diff --git a/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml b/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml index a511bc4b0..5a421c45b 100755 --- a/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml +++ b/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml @@ -1,8 +1,6 @@ ID: aws_account_alternate_contact_security_registered Title: "Security contact information should be provided for an AWS account" Description: "This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -36,26 +34,28 @@ Query: left join alternate_security_contact as c on c.account_id = a.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_account_alternate_contact + - aws_account + - aws_account_alternate_contact Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.18" + - "1.18" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - not_scored + - not_scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_account_part_of_organizations.yaml b/compliance/controls/aws/aws_account_part_of_organizations.yaml index e4a7d8782..3c8dee4f1 100755 --- a/compliance/controls/aws/aws_account_part_of_organizations.yaml +++ b/compliance/controls/aws/aws_account_part_of_organizations.yaml 
@@ -1,8 +1,6 @@ ID: aws_account_part_of_organizations Title: "AWS account should be part of AWS Organizations" Description: "Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -23,21 +21,23 @@ Query: aws_account; PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml b/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml index 7bb968a95..a4a9b2a83 100755 --- a/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml +++ b/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml 
@@ -1,66 +1,48 @@ ID: aws_acm_certificate_expires_30_days Title: "ACM certificates should not expire within 30 days" Description: "Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - certificate_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when renewal_eligibility = 'INELIGIBLE' then 'skip' - when date(not_after) - date(current_date) >= 30 then 'ok' - else 'alarm' - end as status, - case - when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.' - else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') || - ' (' || extract(day from not_after - current_date) || ' days).' - end as reason - - , region, account_id - from - aws_acm_certificate; + QueryToExecute: "select\n certificate_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when renewal_eligibility = 'INELIGIBLE' then 'skip'\n when date(not_after) - date(current_date) >= 30 then 'ok'\n else 'alarm'\n end as status,\n case\n when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'\n else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||\n ' (' || extract(day from not_after - current_date) || ' days).'\n end as reason\n \n , region, account_id\nfrom\n aws_acm_certificate;\n" PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" 
nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ACM + - AWS/ACM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml b/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml index 9b0018d20..1fdbdc131 100755 --- a/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml +++ b/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml @@ -1,27 +1,14 @@ ID: aws_acm_certificate_no_failed_certificate Title: "Ensure that ACM certificates are not in failed state" Description: "This control ensures that ACM certificates are not in failed state." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - certificate_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when status in ('VALIDATION_TIMED_OUT', 'FAILED') then 'alarm' - else 'ok' - end as status, - title || ' status is ' || status || '.' as reason - - - from - aws_acm_certificate; + QueryToExecute: "select\n certificate_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when status in ('VALIDATION_TIMED_OUT', 'FAILED') then 'alarm'\n else 'ok'\n end as status,\n title || ' status is ' || status || '.' as reason\n \n \nfrom\n aws_acm_certificate;" PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml b/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml index 957d7c5de..ff89a5099 100755 --- a/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml 
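Review bot: Converting `QueryToExecute` from a `|` block scalar to a single double-quoted string with embedded `\n` turns the SQL — the actual check — into a one-line value that can no longer be read or diffed statement by statement, and it carries the stray whitespace-only lines (`\n \n`) into the value verbatim. Keeping `QueryToExecute: |` (or `|-` where the original had no trailing newline) with the statement indented beneath it yields the same string and matches the files in this commit whose queries were left as block scalars. The same conversion appears in the hunks for aws_acm_certificate_no_failed_certificate, aws_acm_certificate_no_pending_validation_certificate, aws_acm_certificate_not_expired, aws_acm_certificate_rsa_key_length_2048_bits_or_greater, aws_acmpca_root_certificate_authority_disabled, aws_api_gateway_method_authorization_type_configured, aws_apigateway_rest_api_stage_use_ssl_certificate, aws_apigateway_rest_api_stage_xray_tracing_enabled, aws_apigateway_stage_cache_encryption_at_rest_enabled and aws_apigateway_stage_logging_enabled. Separately, a certificate with `renewal_eligibility = 'INELIGIBLE'` is reported as `skip` even when it expires within 30 days; if those are certificates ACM cannot renew on its own, they are the ones that most need the alarm, so confirm the skip is intended.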
+++ b/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml @@ -1,27 +1,14 @@ ID: aws_acm_certificate_no_pending_validation_certificate Title: "Ensure that ACM certificates are not in pending validation state" Description: "This control ensures that ACM certificates are not in pending validation state. When certificates are not validated within 72 hours after the request is made, those certificates become invalid." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - certificate_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when status = 'PENDING_VALIDATION' then 'info' - else 'ok' - end as status, - title || ' status is ' || status || '.' as reason - - - from - aws_acm_certificate; + QueryToExecute: "select\n certificate_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when status = 'PENDING_VALIDATION' then 'info'\n else 'ok'\n end as status,\n title || ' status is ' || status || '.' as reason\n \n \nfrom\n aws_acm_certificate;" PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml b/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml index 90017c9a3..ef2222ad7 100755 --- a/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml +++ b/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml 
@@ -1,8 +1,6 @@ ID: aws_acm_certificate_no_wildcard_domain_name Title: "ACM certificates should not use wildcard certificates" Description: "Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_acm_certificate; PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_acm_certificate_not_expired.yaml b/compliance/controls/aws/aws_acm_certificate_not_expired.yaml index a6e5b5446..e370f36e2 100755 --- a/compliance/controls/aws/aws_acm_certificate_not_expired.yaml +++ b/compliance/controls/aws/aws_acm_certificate_not_expired.yaml 
@@ -1,34 +1,14 @@ ID: aws_acm_certificate_not_expired Title: "Ensure that all the expired ACM certificates are removed" Description: "This control ensures that all expired ACM certificates are removed from AWS account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - certificate_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when renewal_eligibility = 'INELIGIBLE' then 'skip' - when date(not_after) < (current_date - interval '1' minute) then 'alarm' - else 'ok' - end as status, - case - when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.' - when date(not_after) < (current_date - interval '1' minute) then title || ' expired ' || to_char(not_after, 'DD-Mon-YYYY') || - ' (' || extract(day from not_after - current_date) || ' days ago).' - else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') || - ' (' || extract(day from not_after - current_date) || ' days).' - end as reason - - - from - aws_acm_certificate; + QueryToExecute: "select\n certificate_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when renewal_eligibility = 'INELIGIBLE' then 'skip'\n when date(not_after) < (current_date - interval '1' minute) then 'alarm'\n else 'ok'\n end as status,\n case\n when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'\n when date(not_after) < (current_date - interval '1' minute) then title || ' expired ' || to_char(not_after, 'DD-Mon-YYYY') ||\n ' (' || extract(day from not_after - current_date) || ' days ago).'\n else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||\n ' (' || extract(day from not_after - current_date) || ' days).'\n end as reason\n \n \nfrom\n aws_acm_certificate;" PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
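Review bot: The expiry test `date(not_after) < (current_date - interval '1' minute)` in the `QueryToExecute` value truncates `not_after` to midnight before comparing it with a timestamp of 23:59 on the previous day, so a certificate that expired earlier today is still reported `ok` (with a reason of `expires ... (0 days)`) until the following day, and the `interval '1' minute` has no effect once the date is truncated. If `not_after` is a timestamp, as its use in `to_char` and in `extract(day from not_after - current_date)` suggests, `when not_after < current_timestamp then 'alarm'` in the status branch and the same predicate in the reason branch make an expired certificate alarm as soon as it expires.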
diff --git a/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml b/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml index dc1a823a2..2a87f39a8 100755 --- a/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml +++ b/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml 
@@ -1,32 +1,14 @@ ID: aws_acm_certificate_rsa_key_length_2048_bits_or_greater Title: "RSA certificates managed by ACM should use a key length of at least 2,048 bits" Description: "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - certificate_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when not key_algorithm like 'RSA-%' then 'skip' - when key_algorithm = 'RSA_1024' then 'alarm' - else 'ok' - end as status, - case - when not key_algorithm like 'RSA-%' then title || ' is not a RSA certificate.' - when key_algorithm = 'RSA_1024' then title || ' is using 1024 bits key length.' - else title || ' is using ' || split_part(key_algorithm, '-', 2) || ' bits key length.' - end as reason - - - from - aws_acm_certificate; + QueryToExecute: "select\n certificate_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when not key_algorithm like 'RSA-%' then 'skip'\n when key_algorithm = 'RSA_1024' then 'alarm'\n else 'ok'\n end as status,\n case\n when not key_algorithm like 'RSA-%' then title || ' is not a RSA certificate.'\n when key_algorithm = 'RSA_1024' then title || ' is using 1024 bits key length.'\n else title || ' is using ' || split_part(key_algorithm, '-', 2) || ' bits key length.'\n end as reason\n \n \nfrom\n aws_acm_certificate;" PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_acm_certificate_transparency_logging_enabled.yaml b/compliance/controls/aws/aws_acm_certificate_transparency_logging_enabled.yaml index 460fda5f8..f05a4bd45 100755 
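Review bot: In the `QueryToExecute` value, `key_algorithm like 'RSA-%'` uses a hyphen while the next branch compares against the underscore form `'RSA_1024'`, and `split_part(key_algorithm, '-', 2)` splits on the hyphen as well. If the column holds the underscore form, as that literal implies, no row ever matches the RSA pattern, every certificate is reported `skip`, and a 1024-bit key never raises an alarm — the control fails open. Using `when left(key_algorithm, 4) <> 'RSA_' then 'skip'` in both case expressions together with `split_part(key_algorithm, '_', 2)` keeps the three branches consistent; a `like 'RSA\_%'` alternative would need its backslash escaped again inside the YAML double quotes, which is one more reason to keep the query as a block scalar.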
--- a/compliance/controls/aws/aws_acm_certificate_transparency_logging_enabled.yaml +++ b/compliance/controls/aws/aws_acm_certificate_transparency_logging_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_acm_certificate_transparency_logging_enabled Title: "ACM certificates should have transparency logging enabled" Description: "Ensure ACM certificates transparency logging is enabled as certificate transparency logging guards against SSL/TLS certificates issued by mistake or by a compromised certificate authority." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_acm_certificate; PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_acmpca_root_certificate_authority_disabled.yaml b/compliance/controls/aws/aws_acmpca_root_certificate_authority_disabled.yaml index a5464aaf2..4fc703f72 100755 --- a/compliance/controls/aws/aws_acmpca_root_certificate_authority_disabled.yaml +++ b/compliance/controls/aws/aws_acmpca_root_certificate_authority_disabled.yaml 
@@ -1,32 +1,14 @@ ID: aws_acmpca_root_certificate_authority_disabled Title: "AWS Private CA root certificate authority should be disabled" Description: "This control checks if AWS Private CA has a root certificate authority (CA) that is disabled. The control fails if the root CA is enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when type <> 'ROOT' then 'skip' - when status = 'DISABLED' then 'ok' - else 'alarm' - end as status, - case - when type <> 'ROOT' then title || ' is not root CA.' - when status = 'DISABLED' then title || ' root CA disabled.' - else title || ' root CA not disabled.' - end as reason - - - from - aws_acmpca_certificate_authority; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when type <> 'ROOT' then 'skip'\n when status = 'DISABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when type <> 'ROOT' then title || ' is not root CA.'\n when status = 'DISABLED' then title || ' root CA disabled.'\n else title || ' root CA not disabled.'\n end as reason\n \n \nfrom\n aws_acmpca_certificate_authority;" PrimaryTable: aws_acmpca_certificate_authority ListOfTables: - - aws_acmpca_certificate_authority + - aws_acmpca_certificate_authority Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_api_gateway_method_authorization_type_configured.yaml b/compliance/controls/aws/aws_api_gateway_method_authorization_type_configured.yaml index 33d09db00..14fadb6d8 100755 --- a/compliance/controls/aws/aws_api_gateway_method_authorization_type_configured.yaml +++ b/compliance/controls/aws/aws_api_gateway_method_authorization_type_configured.yaml 
@@ -1,29 +1,14 @@ ID: aws_api_gateway_method_authorization_type_configured Title: "API Gateway methods authorizer should be configured" Description: "This control checks whether API Gateway method has an authorizer configured. This rule is non-compliant if API Gateway method has no authorizers configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - resource_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when authorization_type = 'NONE' then 'alarm' - else 'ok' - end as status, - case - when authorization_type = 'NONE' then title || ' authorization type not configured.' - else title || ' authorization type ' || authorization_type || ' configured.' - end as reason - - from - aws_api_gateway_method; + QueryToExecute: "select\n resource_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when authorization_type = 'NONE' then 'alarm'\n else 'ok'\n end as status,\n case\n when authorization_type = 'NONE' then title || ' authorization type not configured.'\n else title || ' authorization type ' || authorization_type || ' configured.'\n end as reason\n \nfrom\n aws_api_gateway_method;" PrimaryTable: aws_api_gateway_method ListOfTables: - - aws_api_gateway_method + - aws_api_gateway_method Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_api_gateway_method_request_parameter_validated.yaml b/compliance/controls/aws/aws_api_gateway_method_request_parameter_validated.yaml index c91aed4a7..194b47bb1 100755 --- a/compliance/controls/aws/aws_api_gateway_method_request_parameter_validated.yaml +++ b/compliance/controls/aws/aws_api_gateway_method_request_parameter_validated.yaml 
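Review bot: The status branch `when authorization_type = 'NONE' then 'alarm' else 'ok'` reports `ok` for a null `authorization_type`, and the reason concatenation `title || ' authorization type ' || authorization_type || ' configured.'` then yields a null reason for that row. Whether the column can be null for a method is not visible here; if it can, `when coalesce(authorization_type, 'NONE') = 'NONE' then 'alarm'` in both case expressions keeps a method without any authorization from passing silently.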
@@ -1,8 +1,6 @@ ID: aws_api_gateway_method_request_parameter_validated Title: "API Gateway methods request parameter should be validated" Description: "This control checks whether API Gateway method request parameter is validated. This rule is non-compliant if API Gateway method request parameter is not validated." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_api_gateway_method; PrimaryTable: aws_api_gateway_method ListOfTables: - - aws_api_gateway_method + - aws_api_gateway_method Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_api_gateway_rest_api_public_endpoint_with_authorizer.yaml b/compliance/controls/aws/aws_api_gateway_rest_api_public_endpoint_with_authorizer.yaml index c9004213d..ec9f7f316 100755 --- a/compliance/controls/aws/aws_api_gateway_rest_api_public_endpoint_with_authorizer.yaml +++ b/compliance/controls/aws/aws_api_gateway_rest_api_public_endpoint_with_authorizer.yaml @@ -1,8 +1,6 @@ ID: aws_api_gateway_rest_api_public_endpoint_with_authorizer Title: "API Gateway REST API public endpoints should be configured with authorizer" Description: "Ensure API Gateway REST API public endpoint is configured with authorizer. This rule is non-compliant if API Gateway REST API public endpoint has no authorizer configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: left join aws_api_gateway_authorizer as a on p.api_id = a.rest_api_id; PrimaryTable: aws_api_gateway_rest_api ListOfTables: - - aws_api_gateway_rest_api - - aws_api_gateway_authorizer + - aws_api_gateway_rest_api + - aws_api_gateway_authorizer Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_api_gatewayv2_route_authorization_type_configured.yaml b/compliance/controls/aws/aws_api_gatewayv2_route_authorization_type_configured.yaml index 221374766..fd6bcd64d 100755 
--- a/compliance/controls/aws/aws_api_gatewayv2_route_authorization_type_configured.yaml +++ b/compliance/controls/aws/aws_api_gatewayv2_route_authorization_type_configured.yaml @@ -1,8 +1,6 @@ ID: aws_api_gatewayv2_route_authorization_type_configured Title: "API Gateway routes should specify an authorization type" Description: "This control checks if AWS API Gateway routes have an authorization type. The control fails if the API Gateway route does not specify an authorization type." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -23,19 +21,21 @@ Query: aws_api_gatewayv2_route; PrimaryTable: aws_api_gatewayv2_route ListOfTables: - - aws_api_gatewayv2_route + - aws_api_gatewayv2_route Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_access_management + - secure_access_management foundational_security_item_id: - - apigateway_8 + - apigateway_8 plugin: - - aws + - aws service: - - AWS/APIGateway + - AWS/APIGateway +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_api_gatewayv2_route_authorizer_configured.yaml b/compliance/controls/aws/aws_api_gatewayv2_route_authorizer_configured.yaml index b54aec5a9..8f92df653 100755 --- a/compliance/controls/aws/aws_api_gatewayv2_route_authorizer_configured.yaml +++ b/compliance/controls/aws/aws_api_gatewayv2_route_authorizer_configured.yaml @@ -1,8 +1,6 @@ ID: aws_api_gatewayv2_route_authorizer_configured Title: "API Gateway V2 authorizer should be configured" Description: "This control checks whether API Gateway V2 has an authorizer configured. This rule is non-compliant if API Gateway V2 has no authorizers configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_api_gatewayv2_route; PrimaryTable: aws_api_gatewayv2_route ListOfTables: - - aws_api_gatewayv2_route + - aws_api_gatewayv2_route Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_apigateway_rest_api_authorizers_configured.yaml b/compliance/controls/aws/aws_apigateway_rest_api_authorizers_configured.yaml index 3e8fbaeec..ee7f5f480 100755 --- a/compliance/controls/aws/aws_apigateway_rest_api_authorizers_configured.yaml +++ b/compliance/controls/aws/aws_apigateway_rest_api_authorizers_configured.yaml @@ -1,8 +1,6 @@ ID: aws_apigateway_rest_api_authorizers_configured Title: "API Gateway stages should have authorizers configured" Description: "Ensure API Gateway stages have authorizers configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: left join aws_api_gateway_authorizer as a on p.api_id = a.rest_api_id; PrimaryTable: aws_api_gateway_rest_api ListOfTables: - - aws_api_gateway_rest_api - - aws_api_gateway_authorizer + - aws_api_gateway_rest_api + - aws_api_gateway_authorizer Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_apigateway_rest_api_endpoint_restrict_public_access.yaml b/compliance/controls/aws/aws_apigateway_rest_api_endpoint_restrict_public_access.yaml index 800e26e27..5a74c7113 100755 --- a/compliance/controls/aws/aws_apigateway_rest_api_endpoint_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_apigateway_rest_api_endpoint_restrict_public_access.yaml @@ -1,8 +1,6 @@ ID: aws_apigateway_rest_api_endpoint_restrict_public_access Title: "API Gateway REST API endpoint type should be configured to private" Description: "This control checks whether API Gateway endpoint is public or private. This rule is non-compliant if API Gateway endpoint is public." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_api_gateway_rest_api; PrimaryTable: aws_api_gateway_rest_api ListOfTables: - - aws_api_gateway_rest_api + - aws_api_gateway_rest_api Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_apigateway_rest_api_stage_use_ssl_certificate.yaml b/compliance/controls/aws/aws_apigateway_rest_api_stage_use_ssl_certificate.yaml index c004a0d69..ff228b5ac 100755 --- a/compliance/controls/aws/aws_apigateway_rest_api_stage_use_ssl_certificate.yaml +++ b/compliance/controls/aws/aws_apigateway_rest_api_stage_use_ssl_certificate.yaml 
@@ -1,54 +1,38 @@ ID: aws_apigateway_rest_api_stage_use_ssl_certificate Title: "API Gateway stage should uses SSL certificate" Description: "Ensure that a REST API stage uses a Secure Sockets Layer (SSL) certificate. This rule is compliant if the REST API stage does not have an associated SSL certificate." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when client_certificate_id is null then 'alarm' - else 'ok' - end as status, - case - when client_certificate_id is null then title || ' does not use SSL certificate.' - else title || ' uses SSL certificate.' - end as reason - - , region, account_id - from - aws_api_gateway_stage; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when client_certificate_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when client_certificate_id is null then title || ' does not use SSL certificate.'\n else title || ' uses SSL certificate.'\n end as reason\n \n , region, account_id\nfrom\n aws_api_gateway_stage;\n" PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage + - aws_api_gateway_stage Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/APIGateway + - AWS/APIGateway +IntegrationTypeName: + - aws_cloud 
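Review bot: The Description line states the rule is compliant if the stage does not have an associated SSL certificate, which is the opposite of the query, which alarms when `client_certificate_id is null`; it should read `This rule is non-compliant if the REST API stage does not have an associated SSL certificate.`, and the Title's `should uses` should be `should use`. It is also worth confirming what the control intends to measure: as far as I know, an API Gateway stage's client certificate is the certificate the stage presents to its backend integration rather than the TLS certificate on the API's public endpoint, so the `uses SSL certificate` wording in the reason strings may overstate what a non-null `client_certificate_id` proves.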
diff --git a/compliance/controls/aws/aws_apigateway_rest_api_stage_xray_tracing_enabled.yaml b/compliance/controls/aws/aws_apigateway_rest_api_stage_xray_tracing_enabled.yaml index 2da95b178..f19df89b4 100755 --- a/compliance/controls/aws/aws_apigateway_rest_api_stage_xray_tracing_enabled.yaml +++ b/compliance/controls/aws/aws_apigateway_rest_api_stage_xray_tracing_enabled.yaml @@ -1,42 +1,26 @@ ID: aws_apigateway_rest_api_stage_xray_tracing_enabled Title: "API Gateway REST API stages should have AWS X-Ray tracing enabled" Description: "This control checks whether AWS X-Ray active tracing is enabled for your AWS API Gateway REST API stages." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when tracing_enabled then 'ok' - else 'alarm' - end as status, - case - when tracing_enabled then title || ' X-Ray tracing enabled.' - else title || ' X-Ray tracing disabled.' - end as reason - - , region, account_id - from - aws_api_gateway_stage; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when tracing_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when tracing_enabled then title || ' X-Ray tracing enabled.'\n else title || ' X-Ray tracing disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_api_gateway_stage;\n" PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage + - aws_api_gateway_stage Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - detection_services + - detection_services foundational_security_item_id: - - apigateway_3 + - apigateway_3 plugin: - - aws + - aws service: - - AWS/APIGateway + - AWS/APIGateway +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_apigateway_stage_cache_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_apigateway_stage_cache_encryption_at_rest_enabled.yaml index 55a9ab4c2..2c79f7bd7 100755 --- a/compliance/controls/aws/aws_apigateway_stage_cache_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_apigateway_stage_cache_encryption_at_rest_enabled.yaml 
@@ -1,67 +1,48 @@ ID: aws_apigateway_stage_cache_encryption_at_rest_enabled Title: "API Gateway stage cache encryption at rest should be enabled" Description: "To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when method_settings -> '*/*' ->> 'CachingEnabled' = 'true' - and method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' then 'ok' - else 'alarm' - end as status, - case - when method_settings -> '*/*' ->> 'CachingEnabled' = 'true' - and method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' - then title || ' API cache and encryption enabled.' - else title || ' API cache and encryption not enabled.' - end as reason - - , region, account_id - from - aws_api_gateway_stage; + QueryToExecute: "select\n 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when method_settings -> '*/*' ->> 'CachingEnabled' = 'true'\n and method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when method_settings -> '*/*' ->> 'CachingEnabled' = 'true'\n and method_settings -> '*/*' ->> 'CacheDataEncrypted' = 'true'\n then title || ' API cache and encryption enabled.'\n else title || ' API cache and encryption not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_api_gateway_stage;\n" PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage + - aws_api_gateway_stage Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gdpr: - - 
"true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/APIGateway + - AWS/APIGateway soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_apigateway_stage_logging_enabled.yaml b/compliance/controls/aws/aws_apigateway_stage_logging_enabled.yaml index 681667c8e..39b33de51 100755 --- a/compliance/controls/aws/aws_apigateway_stage_logging_enabled.yaml +++ b/compliance/controls/aws/aws_apigateway_stage_logging_enabled.yaml 
@@ -1,99 +1,51 @@ ID: aws_apigateway_stage_logging_enabled Title: "API Gateway stage logging should be enabled" Description: "API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_stages as ( - select - name as stage_name, - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name as arn, - method_settings -> '*/*' ->> 'LoggingLevel' as log_level, - title, - region, - account_id, - tags, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_api_gateway_stage' as og_table_name, - _ctx - from - aws_api_gateway_stage - union - select - stage_name, - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name as arn, - default_route_logging_level as log_level, - title, - region, - account_id, - tags, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_api_gatewayv2_stage' as og_table_name, - _ctx - from - aws_api_gatewayv2_stage - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - og_table_name as og_table_name, - case - when log_level is null or log_level = '' or log_level = 'OFF' then 'alarm' - else 'ok' - end as status, - case - when log_level is null or log_level = '' or log_level = 'OFF' then title || ' logging not enabled.' - else title || ' logging enabled.' 
- end as reason - - , region, account_id - from - all_stages; + QueryToExecute: "with all_stages as (\n select\n name as stage_name,\n 'arn:' || partition || ':apigateway:' || region || '::/apis/' || rest_api_id || '/stages/' || name as arn,\n method_settings -> '*/*' ->> 'LoggingLevel' as log_level,\n title,\n region,\n account_id,\n tags,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_api_gateway_stage' as og_table_name,\n _ctx\n from\n aws_api_gateway_stage\n union\n select\n stage_name,\n 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name as arn,\n default_route_logging_level as log_level,\n title,\n region,\n account_id,\n tags,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_api_gatewayv2_stage' as og_table_name,\n _ctx\n from\n aws_api_gatewayv2_stage\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n og_table_name as og_table_name,\n case\n when log_level is null or log_level = '' or log_level = 'OFF' then 'alarm'\n else 'ok'\n end as status,\n case\n when log_level is null or log_level = '' or log_level = 'OFF' then title || ' logging not enabled.'\n else title || ' logging enabled.'\n end as reason\n \n , region, account_id\nfrom\n all_stages;\n" PrimaryTable: "" ListOfTables: - - aws_api_gateway_stage - - aws_api_gatewayv2_stage + - aws_api_gateway_stage + - aws_api_gatewayv2_stage Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" 
nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/APIGateway + - AWS/APIGateway soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_apigateway_stage_use_waf_web_acl.yaml b/compliance/controls/aws/aws_apigateway_stage_use_waf_web_acl.yaml index 77fa2e926..f2c9e8ff2 100755 --- a/compliance/controls/aws/aws_apigateway_stage_use_waf_web_acl.yaml +++ b/compliance/controls/aws/aws_apigateway_stage_use_waf_web_acl.yaml 
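Review bot: The REST branch of `all_stages` takes `log_level` only from `method_settings -> '*/*'`, so method-level overrides — if the collector stores them as further keys of `method_settings` — are ignored, and a stage whose default entry is `INFO` but whose individual methods are set to `OFF` still reports `' logging enabled.'`; confirm how overrides appear in that column before relying on this. The `union` between the two stage tables forces a distinct pass over every column, including the `tags` and `_ctx` jsonb values, which is wasted work since rows from the two tables can never coincide; `union all` keeps the result and drops the sort. `PrimaryTable: ""` is left empty for this multi-table control, and a comment such as `# PrimaryTable intentionally empty: the query unions v1 and v2 stages` would stop the next reader from treating it as a defect.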
@@ -1,56 +1,40 @@ ID: aws_apigateway_stage_use_waf_web_acl Title: "API Gateway stage should be associated with waf" Description: "Ensure that an AWS API Gateway API stage is using a WAF Web ACL. This rule is non-compliant if an AWS WAF Web ACL is not used." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when web_acl_arn is not null then 'ok' - else 'alarm' - end as status, - case - when web_acl_arn is not null then title || ' associated with WAF web ACL.' - else title || ' not associated with WAF web ACL.' - end as reason - - , region, account_id - from - aws_api_gateway_stage; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when web_acl_arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when web_acl_arn is not null then title || ' associated with WAF web ACL.'\n else title || ' not associated with WAF web ACL.'\n end as reason\n \n , region, account_id\nfrom\n aws_api_gateway_stage;\n" PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage + - aws_api_gateway_stage Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/APIGateway + - AWS/APIGateway +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_appstream_fleet_default_internet_access_disabled.yaml b/compliance/controls/aws/aws_appstream_fleet_default_internet_access_disabled.yaml
index 6c3cb15c2..5bb0fefb5 100755
--- a/compliance/controls/aws/aws_appstream_fleet_default_internet_access_disabled.yaml
+++ b/compliance/controls/aws/aws_appstream_fleet_default_internet_access_disabled.yaml
@@ -1,8 +1,6 @@
ID: aws_appstream_fleet_default_internet_access_disabled
Title: "AppStream fleet default internet access should be disabled"
Description: "Enabling default internet access for AppStream fleet is not recommended. This control will be considered non-compliant if default internet access is enabled for AppStream fleet."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
aws_appstream_fleet;
PrimaryTable: aws_appstream_fleet
ListOfTables:
- - aws_appstream_fleet
+ - aws_appstream_fleet
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_appstream_fleet_idle_disconnect_timeout_600_seconds.yaml b/compliance/controls/aws/aws_appstream_fleet_idle_disconnect_timeout_600_seconds.yaml
index c67322c08..4d4bbdb07 100755
--- a/compliance/controls/aws/aws_appstream_fleet_idle_disconnect_timeout_600_seconds.yaml
+++ b/compliance/controls/aws/aws_appstream_fleet_idle_disconnect_timeout_600_seconds.yaml
@@ -1,8 +1,6 @@
ID: aws_appstream_fleet_idle_disconnect_timeout_600_seconds
Title: "AppStream fleet idle disconnect timeout should be set to less than or equal to 10 mins"
Description: "Ensure session idle disconnect timeout is set to 10 minutes or less."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -19,7 +17,9 @@ Query:
aws_appstream_fleet;
PrimaryTable: aws_appstream_fleet
ListOfTables:
- - aws_appstream_fleet
+ - aws_appstream_fleet
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_appstream_fleet_max_user_duration_36000_seconds.yaml b/compliance/controls/aws/aws_appstream_fleet_max_user_duration_36000_seconds.yaml index 10f1a4ac6..86229ea6a 100755 --- a/compliance/controls/aws/aws_appstream_fleet_max_user_duration_36000_seconds.yaml +++ b/compliance/controls/aws/aws_appstream_fleet_max_user_duration_36000_seconds.yaml @@ -1,27 +1,14 @@ ID: aws_appstream_fleet_max_user_duration_36000_seconds Title: "AppStream fleet max user duration should be set to less than 10 hours" Description: "Ensure user maximum session duration is no longer than 10 hours. A session duration exceeding 10 hours is unnecessary and may offer malicious users an extended period of unauthorized usage beyond acceptable limits." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when max_user_duration_in_seconds < 36000 then 'ok' - else 'alarm' - end as status, - title || ' max user duration in seconds is set to ' || max_user_duration_in_seconds || ' seconds.' as reason - - - from - aws_appstream_fleet; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when max_user_duration_in_seconds < 36000 then 'ok'\n else 'alarm'\n end as status,\n title || ' max user duration in seconds is set to ' || max_user_duration_in_seconds || ' seconds.' as reason\n \n \nfrom\n aws_appstream_fleet;" PrimaryTable: aws_appstream_fleet ListOfTables: - - aws_appstream_fleet + - aws_appstream_fleet Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_appstream_fleet_session_disconnect_timeout_300_seconds.yaml b/compliance/controls/aws/aws_appstream_fleet_session_disconnect_timeout_300_seconds.yaml index 901bcac92..ad5822e96 100755 
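Review bot: The status test `when max_user_duration_in_seconds < 36000 then 'ok'` rejects a fleet set to exactly 36000 seconds, yet the Description on the context line says the duration should be "no longer than 10 hours" and the sibling timeout control in this commit uses `<=`; either change the test to `when max_user_duration_in_seconds <= 36000 then 'ok'` or align the Title and Description with the strict bound. A fleet whose value is unset makes the whole reason collapse to NULL, because `' seconds.'` is concatenated with a NULL column; `coalesce(max_user_duration_in_seconds::text, 'not set')` keeps the finding explainable. Keeping `QueryToExecute: |-` instead of the escaped one-line string would also keep the next change to this query reviewable.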
--- a/compliance/controls/aws/aws_appstream_fleet_session_disconnect_timeout_300_seconds.yaml +++ b/compliance/controls/aws/aws_appstream_fleet_session_disconnect_timeout_300_seconds.yaml @@ -1,27 +1,14 @@ ID: aws_appstream_fleet_session_disconnect_timeout_300_seconds Title: "AppStream fleet session disconnect timeout should be set to less than or equal to 5 mins" Description: "The disconnect timeout in minutes refers to the duration for which a streaming session remains active even after users have disconnected. It is recommended to set the disconnect timeout to 5 minutes or less for the AppStream Fleet." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when disconnect_timeout_in_seconds <= 300 then 'ok' - else 'alarm' - end as status, - title || ' disconnect timeout in seconds is set to ' || disconnect_timeout_in_seconds || ' seconds.' as reason - - - from - aws_appstream_fleet; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when disconnect_timeout_in_seconds <= 300 then 'ok'\n else 'alarm'\n end as status,\n title || ' disconnect timeout in seconds is set to ' || disconnect_timeout_in_seconds || ' seconds.' as reason\n \n \nfrom\n aws_appstream_fleet;" PrimaryTable: aws_appstream_fleet ListOfTables: - - aws_appstream_fleet + - aws_appstream_fleet Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_appsync_graphql_api_field_level_logging_enabled.yaml b/compliance/controls/aws/aws_appsync_graphql_api_field_level_logging_enabled.yaml index 0b94e86b9..605633b31 100755 --- a/compliance/controls/aws/aws_appsync_graphql_api_field_level_logging_enabled.yaml +++ b/compliance/controls/aws/aws_appsync_graphql_api_field_level_logging_enabled.yaml 
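Review bot: A fleet with `disconnect_timeout_in_seconds` unset falls into the `'alarm'` branch but its reason becomes NULL, since `title || ' disconnect timeout in seconds is set to ' || disconnect_timeout_in_seconds` concatenates a NULL; `coalesce(disconnect_timeout_in_seconds::text, 'not set')` keeps the message. The Description talks about "the disconnect timeout in minutes" while the check and the reason are in seconds; rewording it to "The disconnect timeout is the number of seconds a streaming session stays active after the user disconnects. It is recommended to set it to 300 seconds (5 minutes) or less." removes the unit mismatch.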
@@ -1,8 +1,6 @@ ID: aws_appsync_graphql_api_field_level_logging_enabled Title: "AppSync graphql API logging should be enabled" Description: "This control checks whether an AWS AppSync API has field-level logging turned on. The control fails if the field resolver log level is set to None. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the field resolver log level is either ERROR or ALL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_appsync_graphql_api; PrimaryTable: aws_appsync_graphql_api ListOfTables: - - aws_appsync_graphql_api + - aws_appsync_graphql_api Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_athena_workgroup_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_athena_workgroup_encryption_at_rest_enabled.yaml index da116ae75..145f69b2f 100755 --- a/compliance/controls/aws/aws_athena_workgroup_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_athena_workgroup_encryption_at_rest_enabled.yaml 
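Review bot: The Description kept on the context line promises that "custom parameter values" can select which log type counts as enabled, but the control declares `Parameters: []`, so a reader is told about a knob that does not exist. Either trim the sentence to "The control fails if the field resolver log level is set to None; a level of ERROR or ALL passes." or add the parameter the text describes. The query body is outside this hunk, so whether it really accepts both ERROR and ALL cannot be confirmed here.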
@@ -1,29 +1,14 @@ ID: aws_athena_workgroup_encryption_at_rest_enabled Title: "Athena workgroups should be encrypted at rest" Description: "This control checks if an Athena workgroup is encrypted at rest. The control fails if an Athena workgroup isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - name as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encryption_option is not null then 'ok' - else 'alarm' - end as status, - case - when encryption_option is not null then name || ' encryption at rest enabled.' - else name || ' encryption at rest disabled.' - end as reason - - from - aws_athena_workgroup; + QueryToExecute: "select\n name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encryption_option is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_option is not null then name || ' encryption at rest enabled.'\n else name || ' encryption at rest disabled.'\n end as reason\n \nfrom\n aws_athena_workgroup;" PrimaryTable: aws_athena_workgroup ListOfTables: - - aws_athena_workgroup + - aws_athena_workgroup Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_athena_workgroup_enforce_configuration_enabled.yaml b/compliance/controls/aws/aws_athena_workgroup_enforce_configuration_enabled.yaml index 59ffcfee9..327c7bb9e 100755 --- a/compliance/controls/aws/aws_athena_workgroup_enforce_configuration_enabled.yaml +++ b/compliance/controls/aws/aws_athena_workgroup_enforce_configuration_enabled.yaml 
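Review bot: `encryption_option is not null` only shows that the workgroup's result configuration names an encryption option; unless the workgroup also enforces its configuration (the property the neighbouring `aws_athena_workgroup_enforce_configuration_enabled` control checks), Athena lets client-side query settings override the result location and encryption, so a workgroup can pass this control while queries write unencrypted results — confirm against the Athena API semantics before changing. Tightening to `when encryption_option is not null and enforce_workgroup_configuration then 'ok'`, with an extra reason such as `' encryption at rest configured but not enforced.'`, closes that gap; otherwise the Description should state the dependency on the enforce-configuration control. `name as resource` is also not unique across regions or accounts; if the table exposes an ARN column, prefer it for the resource key.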
@@ -1,29 +1,14 @@ ID: aws_athena_workgroup_enforce_configuration_enabled Title: "Athena workgroups should enforce configuration" Description: "This control checks if an Athena workgroup enforces configuration. The control fails if an Athena workgroup doesn't enforce configuration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - name as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when enforce_workgroup_configuration then 'ok' - else 'alarm' - end as status, - case - when enforce_workgroup_configuration then name || ' has enforce workgroup configuration enabled.' - else name || ' has enforce workgroup configuration disabled.' - end as reason - - from - aws_athena_workgroup; + QueryToExecute: "select\n name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when enforce_workgroup_configuration then 'ok'\n else 'alarm'\n end as status,\n case\n when enforce_workgroup_configuration then name || ' has enforce workgroup configuration enabled.'\n else name || ' has enforce workgroup configuration disabled.'\n end as reason\n \nfrom\n aws_athena_workgroup;" PrimaryTable: aws_athena_workgroup ListOfTables: - - aws_athena_workgroup + - aws_athena_workgroup Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_autoscaling_ec2_launch_configuration_no_sensitive_data.yaml b/compliance/controls/aws/aws_autoscaling_ec2_launch_configuration_no_sensitive_data.yaml index 581690a67..21f63ac2b 100755 --- a/compliance/controls/aws/aws_autoscaling_ec2_launch_configuration_no_sensitive_data.yaml +++ b/compliance/controls/aws/aws_autoscaling_ec2_launch_configuration_no_sensitive_data.yaml 
@@ -1,33 +1,14 @@ ID: aws_autoscaling_ec2_launch_configuration_no_sensitive_data Title: "EC2 auto scaling group launch configurations user data should not have any sensitive data" Description: "Ensure that sensitive information is not included in the user data of the launch configuration. It is recommended to utilize Secrets Manager as an alternative for securely managing sensitive data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - launch_configuration_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when - user_data like any (array [ '%pass%', '%secret%', '%token%', '%key%' ]) - or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then 'alarm' - else 'ok' - end as status, - case - when - user_data like any (array [ '%pass%', '%secret%', '%token%', '%key%' ]) - or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then title || ' has potential secret patterns in user data.' - else title || ' does not contain secret patterns in user data.' 
- end as reason - - from - aws_ec2_launch_configuration; + QueryToExecute: "select\n launch_configuration_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when\n user_data like any (array [ '%pass%', '%secret%', '%token%', '%key%' ])\n or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]' then 'alarm'\n else 'ok'\n end as status,\n case\n when\n user_data like any (array [ '%pass%', '%secret%', '%token%', '%key%' ])\n or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]' then title || ' has potential secret patterns in user data.'\n else title || ' does not contain secret patterns in user data.'\n end as reason\n \nfrom\n aws_ec2_launch_configuration;" PrimaryTable: aws_ec2_launch_configuration ListOfTables: - - aws_ec2_launch_configuration + - aws_ec2_launch_configuration Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_autoscaling_group_multiple_az_configured.yaml b/compliance/controls/aws/aws_autoscaling_group_multiple_az_configured.yaml index c89ee194e..bf5780c34 100755 --- a/compliance/controls/aws/aws_autoscaling_group_multiple_az_configured.yaml +++ b/compliance/controls/aws/aws_autoscaling_group_multiple_az_configured.yaml 
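Review bot: The new side's pattern list is matched with `like`, which is case-sensitive in PostgreSQL, so `PASSWORD=`, `Secret:` or `API_KEY` in user data never alarm; `ilike` is the minimal fix, and `'%key%'` alone matches `keyboard` or `monkey`, so a narrower list such as `array['%password%','%passwd%','%secret%','%token%','%api_key%','%access_key%']` cuts the noise. The second condition, `user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]'`, is a password-strength regex whose look-aheads are unanchored, so any text containing one lowercase letter, one uppercase letter, one digit and one of `@$!%*?&` anywhere — that is, almost every real cloud-init script — trips it, which turns the control into a near-constant alarm; a credential-shaped pattern such as `'(?i)(password|secret|token)\s*[=:]\s*\S+'` is what the reason text "potential secret patterns" actually promises. If the collector stores `user_data` base64-encoded as the EC2 API returns it, none of these substring matches see the plaintext at all, so confirm that the column is decoded before trusting either branch. The rewrite also replaces `|-` with a double-quoted string, which is why `\d` now has to be written `\\d`; that is correct YAML here but is exactly the kind of edit that silently breaks a regex, so keeping the block scalar is the safer form.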
@@ -1,39 +1,26 @@ ID: aws_autoscaling_group_multiple_az_configured Title: "EC2 auto scaling groups should cover multiple availability zones" Description: "This control checks whether an AWS EC2 Auto Scaling group spans multiple availability zones. The control fails if an auto scaling group does not span multiple availability zones." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - autoscaling_group_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(availability_zones) > 1 then 'ok' - else 'alarm' - end as status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason - - , region, account_id - from - aws_ec2_autoscaling_group; + QueryToExecute: "select\n autoscaling_group_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(availability_zones) > 1 then 'ok'\n else 'alarm'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason\n \n , region, account_id\nfrom\n aws_ec2_autoscaling_group;\n" PrimaryTable: aws_ec2_autoscaling_group ListOfTables: - - aws_ec2_autoscaling_group + - aws_ec2_autoscaling_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - high_availability + - high_availability foundational_security_item_id: - - autoscaling_2 + - autoscaling_2 plugin: - - aws + - aws service: - - AWS/AutoScaling + - AWS/AutoScaling +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_autoscaling_group_no_suspended_process.yaml b/compliance/controls/aws/aws_autoscaling_group_no_suspended_process.yaml index 7f6088770..9cd40c267 100755 --- a/compliance/controls/aws/aws_autoscaling_group_no_suspended_process.yaml 
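Review bot: If `availability_zones` is NULL for a group, `jsonb_array_length(availability_zones) > 1` evaluates to NULL and the row lands in `'alarm'`, but the reason `title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).'` collapses to NULL, so the finding is raised without any text; whether the collector ever emits NULL here is not visible in the hunk. Wrapping both uses as `coalesce(jsonb_array_length(availability_zones), 0)` keeps the status and yields `has 0 availability zone(s)` as the reason.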
+++ b/compliance/controls/aws/aws_autoscaling_group_no_suspended_process.yaml @@ -1,30 +1,14 @@ ID: aws_autoscaling_group_no_suspended_process Title: "Auto Scaling groups should not have any suspended processes" Description: "Ensure that there are no Auto Scaling Groups (ASGs) with suspended processes provisioned in your AWS account in order to avoid disrupting the auto scaling workflow." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - autoscaling_group_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when suspended_processes is null then 'ok' - else 'alarm' - end as status, - case - when suspended_processes is null then title || ' has no suspended process.' - else title || ' has suspended process.' - end as reason - - - from - aws_ec2_autoscaling_group; + QueryToExecute: "select\n autoscaling_group_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when suspended_processes is null then 'ok'\n else 'alarm'\n end as status,\n case\n when suspended_processes is null then title || ' has no suspended process.'\n else title || ' has suspended process.'\n end as reason\n \n \nfrom\n aws_ec2_autoscaling_group;" PrimaryTable: aws_ec2_autoscaling_group ListOfTables: - - aws_ec2_autoscaling_group + - aws_ec2_autoscaling_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled.yaml b/compliance/controls/aws/aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled.yaml index 65aa73ce2..c80340ccf 100755 --- a/compliance/controls/aws/aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled.yaml +++ b/compliance/controls/aws/aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled.yaml 
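Review bot: The status test `when suspended_processes is null then 'ok'` treats only NULL as "nothing suspended"; if the collector stores the API's empty `SuspendedProcesses` list as `[]` (the usual shape for a jsonb array column), every healthy group is alarmed with `' has suspended process.'`. `when suspended_processes is null or jsonb_array_length(suspended_processes) = 0 then 'ok'` covers both encodings. The alarm reason could also name the processes, e.g. `title || ' has suspended process(es): ' || (select string_agg(p ->> 'ProcessName', ', ') from jsonb_array_elements(suspended_processes) as p)`, so an operator knows what to resume — assuming the elements carry `ProcessName` as the API does.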
@@ -1,8 +1,6 @@
ID: aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled
Title: "Ensure EC2 Auto Scaling Groups Propagate Tags to EC2 Instances that it launches"
Description: "Tags can help with managing, identifying, organizing, searching for, and filtering resources. Additionally, tags can help with security and compliance. Tags can be propagated from an Auto Scaling group to the EC2 instances that it launches."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -35,7 +33,9 @@ Query:
left join propagate_tags_to_ec2_instance as i on i.autoscaling_group_arn = p.autoscaling_group_arn;
PrimaryTable: aws_ec2_autoscaling_group
ListOfTables:
- - aws_ec2_autoscaling_group
+ - aws_ec2_autoscaling_group
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_autoscaling_group_uses_ec2_launch_template.yaml b/compliance/controls/aws/aws_autoscaling_group_uses_ec2_launch_template.yaml
index e4b775c78..4969cf178 100755
--- a/compliance/controls/aws/aws_autoscaling_group_uses_ec2_launch_template.yaml
+++ b/compliance/controls/aws/aws_autoscaling_group_uses_ec2_launch_template.yaml
@@ -1,42 +1,26 @@ ID: aws_autoscaling_group_uses_ec2_launch_template Title: "EC2 Auto Scaling groups should use EC2 launch templates" Description: "This control checks whether an AWS EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an AWS EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - autoscaling_group_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when launch_template_id is not null then 'ok' - else 'alarm' - end as status, - case - when launch_template_id is not null then title || ' using an EC2 launch template.' - else title || ' not using an EC2 launch template.' - end as reason - - , region, account_id - from - aws_ec2_autoscaling_group; + QueryToExecute: "select\n autoscaling_group_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when launch_template_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when launch_template_id is not null then title || ' using an EC2 launch template.'\n else title || ' not using an EC2 launch template.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_autoscaling_group;\n" PrimaryTable: aws_ec2_autoscaling_group ListOfTables: - - aws_ec2_autoscaling_group + - aws_ec2_autoscaling_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_configuration + - resource_configuration foundational_security_item_id: - - autoscaling_9 + - autoscaling_9 plugin: - - aws + - aws service: - - AWS/AutoScaling + - AWS/AutoScaling +IntegrationTypeName: + - aws_cloud 
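Review bot: `launch_template_id is not null` passes only groups with a top-level launch template, but the Description on the context line says a group also passes when a launch template is specified in a mixed instances policy; if `launch_template_id` is populated from the group's `LaunchTemplate` field only (the table exposes `mixed_instances_policy_launch_template_overrides` separately, which suggests it is), every mixed-instances group is alarmed as `' not using an EC2 launch template.'` despite satisfying the control. Either add the policy's launch template to the test — the policy's launch-template id column if the table has one, otherwise an approximation such as `when launch_template_id is not null or mixed_instances_policy_launch_template_overrides is not null then 'ok'` — or narrow the Description so it stops promising the mixed-instances case. Which column is right depends on the collector schema, which is not visible here.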
diff --git a/compliance/controls/aws/aws_autoscaling_group_with_lb_use_health_check.yaml b/compliance/controls/aws/aws_autoscaling_group_with_lb_use_health_check.yaml index 79294492c..7ad73efa8 100755 --- a/compliance/controls/aws/aws_autoscaling_group_with_lb_use_health_check.yaml +++ b/compliance/controls/aws/aws_autoscaling_group_with_lb_use_health_check.yaml 
@@ -1,60 +1,42 @@ ID: aws_autoscaling_group_with_lb_use_health_check Title: "Auto Scaling groups with a load balancer should use health checks" Description: "The Elastic Load Balancer (ELB) health checks for AWS Elastic Compute Cloud (AWS EC2) Auto Scaling groups support maintenance of adequate capacity and availability." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - autoscaling_group_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when load_balancer_names is null and target_group_arns is null then 'alarm' - when health_check_type != 'ELB' then 'alarm' - else 'ok' - end as status, - case - when load_balancer_names is null and target_group_arns is null then title || ' not associated with a load balancer.' - when health_check_type != 'ELB' then title || ' does not use ELB health check.' - else title || ' uses ELB health check.' - end as reason - - , region, account_id - from - aws_ec2_autoscaling_group; + QueryToExecute: "select\n autoscaling_group_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when load_balancer_names is null and target_group_arns is null then 'alarm'\n when health_check_type != 'ELB' then 'alarm'\n else 'ok'\n end as status,\n case\n when load_balancer_names is null and target_group_arns is null then title || ' not associated with a load balancer.'\n when health_check_type != 'ELB' then title || ' does not use ELB health check.'\n else title || ' uses ELB health check.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_autoscaling_group;\n" PrimaryTable: aws_ec2_autoscaling_group ListOfTables: - - aws_ec2_autoscaling_group + - aws_ec2_autoscaling_group Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" 
hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/AutoScaling + - AWS/AutoScaling +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_autoscaling_launch_config_hop_limit.yaml b/compliance/controls/aws/aws_autoscaling_launch_config_hop_limit.yaml index 0acd3be14..ce3fa13be 100755 --- a/compliance/controls/aws/aws_autoscaling_launch_config_hop_limit.yaml +++ b/compliance/controls/aws/aws_autoscaling_launch_config_hop_limit.yaml @@ -1,8 +1,6 @@ ID: aws_autoscaling_launch_config_hop_limit Title: "EC2 auto scaling group launch configurations should not have metadata response hop limit greater than 1" Description: "This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,19 +23,21 @@ Query: aws_ec2_launch_configuration; PrimaryTable: aws_ec2_launch_configuration ListOfTables: - - aws_ec2_launch_configuration + - aws_ec2_launch_configuration Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - autoscaling_4 + - autoscaling_4 plugin: - - aws + - aws service: - - AWS/AutoScaling + - AWS/AutoScaling +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_autoscaling_launch_config_public_ip_disabled.yaml b/compliance/controls/aws/aws_autoscaling_launch_config_public_ip_disabled.yaml index 7aba9c4b7..e037dc4df 100755 
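Review bot: The first branch, `when load_balancer_names is null and target_group_arns is null then 'alarm'`, fails every group that has no load balancer, although the Title scopes the control to "Auto Scaling groups with a load balancer" and such a group cannot use ELB health checks at all; the result is a guaranteed alarm on plain groups that teaches operators to ignore the control. That branch should not produce an alarm — `'skip'` if the engine has a non-failing status, otherwise `'ok'` with the existing `' not associated with a load balancer.'` reason; only `'ok'` and `'alarm'` appear in these files, so the available statuses need checking. As with the suspended-processes control, if the collector stores empty lists as `[]` rather than NULL, the `is null` tests never fire and groups without a balancer are instead judged by `health_check_type != 'ELB'`, so `jsonb_array_length(...) = 0` should be tested alongside.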
--- a/compliance/controls/aws/aws_autoscaling_launch_config_public_ip_disabled.yaml +++ b/compliance/controls/aws/aws_autoscaling_launch_config_public_ip_disabled.yaml @@ -1,8 +1,6 @@ ID: aws_autoscaling_launch_config_public_ip_disabled Title: "Auto Scaling launch config public IP should be disabled" Description: "Ensure that AWS EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. This rule is non-compliant if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to 'true'." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -23,37 +21,39 @@ Query: aws_ec2_launch_configuration; PrimaryTable: aws_ec2_launch_configuration ListOfTables: - - aws_ec2_launch_configuration + - aws_ec2_launch_configuration Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/AutoScaling + - AWS/AutoScaling +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_autoscaling_launch_config_requires_imdsv2.yaml b/compliance/controls/aws/aws_autoscaling_launch_config_requires_imdsv2.yaml index b1c71e7db..3847d6780 100755 --- a/compliance/controls/aws/aws_autoscaling_launch_config_requires_imdsv2.yaml +++ b/compliance/controls/aws/aws_autoscaling_launch_config_requires_imdsv2.yaml 
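Review bot: The Description kept on the context line says "Ensure that AWS EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations", which is the opposite of the Title and of the failure condition in its own second sentence; the control is meant to flag `AssociatePublicIpAddress` set to `true`. Rewording to `Description: "Ensure that EC2 Auto Scaling launch configurations do not assign public IP addresses to the instances they launch. This rule is non-compliant if the Launch Configuration for an Auto Scaling group has AssociatePublicIpAddress set to 'true'."` makes the text match the check. The query itself is outside this hunk.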
@@ -1,8 +1,6 @@ ID: aws_autoscaling_launch_config_requires_imdsv2 Title: "Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)" Description: "This control checks whether IMDSv2 is enabled on all instances launched by AWS EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -23,19 +21,21 @@ Query: aws_ec2_launch_configuration; PrimaryTable: aws_ec2_launch_configuration ListOfTables: - - aws_ec2_launch_configuration + - aws_ec2_launch_configuration Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - autoscaling_3 + - autoscaling_3 plugin: - - aws + - aws service: - - AWS/AutoScaling + - AWS/AutoScaling +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_autoscaling_use_multiple_instance_types_in_multiple_az.yaml b/compliance/controls/aws/aws_autoscaling_use_multiple_instance_types_in_multiple_az.yaml index 45c3f9efb..8beef146b 100755 --- a/compliance/controls/aws/aws_autoscaling_use_multiple_instance_types_in_multiple_az.yaml +++ b/compliance/controls/aws/aws_autoscaling_use_multiple_instance_types_in_multiple_az.yaml 
@@ -1,69 +1,26 @@ ID: aws_autoscaling_use_multiple_instance_types_in_multiple_az Title: "EC2 auto scaling groups should use multiple instance types in multiple availability zones" Description: "This control checks whether an AWS EC2 Auto Scaling group uses multiple instance types. The control fails if the Auto Scaling group has only one instance type defined." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with autoscaling_groups as ( - select - autoscaling_group_arn, - title, - mixed_instances_policy_launch_template_overrides, - region, - tags, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - _ctx, - account_id - from - aws_ec2_autoscaling_group - ), - distinct_instance_types_count as ( - select - autoscaling_group_arn, - count(distinct(e -> 'InstanceType')) as distinct_instance_types - from - autoscaling_groups, - jsonb_array_elements(mixed_instances_policy_launch_template_overrides) as e - group by - autoscaling_group_arn, - title, - mixed_instances_policy_launch_template_overrides - ) - select - a.autoscaling_group_arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.distinct_instance_types > 1 then 'ok' - else 'alarm' - end as status, - case - when b.distinct_instance_types > 1 then title || ' uses ' || b.distinct_instance_types || ' instance types.' - else title || ' does not use multiple instance types.' 
- end as reason - - , a.region, a.account_id - from - autoscaling_groups as a - left join distinct_instance_types_count as b on a.autoscaling_group_arn = b.autoscaling_group_arn; + QueryToExecute: "with autoscaling_groups as (\n select\n autoscaling_group_arn,\n title,\n mixed_instances_policy_launch_template_overrides,\n region,\n tags,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n _ctx,\n account_id\nfrom\n aws_ec2_autoscaling_group\n),\ndistinct_instance_types_count as (\n select\n autoscaling_group_arn,\n count(distinct(e -> 'InstanceType')) as distinct_instance_types\nfrom\n autoscaling_groups,\n jsonb_array_elements(mixed_instances_policy_launch_template_overrides) as e\ngroup by\n autoscaling_group_arn,\n title,\n mixed_instances_policy_launch_template_overrides\n)\nselect\n a.autoscaling_group_arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.distinct_instance_types > 1 then 'ok'\n else 'alarm'\n end as status,\n case\n when b.distinct_instance_types > 1 then title || ' uses ' || b.distinct_instance_types || ' instance types.'\n else title || ' does not use multiple instance types.'\n end as reason\n \n , a.region, a.account_id\nfrom\n autoscaling_groups as a\n left join distinct_instance_types_count as b on a.autoscaling_group_arn = b.autoscaling_group_arn;\n" PrimaryTable: aws_ec2_autoscaling_group ListOfTables: - - aws_ec2_autoscaling_group + - aws_ec2_autoscaling_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - high_availability + - high_availability foundational_security_item_id: - - autoscaling_6 + - autoscaling_6 plugin: - - aws + - aws service: - - AWS/AutoScaling + - AWS/AutoScaling +IntegrationTypeName: + - aws_cloud 
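Review bot: `QueryToExecute` in this hunk is rewritten from a `|` block scalar into a single double-quoted line with `\n` escapes, which makes the SQL effectively unreviewable in a diff and forces backslash doubling wherever the query contains one; the same conversion is applied to aws_cis_compute_service_v100_10_1, 11_1, 2_11, 2_13, 2_1_1, 2_1_3, 2_1_4, 2_1_5, 2_2_2 and 2_2_3 in this commit, while the neighbouring controls keep `QueryToExecute: |`. The new string also carries over the original's whitespace-only line (`end as reason\n \n , a.region`), which suggests a serializer round-trip rather than an intended edit. The files would stay consistent with their siblings if the value remained a block scalar, i.e. `QueryToExecute: |` followed by the indented SQL, with only the Connector/IntegrationTypeName change applied. This matters most for 2_13, whose regex must now be written as `\\d` inside the quoted string and will silently change meaning if a future edit drops one backslash.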
diff --git a/compliance/controls/aws/aws_backup_plan_min_retention_35_days.yaml b/compliance/controls/aws/aws_backup_plan_min_retention_35_days.yaml
index ebc51239f..05b4db59b 100755
--- a/compliance/controls/aws/aws_backup_plan_min_retention_35_days.yaml
+++ b/compliance/controls/aws/aws_backup_plan_min_retention_35_days.yaml
@@ -1,8 +1,6 @@
ID: aws_backup_plan_min_retention_35_days
Title: "Backup plan min frequency and min retention check"
Description: "Checks if a backup plan has a backup rule that satisfies the required frequency and retention period(35 Days). The rule is non-compliant if recovery points are not created at least as often as the specified frequency or expire before the specified period."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |
@@ -43,37 +41,39 @@ Query:
all_plans as r;
PrimaryTable: aws_backup_plan
ListOfTables:
- - aws_backup_plan
+ - aws_backup_plan
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
cisa_cyber_essentials:
- - "true"
+ - "true"
fedramp_low_rev_4:
- - "true"
+ - "true"
fedramp_moderate_rev_4:
- - "true"
+ - "true"
ffiec:
- - "true"
+ - "true"
gxp_21_cfr_part_11:
- - "true"
+ - "true"
gxp_eu_annex_11:
- - "true"
+ - "true"
hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
hipaa_security_rule_2003:
- - "true"
+ - "true"
nist_800_171_rev_2:
- - "true"
+ - "true"
nist_csf:
- - "true"
+ - "true"
pci_dss_v321:
- - "true"
+ - "true"
plugin:
- - aws
+ - aws
service:
- - AWS/Backup
+ - AWS/Backup
soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_backup_plan_region_configured.yaml b/compliance/controls/aws/aws_backup_plan_region_configured.yaml
index a42daa034..fd2986d3a 100755
--- a/compliance/controls/aws/aws_backup_plan_region_configured.yaml
+++ b/compliance/controls/aws/aws_backup_plan_region_configured.yaml
@@ -1,8 +1,6 @@
ID: aws_backup_plan_region_configured
Title: "Backup plan should exist in a region"
Description: "Ensure that there exists at least one backup plan in a region. The rule is non-compliant if there are no backup plans in a region."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -34,8 +32,10 @@ Query:
left join count_plans as cp on r.account_id = cp.account_id and r.region = cp.region;
PrimaryTable: aws_backup_plan
ListOfTables:
- - aws_backup_plan
- - aws_region
+ - aws_backup_plan
+ - aws_region
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_backup_recovery_point_encryption_enabled.yaml b/compliance/controls/aws/aws_backup_recovery_point_encryption_enabled.yaml
index 7b556fb12..92f6db824 100755
--- a/compliance/controls/aws/aws_backup_recovery_point_encryption_enabled.yaml
+++ b/compliance/controls/aws/aws_backup_recovery_point_encryption_enabled.yaml
@@ -1,8 +1,6 @@
ID: aws_backup_recovery_point_encryption_enabled
Title: "Backup recovery points should be encrypted"
Description: "Ensure that a recovery point is encrypted. The rule is non-compliant if the recovery point is not encrypted."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |
@@ -23,33 +21,35 @@ Query:
aws_backup_recovery_point;
PrimaryTable: aws_backup_recovery_point
ListOfTables:
- - aws_backup_recovery_point
+ - aws_backup_recovery_point
Parameters: []
Severity: high
Tags:
category:
- - Compliance
+ - Compliance
cisa_cyber_essentials:
- - "true"
+ - "true"
ffiec:
- - "true"
+ - "true"
gxp_21_cfr_part_11:
- - "true"
+ - "true"
gxp_eu_annex_11:
- - "true"
+ - "true"
hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
hipaa_security_rule_2003:
- - "true"
+ - "true"
nist_800_171_rev_2:
- - "true"
+ - "true"
nist_csf:
- - "true"
+ - "true"
pci_dss_v321:
- - "true"
+ - "true"
plugin:
- - aws
+ - aws
service:
- - AWS/Backup
+ - AWS/Backup
soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_backup_recovery_point_manual_deletion_disabled.yaml b/compliance/controls/aws/aws_backup_recovery_point_manual_deletion_disabled.yaml
index 7b44fa82e..3b6adbf1e 100755
--- a/compliance/controls/aws/aws_backup_recovery_point_manual_deletion_disabled.yaml
+++ b/compliance/controls/aws/aws_backup_recovery_point_manual_deletion_disabled.yaml
@@ -1,8 +1,6 @@
ID: aws_backup_recovery_point_manual_deletion_disabled
Title: "Backup recovery points manual deletion should be disabled"
Description: "Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is non-compliant if the Backup Vault does not have resource-based policies or has policies without a suitable 'Deny' statement."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |
@@ -37,33 +35,35 @@ Query:
left join recovery_point_manual_deletion_disabled as d on v.arn = d.arn;
PrimaryTable: aws_backup_vault
ListOfTables:
- - aws_backup_vault
+ - aws_backup_vault
Parameters: []
Severity: high
Tags:
category:
- - Compliance
+ - Compliance
cisa_cyber_essentials:
- - "true"
+ - "true"
ffiec:
- - "true"
+ - "true"
gxp_21_cfr_part_11:
- - "true"
+ - "true"
gxp_eu_annex_11:
- - "true"
+ - "true"
hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
hipaa_security_rule_2003:
- - "true"
+ - "true"
nist_800_171_rev_2:
- - "true"
+ - "true"
nist_csf:
- - "true"
+ - "true"
pci_dss_v321:
- - "true"
+ - "true"
plugin:
- - aws
+ - aws
service:
- - AWS/Backup
+ - AWS/Backup
soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_backup_recovery_point_min_retention_35_days.yaml b/compliance/controls/aws/aws_backup_recovery_point_min_retention_35_days.yaml
index 0112bef65..70bdd69e6 100755
--- a/compliance/controls/aws/aws_backup_recovery_point_min_retention_35_days.yaml
+++ b/compliance/controls/aws/aws_backup_recovery_point_min_retention_35_days.yaml
@@ -1,8 +1,6 @@
ID: aws_backup_recovery_point_min_retention_35_days
Title: "Backup recovery points should not expire before retention period"
Description: "Ensure a recovery point expires no earlier than after the specified period. The rule is non-compliant if the recovery point has a retention point less than 35 days."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |
@@ -24,33 +22,35 @@ Query:
aws_backup_recovery_point;
PrimaryTable: aws_backup_recovery_point
ListOfTables:
- - aws_backup_recovery_point
+ - aws_backup_recovery_point
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
cisa_cyber_essentials:
- - "true"
+ - "true"
ffiec:
- - "true"
+ - "true"
gxp_21_cfr_part_11:
- - "true"
+ - "true"
gxp_eu_annex_11:
- - "true"
+ - "true"
hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
hipaa_security_rule_2003:
- - "true"
+ - "true"
nist_800_171_rev_2:
- - "true"
+ - "true"
nist_csf:
- - "true"
+ - "true"
pci_dss_v321:
- - "true"
+ - "true"
plugin:
- - aws
+ - aws
service:
- - AWS/Backup
+ - AWS/Backup
soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_backup_vault_region_configured.yaml b/compliance/controls/aws/aws_backup_vault_region_configured.yaml
index 02086a5e7..4e461dd07 100755
--- a/compliance/controls/aws/aws_backup_vault_region_configured.yaml
+++ b/compliance/controls/aws/aws_backup_vault_region_configured.yaml
@@ -1,8 +1,6 @@
ID: aws_backup_vault_region_configured
Title: "Backup vaults should exist in a region"
Description: "Ensure that there exists at least one backup vault in a region. The rule is non-compliant if there are no backup vaults in a region."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -34,8 +32,10 @@ Query:
left join count_vaults as v on r.account_id = v.account_id and r.region = v.region;
PrimaryTable: aws_backup_vault
ListOfTables:
- - aws_backup_vault
- - aws_region
+ - aws_backup_vault
+ - aws_region
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_10_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_10_1.yaml
index 552e2d024..cab749c67 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_10_1.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_10_1.yaml
@@ -1,23 +1,14 @@ ID: aws_cis_compute_service_v100_10_1 Title: "10.1 Ensure you are using VPC Endpoints for source code access" Description: "App Runner needs access to your application source, so it can't be encrypted. Therefore, be sure to secure the connection between your development or deployment environment and App Runner." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_11_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_11_1.yaml index 26f2c2c30..27f9b1717 100755 --- a/compliance/controls/aws/aws_cis_compute_service_v100_11_1.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_11_1.yaml 
@@ -1,23 +1,14 @@ ID: aws_cis_compute_service_v100_11_1 Title: "11.1 Ensure communications between your applications and clients is encrypted" Description: "SimSpace Weaver doesn't manage communications between your apps and the clients." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_10.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_10.yaml index 9e65759f3..48c7905ac 100755 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_10.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_10.yaml @@ -1,8 +1,6 @@ ID: aws_cis_compute_service_v100_2_10 Title: "2.10 Ensure unused ENIs are removed" Description: "Identify and delete any unused Amazon AWS Elastic Network Interfaces in order to adhere to best practices and to avoid reaching the service limit. An AWS Elastic Network Interface (ENI) is pronounced unused when is not attached anymore to an EC2 instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_ec2_network_interface; PrimaryTable: aws_ec2_network_interface ListOfTables: - - aws_ec2_network_interface + - aws_ec2_network_interface Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_11.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_11.yaml
index 6ecd2e03b..8da2c42fb 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_11.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_11.yaml
@@ -1,31 +1,14 @@ ID: aws_cis_compute_service_v100_2_11 Title: "2.11 Ensure instances stopped for over 90 days are removed" Description: "Enable this rule to help with the baseline configuration of Amazon Elastic Compute Cloud (Amazon EC2) instances by checking whether Amazon EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when instance_state not in ('stopped', 'stopping') then 'skip' - when state_transition_time <= (current_date - interval '90' day) then 'alarm' - else 'ok' - end as status, - case - when instance_state not in ('stopped', 'stopping') then title || ' is in ' || instance_state || ' state.' - else title || ' stopped since ' || to_char(state_transition_time , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - state_transition_time) || ' days).' - end as reason - - - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when instance_state not in ('stopped', 'stopping') then 'skip'\n when state_transition_time <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end as status,\n case\n when instance_state not in ('stopped', 'stopping') then title || ' is in ' || instance_state || ' state.'\n else title || ' stopped since ' || to_char(state_transition_time , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - state_transition_time) || ' days).'\n end as reason\n \n \nfrom\n aws_ec2_instance;" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_12.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_12.yaml
index 95ffc4307..6cc97666a 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_12.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_12.yaml
@@ -1,8 +1,6 @@
ID: aws_cis_compute_service_v100_2_12
Title: "2.12 Ensure EBS volumes attached to an EC2 instance is marked for deletion upon instance termination"
Description: "This rule ensures that Amazon Elastic Block Store volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances are marked for deletion when an instance is terminated. If an Amazon EBS volume isn't deleted when the instance that it's attached to is terminated, it may violate the concept of least functionality."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -35,7 +33,9 @@ Query:
left join ebs_volume_with_delete_on_termination_enabled as e on e.arn = i.arn;
PrimaryTable: aws_ec2_instance
ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_13.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_13.yaml
index f00621ae1..7b75f6aa5 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_13.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_13.yaml
@@ -1,32 +1,14 @@ ID: aws_cis_compute_service_v100_2_13 Title: "2.13 Ensure Secrets and Sensitive Data are not stored directly in EC2 User Data" Description: "User Data can be specified when launching an ec2 instance. Examples include specifying parameters for configuring the instance or including a simple script." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when user_data like any (array ['%pass%', '%secret%','%token%','%key%']) - or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then 'alarm' - else 'ok' - end as status, - case - when user_data like any (array ['%pass%', '%secret%','%token%','%key%']) - or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then instance_id ||' potential secret found in user data.' - else instance_id || ' no secrets found in user data.' - end as reason - - - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when user_data like any (array ['%pass%', '%secret%','%token%','%key%'])\n or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]' then 'alarm'\n else 'ok'\n end as status,\n case\n when user_data like any (array ['%pass%', '%secret%','%token%','%key%'])\n or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]' then instance_id ||' potential secret found in user data.'\n else instance_id || ' no secrets found in user data.'\n end as reason\n \n \nfrom\n aws_ec2_instance;" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
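Review bot: The secret check in this query is case-sensitive: `user_data like any (array ['%pass%', '%secret%','%token%','%key%'])` does not match `PASSWORD=`, `Secret` or `API_KEY`, so changing both the status and the reason branch to `user_data ilike any (array ['%pass%', '%secret%','%token%','%key%'])` closes an obvious detection gap. The regex alternative `(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]` is satisfied by any user data that contains one lowercase letter, one uppercase letter, one digit and one of those symbols anywhere in the whole text, which describes most non-trivial shell scripts, so the 'alarm' result is likely dominated by false positives unless the match is bounded to a single token of some minimum length. In the new quoted-string form the regex backslashes are YAML-escaped (`\\d`), so the intended pattern has to be verified on the parsed value rather than on the file text. Whether the `aws_ec2_instance` table exposes `user_data` decoded or still base64-encoded is not visible here; if it is encoded, neither check inspects the actual script.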
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_14.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_14.yaml
index b6dc56cc3..1140fca49 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_14.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_14.yaml
@@ -1,8 +1,6 @@
ID: aws_cis_compute_service_v100_2_14
Title: "2.14 Ensure EC2 Auto Scaling Groups Propagate Tags to EC2 Instances that it launches"
Description: "Tags can help with managing, identifying, organizing, searching for, and filtering resources. Additionally, tags can help with security and compliance. Tags can be propagated from an Auto Scaling group to the EC2 instances that it launches."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -35,7 +33,9 @@ Query:
left join propagate_tags_to_ec2_instance as i on i.autoscaling_group_arn = p.autoscaling_group_arn;
PrimaryTable: aws_ec2_autoscaling_group
ListOfTables:
- - aws_ec2_autoscaling_group
+ - aws_ec2_autoscaling_group
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_1.yaml
index 566b283c3..c3cb20717 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_1.yaml
@@ -1,23 +1,14 @@ ID: aws_cis_compute_service_v100_2_1_1 Title: "2.1.1 Ensure Consistent Naming Convention is used for Organizational AMI" Description: "The naming convention for AMI (Amazon Machine Images) should be documented and followed for any AMI's created." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml index 6aefdb0ff..15041e5d5 100755 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_2.yaml @@ -1,8 +1,6 @@ ID: aws_cis_compute_service_v100_2_1_2 Title: "2.1.2 Ensure Images (AMI's) are encrypted" Description: "Amazon Machine Images should utilize EBS Encrypted snapshots" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -40,7 +38,9 @@ Query: encryption_status; PrimaryTable: aws_ec2_ami ListOfTables: - - aws_ec2_ami + - aws_ec2_ami Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_3.yaml index 00b3a1990..5f74a1385 100755 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_3.yaml 
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_3.yaml @@ -1,23 +1,14 @@ ID: aws_cis_compute_service_v100_2_1_3 Title: "2.1.3 Ensure Only Approved AMIs (Images) are Used" Description: "Ensure that all base AMIs utilized are approved for use by your organization." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_4.yaml index 6c231fe9c..4fcebc363 100755 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_4.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_4.yaml 
@@ -1,27 +1,14 @@ ID: aws_cis_compute_service_v100_2_1_4 Title: "2.1.4 Ensure Images (AMI) are not older than 90 days" Description: "Ensure that your AMIs are not older than 90 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - image_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when creation_date >= (current_date - interval '90 days') then 'ok' - else 'alarm' - end as status, - title || ' created ' || to_char(creation_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - creation_date) || ' days).' as reason - - - from - aws_ec2_ami; + QueryToExecute: "select\n image_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when creation_date >= (current_date - interval '90 days') then 'ok'\n else 'alarm'\n end as status,\n title || ' created ' || to_char(creation_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - creation_date) || ' days).' as reason\n \n \nfrom\n aws_ec2_ami;" PrimaryTable: aws_ec2_ami ListOfTables: - - aws_ec2_ami + - aws_ec2_ami Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_5.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_5.yaml index 16abde8d7..35a7abb01 100755 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_1_5.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_1_5.yaml 
@@ -1,30 +1,14 @@ ID: aws_cis_compute_service_v100_2_1_5 Title: "2.1.5 Ensure Images are not Publicly Available" Description: "EC2 allows you to make an AMI public, sharing it with all AWS accounts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':image/' || image_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when public then 'alarm' - else 'ok' - end status, - case - when public then title || ' publicly accessible.' - else title || ' not publicly accessible.' - end reason - - - from - aws_ec2_ami; + QueryToExecute: "select\n 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':image/' || image_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when public then 'alarm'\n else 'ok'\n end status,\n case\n when public then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end reason\n \n \nfrom\n aws_ec2_ami;" PrimaryTable: aws_ec2_ami ListOfTables: - - aws_ec2_ami + - aws_ec2_ami Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_1.yaml index d43907f75..27a4406b4 100755 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_1.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_1.yaml @@ -1,8 +1,6 @@ ID: aws_cis_compute_service_v100_2_2_1 Title: "2.2.1 Ensure EBS volume encryption is enabled" Description: "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query:
aws_ebs_volume;
PrimaryTable: aws_ebs_volume
ListOfTables:
- - aws_ebs_volume
+ - aws_ebs_volume
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_2.yaml
index f2ebd20eb..321f95316 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_2.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_2.yaml
@@ -1,30 +1,14 @@ ID: aws_cis_compute_service_v100_2_2_2 Title: "2.2.2 Ensure public access to EBS Snapshots is disabled" Description: "To protect your data disable the public mode of EBS snapshots." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then 'alarm' - else 'ok' - end as status, - case - when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then title || ' is publicly restorable.' - else title || ' is not publicly restorable.' - end as reason - - - from - aws_ebs_snapshot; + QueryToExecute: "select\n 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_volume_permissions @> '[{\"Group\": \"all\", \"UserId\": null}]' then 'alarm'\n else 'ok'\n end as status,\n case\n when create_volume_permissions @> '[{\"Group\": \"all\", \"UserId\": null}]' then title || ' is publicly restorable.'\n else title || ' is not publicly restorable.'\n end as reason\n \n \nfrom\n aws_ebs_snapshot;" PrimaryTable: aws_ebs_snapshot ListOfTables: - - aws_ebs_snapshot + - aws_ebs_snapshot Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_3.yaml index 8f83f43e9..7dcf70638 100755 --- a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_3.yaml +++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_3.yaml 
@@ -1,30 +1,14 @@
 ID: aws_cis_compute_service_v100_2_2_3
 Title: "2.2.3 Ensure EBS volume snapshots are encrypted"
 Description: "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when encrypted then 'ok'
- else 'alarm'
- end as status,
- case
- when encrypted then title || ' encryption enabled.'
- else title || ' encryption disabled.'
- end as reason
-
-
- from
- aws_ebs_snapshot;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then title || ' encryption enabled.'\n else title || ' encryption disabled.'\n end as reason\n \n \nfrom\n aws_ebs_snapshot;"
 PrimaryTable: aws_ebs_snapshot
 ListOfTables:
- - aws_ebs_snapshot
+ - aws_ebs_snapshot
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_4.yaml
index 0240f006d..f0e140b44 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_2_4.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_2_4.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_compute_service_v100_2_2_4
 Title: "2.2.4 Ensure unused EBS volumes are removed"
 Description: "Identify any unused Elastic Block Store (EBS) volumes in your AWS account and remove them."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ebs_volume;
 PrimaryTable: aws_ebs_volume
 ListOfTables:
- - aws_ebs_volume
+ - aws_ebs_volume
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_3.yaml
index 66ca34ba0..69fd5c7c1 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_3.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_3.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_compute_service_v100_2_3
 Title: "2.3 Ensure Tag Policies are enabled"
 Description: "Tag policies help you standardize tags on all tagged resources across your organization."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,7 +35,9 @@ Query:
 tag_policy_enabled;
 PrimaryTable: aws_organizations_policy
 ListOfTables:
- - aws_organizations_policy
+ - aws_organizations_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_4.yaml
index 7fd493fb2..867b321e5 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_4.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_4.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_2_4
 Title: "2.4 Ensure an Organizational EC2 Tag Policy has been created"
 Description: "A tag policy enables you to define tag compliance rules to help you maintain consistency in the tags attached to your organization's resources."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_5.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_5.yaml
index 997dd5a43..1eee5603a 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_5.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_5.yaml
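Review bot: The query for this control emits a fixed `'info'` / `'Manual verification required.'` row per account, so it yields no pass/fail signal, and with `Tags: {}` nothing in the file marks it as a manual control for someone triaging results. A comment above `QueryToExecute` such as `# Manual CIS item: emits one informational row per account, no automated check` would make that explicit. The same placeholder query is used by the hunks for 3_1, 3_10, 3_11, 3_12, 3_2, 3_7, 3_8, 3_9, 4_1, 4_10, 4_11, 4_3, 4_4, 4_5 and 4_7 in this series.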
@@ -1,28 +1,14 @@
 ID: aws_cis_compute_service_v100_2_5
 Title: "2.5 Ensure no AWS EC2 Instances are older than 180 days"
 Description: "Identify any running AWS EC2 instances older than 180 days."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- instance_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- launch_time,
- case
- when launch_time >= (current_date - interval '180 days') then 'ok'
- else 'alarm'
- end as status,
- title || ' created ' || to_char(launch_time , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - launch_time) || ' days).' as reason
-
-
- from
- aws_ec2_instance;
+ QueryToExecute: "select\n instance_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n launch_time,\n case\n when launch_time >= (current_date - interval '180 days') then 'ok'\n else 'alarm'\n end as status,\n title || ' created ' || to_char(launch_time , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - launch_time) || ' days).' as reason\n \n \nfrom\n aws_ec2_instance;"
 PrimaryTable: aws_ec2_instance
 ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_6.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_6.yaml
index a16c6f1c0..a6b8d8563 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_6.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_6.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_compute_service_v100_2_6
 Title: "2.6 Ensure detailed monitoring is enable for production EC2 Instances"
 Description: "Ensure that detailed monitoring is enabled for your Amazon EC2 instances."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ec2_instance;
 PrimaryTable: aws_ec2_instance
 ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_8.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_8.yaml
index 8cc21bc82..ba14321b0 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_8.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_8.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_compute_service_v100_2_8
 Title: "2.8 Ensure the Use of IMDSv2 is Enforced on All Existing Instances"
 Description: "Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled on all running instances."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ec2_instance;
 PrimaryTable: aws_ec2_instance
 ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_2_9.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_2_9.yaml
index 8c7cfee33..466d82d46 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_2_9.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_2_9.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_compute_service_v100_2_9
 Title: "2.9 Ensure use of AWS Systems Manager to manage EC2 instances"
 Description: "An inventory and management of Amazon Elastic Compute Cloud (Amazon EC2) instances is made possible with AWS Systems Manager."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 left join aws_ssm_managed_instance m on m.instance_id = i.instance_id;
 PrimaryTable: aws_ec2_instance
 ListOfTables:
- - aws_ec2_instance
- - aws_ssm_managed_instance
+ - aws_ec2_instance
+ - aws_ssm_managed_instance
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_1.yaml
index b172811e3..60a3b2aed 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_1.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_1.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_3_1
 Title: "3.1 Apply updates to any apps running in Lightsail"
 Description: "Amazon Lightsail is a virtual private server (VPS) provider and is the easiest way to get started with AWS for developers, small businesses, students, and other users who need a solution to build and host their applications on cloud."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_10.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_10.yaml
index 0054392fd..6dd806679 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_10.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_10.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_3_10
 Title: "3.10 Enable storage bucket access logging"
 Description: "Access logging provides detailed records for the requests that are made to this bucket. This information can include the request type, the resources that are specified in the request, and the time and date that the request was processed. Access logs are useful for many applications."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;\n"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_11.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_11.yaml
index 5bb34fc3e..1b6e282da 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_11.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_11.yaml
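Review bot: The new `QueryToExecute` string for 3.10 ends in `aws_account;\n"` because the removed scalar used `|` where its sibling controls use `|-`, so this file alone carries a trailing newline in an otherwise identical placeholder query. It is harmless for execution, but it makes a byte comparison of the series differ for no reason; ending it with `aws_account;"` (or using `|-` throughout) keeps the files consistent.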
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_3_11
 Title: "3.11 Ensure your Windows Server based lightsail instances are updated with the latest security patches"
 Description: "Windows server based Lightsail instances are still managed by the consumer and any security updates or patches have to be installed and maintained by the user."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_12.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_12.yaml
index d646bb7e8..4f072f01c 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_12.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_12.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_3_12
 Title: "3.12 Change the auto-generated password for Windows based instances"
 Description: "When you create a Windows Server-based instance, Lightsail randomly generates a long password that is hard to guess. You use this password uniquely with your new instance. You can use the default password to connect quickly to your instance using remote desktop (RDP). You are always logged in as the Administrator on your Lightsail instance."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_2.yaml
index 905a8a393..34e5381a5 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_2.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_2.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_3_2
 Title: "3.2 Change default Administrator login names and passwords for applications"
 Description: "Change the default settings for the administrator login names and passwords of the application software that you install on Lightsail instances."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_3.yaml
index 413e6fddb..dc830cfd9 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_3.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_3.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_compute_service_v100_3_3
 Title: "3.3 Disable SSH and RDP ports for Lightsail instances when not needed"
 Description: "Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should remove and disable these ports when not is use."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -53,7 +51,9 @@ Query:
 left join insecure_ports p on i.name = p.name;
 PrimaryTable: aws_lightsail_instance
 ListOfTables:
- - aws_lightsail_instance
+ - aws_lightsail_instance
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_5.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_5.yaml
index 2155d7bdb..435219ba6 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_5.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_5.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_compute_service_v100_3_5
 Title: "3.5 Ensure RDP is restricted to only IP address that should have this access"
 Description: "Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should identify which IP address need access."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -52,7 +50,9 @@ Query:
 left join unrestricted_rdp_ports urp on i.name = urp.name;
 PrimaryTable: aws_lightsail_instance
 ListOfTables:
- - aws_lightsail_instance
+ - aws_lightsail_instance
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_6.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_6.yaml
index f8d2f74cc..872817653 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_6.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_6.yaml
@@ -1,30 +1,14 @@
 ID: aws_cis_compute_service_v100_3_6
 Title: "3.6 Disable IPv6 Networking if not in use within your organization"
 Description: "Any protocols enable within Lightsail by default that aren't being used should be disabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- name as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when ip_v6_addresses is null then 'ok'
- else 'alarm'
- end as status,
- case
- when ip_v6_addresses is null then name || ' has IPv6 networking disabled.'
- else name || ' has IPv6 networking enabled.'
- end as reason
-
-
- from
- aws_lightsail_instance;
+ QueryToExecute: "select\n name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when ip_v6_addresses is null then 'ok'\n else 'alarm'\n end as status,\n case\n when ip_v6_addresses is null then name || ' has IPv6 networking disabled.'\n else name || ' has IPv6 networking enabled.'\n end as reason\n \n \nfrom\n aws_lightsail_instance;"
 PrimaryTable: aws_lightsail_instance
 ListOfTables:
- - aws_lightsail_instance
+ - aws_lightsail_instance
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_7.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_7.yaml
index 8aebb3ee9..a2ac737e9 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_7.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_7.yaml
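Review bot: The test `when ip_v6_addresses is null then 'ok'` treats only SQL NULL as "IPv6 disabled"; if the collector stores an empty array for instances without IPv6 addresses, those instances would be reported as `alarm` with `has IPv6 networking enabled.`, a false alarm that would be hard to spot from the message. A guard such as `when ip_v6_addresses is null or jsonb_array_length(ip_v6_addresses) = 0 then 'ok'` (adjusted to the column's actual type) covers both representations; worth confirming against collected data. The same condition is repeated in the `reason` branch and would need the same change.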
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_3_7
 Title: "3.7 Ensure you are using an IAM policy to manage access to buckets in Lightsail"
 Description: "The following policy grants a user access to manage a specific bucket in the Amazon Lightsail object storage service."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_8.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_8.yaml
index 9bb9f0b0d..d005902f7 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_8.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_8.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_3_8
 Title: "3.8 Ensure Lightsail instances are attached to the buckets"
 Description: "Attaching an Amazon Lightsail instance to a Lightsail storage bucket gives it full programmatic access to the bucket and its objects."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_3_9.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_3_9.yaml
index 020b5d30a..c1738d006 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_3_9.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_3_9.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_3_9
 Title: "3.9 Ensure that your Lightsail buckets are not publicly accessible"
 Description: "You can make all objects private, public (read-only) or private while making individual objects public (read-only). By default when creating a bucket the permissions are set to 'All objects are private'."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_1.yaml
index 573e92444..0c490209f 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_1.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_1.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_4_1
 Title: "4.1 Ensure AWS Config is enabled for Lambda and serverless"
 Description: "With AWS Config, you can track configuration changes to the Lambda functions (including deleted functions), runtime environments, tags, handler name, code size, memory allocation, timeout settings, and concurrency settings, along with Lambda IAM execution role, subnet, and security group associations."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_10.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_10.yaml
index 8c6a2eaf2..c21944fda 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_10.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_10.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_4_10
 Title: "4.10 Ensure Lambda functions do not allow unknown cross account access via permission policies"
 Description: "Ensure that all your Amazon Lambda functions are configured to allow access only to trusted AWS accounts in order to protect against unauthorized cross-account access."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_11.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_11.yaml
index 69fb30ccb..eb27b1e2e 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_11.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_11.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_4_11
 Title: "4.11 Ensure that the runtime environment versions used for your Lambda functions do not have end of support dates"
 Description: "Always using a recent version of the execution environment configured for your Amazon Lambda functions adheres to best practices for the newest software features, the latest security patches and bug fixes, and performance and reliability."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_12.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_12.yaml
index a34fb4a38..44a66be55 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_12.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_12.yaml
@@ -1,30 +1,14 @@
 ID: aws_cis_compute_service_v100_4_12
 Title: "4.12 Ensure encryption in transit is enabled for Lambda environment variables"
 Description: "As you can set your own environmental variables for Lambda it is important to also encrypt them for in transit protection."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when kms_key_arn is null then 'alarm'
- else 'ok'
- end as status,
- case
- when kms_key_arn is null then title || ' encryption is disabled.'
- else title || ' encryption is enabled.'
- end as reason
-
-
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_key_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_key_arn is null then title || ' encryption is disabled.'\n else title || ' encryption is enabled.'\n end as reason\n \n \nfrom\n aws_lambda_function;"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_2.yaml
index 025cf865a..f8b8a4861 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_2.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_2.yaml
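Review bot: The check `when kms_key_arn is null then 'alarm'` does not measure encryption in transit as the title states; it tests whether a customer-managed KMS key is configured for the function, and the reason text `' encryption is disabled.'` overstates a null key, which presumably means the service-managed default key rather than no encryption at all. Rewording the reason to what is actually measured, e.g. `title || ' environment variables are not encrypted with a customer-managed KMS key.'`, or adding a comment above `QueryToExecute` stating that a null `kms_key_arn` is treated as non-compliant by policy, would keep findings from being misread.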
@@ -1,38 +1,14 @@
 ID: aws_cis_compute_service_v100_4_2
 Title: "4.2 Ensure Cloudwatch Lambda insights is enabled"
 Description: "Ensure that Amazon CloudWatch Lambda Insights is enabled for your Amazon Lambda functions for enhanced monitoring."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when exists (
- select 1
- from jsonb_array_elements(layers) as l
- where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'
- ) then 'ok'
- else 'alarm'
- end as status,
- case
- when exists (
- select 1
- from jsonb_array_elements(layers) as l
- where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'
- ) then title || ' CloudWatch Insights enabled.'
- else title || ' CloudWatch Insights disabled.'
- end as reason
-
-
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when exists (\n select 1\n from jsonb_array_elements(layers) as l\n where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'\n ) then 'ok'\n else 'alarm'\n end as status,\n case\n when exists (\n select 1\n from jsonb_array_elements(layers) as l\n where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'\n ) then title || ' CloudWatch Insights enabled.'\n else title || ' CloudWatch Insights disabled.'\n end as reason\n \n \nfrom\n aws_lambda_function;"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_3.yaml
index 7283fcaec..2ac7ad808 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_3.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_3.yaml
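Review bot: The layer match `like '%:layer:LambdaInsightsExtension:%'` requires the layer name to be exactly `LambdaInsightsExtension`, so a function that attaches a differently named variant of the Insights layer (the Arm64 build of the layer, for example, carries a suffix on the name) would be reported as `CloudWatch Insights disabled.`; loosening both occurrences to `like '%:layer:LambdaInsightsExtension%'` keeps the `:layer:` anchor while accepting a suffix. The `exists` subquery is also duplicated verbatim in the `status` and `reason` branches; evaluating it once in a CTE or lateral join would stop the two copies drifting apart on the next edit.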
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_4_3
 Title: "4.3 Ensure AWS Secrets manager is configured and being used by Lambda for databases"
 Description: "Lambda functions often have to access a database or other services within your environment."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_4.yaml
index 625472ffd..d8c74901d 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_4.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_4.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_4_4
 Title: "4.4 Ensure least privilege is used with Lambda function access"
 Description: "Lambda is fully integrated with IAM, allowing you to control precisely what each Lambda function can do within the AWS Cloud. As you develop a Lambda function, you expand the scope of this policy to enable access to other resources. For example, for a function that processes objects put into an S3 bucket, it requires read access to objects stored in that bucket."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_5.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_5.yaml
index 2b154dec7..563e6d9fe 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_5.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_5.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_4_5
 Title: "4.5 Ensure every Lambda function has its own IAM Role"
 Description: "Every Lambda function should have a one to one IAM execution role and the roles should not be shared between functions."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_6.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_6.yaml
index 8d7826c33..7b69b1036 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_6.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_6.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_compute_service_v100_4_6
 Title: "4.6 Ensure Lambda functions are not exposed to everyone"
 Description: "A publicly accessible Amazon Lambda function is open to the public and can be reviewed by anyone. To protect against unauthorized users that are sending requests to invoke these functions they need to be changed so they are not exposed to the public"
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -40,7 +38,9 @@ Query:
 left join wildcard_action_policies as p on p.arn = f.arn;
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_7.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_7.yaml
index e19d5c97a..2b245095a 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_7.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_7.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_4_7
 Title: "4.7 Ensure Lambda functions are referencing active execution"
 Description: "In order to have the necessary permissions to access the AWS cloud services and resources Amazon Lambda functions should be associated with active(available) execution roles."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_8.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_8.yaml
index 9ff300271..b76cdea81 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_8.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_8.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_4_8
 Title: "4.8 Ensure that Code Signing is enabled for Lambda functions"
 Description: "Ensure that all your Amazon Lambda functions are configured to use the Code Signing feature in order to restrict the deployment of unverified code."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_4_9.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_4_9.yaml
index 62b89dd33..1c708cf79 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_4_9.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_4_9.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_4_9
 Title: "4.9 Ensure there are no Lambda functions with admin privileges within your AWS account"
 Description: "Ensure that your Amazon Lambda functions don't have administrative permissions potentially giving the function access to all AWS cloud services and resources."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_5_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_5_1.yaml
index 915cf790f..c4612554e 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_5_1.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_5_1.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_5_1
 Title: "5.1 Ensure AWS Batch is configured with AWS Cloudwatch Logs"
 Description: "You can configure Batch jobs to send log information to CloudWatch Logs."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_5_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_5_2.yaml
index fd3f30828..e2911a523 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_5_2.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_5_2.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_5_2
 Title: "5.2 Ensure Batch roles are configured for cross-service confused deputy prevention"
 Description: "The Cross-service confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_6_1.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_6_1.yaml
index 60a674bb3..2ea219033 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_6_1.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_6_1.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_6_1
 Title: "6.1 Ensure Managed Platform updates is configured"
 Description: "AWS Elastic Beanstalk regularly releases platform updates to provide fixes, software updates, and new features. With managed platform updates, you can configure your environment to automatically upgrade to the latest version of a platform during a scheduled maintenance window."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_6_2.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_6_2.yaml
index f103a74a5..7193fce99 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_6_2.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_6_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_compute_service_v100_6_2
 Title: "6.2 Ensure Persistent logs is setup and configured to S3"
 Description: "Elastic Beanstalk can be configured to automatically stream logs to the CloudWatch service."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -36,7 +34,9 @@ Query:
 left join beanstalk_environment_logs_enabled as l on e.arn = l.arn;
 PrimaryTable: aws_elastic_beanstalk_environment
 ListOfTables:
- - aws_elastic_beanstalk_environment
+ - aws_elastic_beanstalk_environment
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_6_3.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_6_3.yaml
index fbbbd007d..93f23ef67 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_6_3.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_6_3.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_6_3
 Title: "6.3 Ensure access logs are enabled"
 Description: "When you enable load balancing, your AWS Elastic Beanstalk environment is equipped with an Elastic Load Balancing load balancer to distribute traffic among the instances in your environment."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_compute_service_v100_6_4.yaml b/compliance/controls/aws/aws_cis_compute_service_v100_6_4.yaml
index 371af7f4c..e458df1c0 100755
--- a/compliance/controls/aws/aws_cis_compute_service_v100_6_4.yaml
+++ b/compliance/controls/aws/aws_cis_compute_service_v100_6_4.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_compute_service_v100_6_4
 Title: "6.4 Ensure that HTTPS is enabled on load balancer"
 Description: "The simplest way to use HTTPS with an Elastic Beanstalk environment is to assign a server certificate to your environment's load balancer."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_1.yaml b/compliance/controls/aws/aws_cis_v120_1_1.yaml
index e875026c5..2eea7f5d9 100755
--- a/compliance/controls/aws/aws_cis_v120_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_1.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v120_1_1
 Title: "1.1 Avoid the use of the \\\"root\\\" account"
 Description: "The \\\"root\\\" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_11.yaml b/compliance/controls/aws/aws_cis_v120_1_11.yaml
index 2f155eac5..2203974f2 100755
--- a/compliance/controls/aws/aws_cis_v120_1_11.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_11.yaml
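Review bot: The unchanged `Title` and `Description` context lines escape the quotes as `\\\"root\\\"`, which inside a YAML double-quoted scalar decodes to a literal backslash followed by a quote, so the control title reads `Avoid the use of the \"root\" account` at runtime rather than `"root"` (assuming the raw page shows the file bytes as they are). The same double escaping is on the Title or Description lines of 1_13 (`\\\"root\\\"`), 1_19 (`\\\"AWS Access\\\"`) and 1_22 (`\\\"*:*\\\"`). One level of escaping is enough: `Title: "1.1 Avoid the use of the \"root\" account"`. This predates the commit, but since every one of these files is being rewritten here it is the natural place to correct it.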
@@ -1,31 +1,15 @@
 ID: aws_cis_v120_1_11
 Title: "1.11 Ensure IAM password policy expires passwords within 90 days or less"
 Description: "IAM password policies can require passwords to be rotated or expired after a given number of days. It is recommended that the password policy expire passwords after 90 days or less."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || a.partition || ':::' || a.account_id as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when max_password_age <= 90 then 'ok'
- else 'alarm'
- end as status,
- case
- when max_password_age is null then 'Password expiration not set.'
- else 'Password expiration set to ' || max_password_age || ' days.'
- end as reason
- 
- from
- aws_account as a
- left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
+ QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when max_password_age <= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when max_password_age is null then 'Password expiration not set.'\n else 'Password expiration set to ' || max_password_age || ' days.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_12.yaml b/compliance/controls/aws/aws_cis_v120_1_12.yaml
index 633608e7c..943d0cd1c 100755
--- a/compliance/controls/aws/aws_cis_v120_1_12.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_12.yaml
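Review bot: The `status` case in the new `QueryToExecute` reports an account with no password policy as `alarm` only implicitly: when the left join on `aws_iam_account_password_policy` matches nothing, `max_password_age` is NULL, `max_password_age <= 90` is unknown, and control falls through to the `else 'alarm'` branch, whereas the `reason` case names the NULL case explicitly. That coupling is easy to break in a later edit that reorders or adds a `when` arm, so it is worth a SQL comment on the status case, e.g. `-- null max_password_age (no policy row, or no expiry configured) must stay 'alarm'`. The comment can be carried in the quoted string with a `\n` like the other lines, or more readably if the block scalar is kept.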
@@ -1,8 +1,6 @@
 ID: aws_cis_v120_1_12
 Title: "1.12 Ensure no root account access key exists"
 Description: "The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_iam_account_summary;
 PrimaryTable: aws_iam_account_summary
 ListOfTables:
- - aws_iam_account_summary
+ - aws_iam_account_summary
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_13.yaml b/compliance/controls/aws/aws_cis_v120_1_13.yaml
index 75458a6f6..db122813f 100755
--- a/compliance/controls/aws/aws_cis_v120_1_13.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_13.yaml
@@ -1,29 +1,14 @@
 ID: aws_cis_v120_1_13
 Title: "1.13 Ensure MFA is enabled for the \\\"root\\\" account"
 Description: "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when account_mfa_enabled then 'ok'
- else 'alarm'
- end status,
- case
- when account_mfa_enabled then 'MFA enabled for root account.'
- else 'MFA not enabled for root account.'
- end reason
- 
- from
- aws_iam_account_summary;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_mfa_enabled then 'ok'\n else 'alarm'\n end status,\n case\n when account_mfa_enabled then 'MFA enabled for root account.'\n else 'MFA not enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary;"
 PrimaryTable: aws_iam_account_summary
 ListOfTables:
- - aws_iam_account_summary
+ - aws_iam_account_summary
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_15.yaml b/compliance/controls/aws/aws_cis_v120_1_15.yaml
index a1e8659f9..35690f088 100755
--- a/compliance/controls/aws/aws_cis_v120_1_15.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_15.yaml
@@ -1,41 +1,32 @@
 ID: aws_cis_v120_1_15
 Title: "1.15 Ensure security questions are registered in the AWS account"
 Description: "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.15"
+ - "1.15"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - not_scored
+ - not_scored
 cis_version:
- - v1.2.0
+ - v1.2.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_16.yaml b/compliance/controls/aws/aws_cis_v120_1_16.yaml
index dc47ecc79..22d42b388 100755
--- a/compliance/controls/aws/aws_cis_v120_1_16.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_16.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v120_1_16
 Title: "1.16 Ensure IAM policies are attached only to groups or roles"
 Description: "By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -15,12 +13,14 @@ Query:
 else 'alarm'
 end status,
 name || ' has ' || coalesce(jsonb_array_length(attached_policy_arns),0) || ' attached policies.' as reason
- 
+ 
 from
 aws_iam_user;
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_17.yaml b/compliance/controls/aws/aws_cis_v120_1_17.yaml
index 7f49de8e6..10b98b242 100755
--- a/compliance/controls/aws/aws_cis_v120_1_17.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_17.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v120_1_17
 Title: "1.17 Maintain current contact details"
 Description: "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization. An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_18.yaml b/compliance/controls/aws/aws_cis_v120_1_18.yaml
index c0ac85a2c..aa1f21a09 100755
--- a/compliance/controls/aws/aws_cis_v120_1_18.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_18.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v120_1_18
 Title: "1.18 Ensure security contact information is registered"
 Description: "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -47,8 +45,10 @@ Query:
 c.account_id = a.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account_alternate_contact
- - aws_account
+ - aws_account_alternate_contact
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_19.yaml b/compliance/controls/aws/aws_cis_v120_1_19.yaml
index ab4383e47..17a25a3b4 100755
--- a/compliance/controls/aws/aws_cis_v120_1_19.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_19.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v120_1_19
 Title: "1.19 Ensure IAM instance roles are used for AWS resource access from instances"
 Description: "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \\\"AWS Access\\\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
- 
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_2.yaml b/compliance/controls/aws/aws_cis_v120_1_2.yaml
index f6261f527..4faa63f14 100755
--- a/compliance/controls/aws/aws_cis_v120_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_2.yaml
@@ -1,30 +1,14 @@
 ID: aws_cis_v120_1_2
 Title: "1.2 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"
 Description: "Multi-Factor Authentication (MFA) adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. It is recommended that MFA be enabled for all accounts that have a console password."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when password_enabled and not mfa_active then 'alarm'
- else 'ok'
- end as status,
- case
- when not password_enabled then user_name || ' password login disabled.'
- when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.'
- else user_name || ' password login enabled and MFA device configured.'
- end as reason
- 
- from
- aws_iam_credential_report;
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_enabled and not mfa_active then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then user_name || ' password login disabled.'\n when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.'\n else user_name || ' password login enabled and MFA device configured.'\n end as reason\n \nfrom\n aws_iam_credential_report;"
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_20.yaml b/compliance/controls/aws/aws_cis_v120_1_20.yaml
index ef3126a95..a4ee10573 100755
--- a/compliance/controls/aws/aws_cis_v120_1_20.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_20.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v120_1_20
 Title: "1.20 Ensure a support role has been created to manage incidents with AWS Support"
 Description: "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -43,8 +41,10 @@ Query:
 support_role_count;
 PrimaryTable: aws_iam_role
 ListOfTables:
- - aws_account
- - aws_iam_role
+ - aws_account
+ - aws_iam_role
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_21.yaml b/compliance/controls/aws/aws_cis_v120_1_21.yaml
index 0c38fdb7c..a7e40e194 100755
--- a/compliance/controls/aws/aws_cis_v120_1_21.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_21.yaml
@@ -1,33 +1,14 @@
 ID: aws_cis_v120_1_21
 Title: "1.21 Do not setup access keys during initial user setup for all IAM users that have a console password"
 Description: "AWS console defaults the checkbox for creating access keys to enabled. This results in many access keys being generated unnecessarily. In addition to unnecessary credentials, it also generates unnecessary management work in auditing and rotating these keys."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- -- alarm when password is enabled and the key was created within 10 seconds of the user
- when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then 'alarm'
- else 'ok'
- end as status,
- case
- when not password_enabled then user_name || ' password login disabled.'
- when access_key_1_last_rotated is null then user_name || ' has no access keys.'
- when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10)
- then user_name || ' has access key created during user creation and password login enabled.'
- else user_name || ' has access key not created during user creation.'
- end as reason
- 
- from
- aws_iam_credential_report;
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n -- alarm when password is enabled and the key was created within 10 seconds of the user\n when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then user_name || ' password login disabled.'\n when access_key_1_last_rotated is null then user_name || ' has no access keys.'\n when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10)\n then user_name || ' has access key created during user creation and password login enabled.'\n else user_name || ' has access key not created during user creation.'\n end as reason\n \nfrom\n aws_iam_credential_report;"
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_22.yaml b/compliance/controls/aws/aws_cis_v120_1_22.yaml
index 5b357f593..f6d513b22 100755
--- a/compliance/controls/aws/aws_cis_v120_1_22.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_22.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v120_1_22
 Title: "1.22 Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not created"
 Description: "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege—that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
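Review bot: The new `QueryToExecute` inspects only `access_key_1_last_rotated` against `user_creation_time`, so a user whose setup-time key is reported in the `access_key_2_*` columns would be reported as `ok`; I cannot tell from the hunk whether the credential report guarantees that the oldest key is always key 1, so this is worth confirming against the report schema before relying on the result. Either way the status case should say what it assumes, e.g. extend the existing comment line to `-- alarm when password is enabled and key 1 was created within 10 seconds of the user (key 2 is not checked)`. The `10`-second window is a tuning constant that would read better as a named `Parameters` entry than as a literal repeated in both `case` arms.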
@@ -49,7 +47,9 @@ Query:
 p.is_attached;
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
+ - aws_iam_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v120_1_3.yaml b/compliance/controls/aws/aws_cis_v120_1_3.yaml
index c8cf0c87c..d3278d646 100755
--- a/compliance/controls/aws/aws_cis_v120_1_3.yaml
+++ b/compliance/controls/aws/aws_cis_v120_1_3.yaml
@@ -1,64 +1,14 @@ ID: aws_cis_v120_1_3 Title: "1.3 Ensure credentials unused for 90 days or greater are disabled" Description: "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be removed or deactivated." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - user_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when user_name = '' - then 'info' - when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '90' day) - then 'alarm' - when password_enabled and password_last_used < (current_date - interval '90' day) - then 'alarm' - when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '90' day) - then 'alarm' - when access_key_1_active and access_key_1_last_used_date < (current_date - interval '90' day) - then 'alarm' - when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '90' day) - then 'alarm' - when access_key_2_active and access_key_2_last_used_date < (current_date - interval '90' day) - then 'alarm' - else 'ok' - end status, - user_name || - case - when not password_enabled - then ' password not enabled,' - when password_enabled and password_last_used is null - then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - else - ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ',' - end || - case - when not access_key_1_active - then ' key 1 not enabled,' - when access_key_1_active and access_key_1_last_used_date is null - then ' key 1 created ' || to_char(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' - else - ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - end || - case - 
when not access_key_2_active - then ' key 2 not enabled.' - when access_key_2_active and access_key_2_last_used_date is null - then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - else - ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - end - as reason - - from - aws_iam_credential_report; + QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when user_name = ''\n then 'info'\n when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '90' day)\n then 'alarm'\n when password_enabled and password_last_used < (current_date - interval '90' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '90' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date < (current_date - interval '90' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '90' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date < (current_date - interval '90' day)\n then 'alarm'\n else 'ok'\n end status,\n user_name ||\n case\n when not password_enabled\n then ' password not enabled,'\n when password_enabled and password_last_used is null\n then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,'\n else\n ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_1_active\n then ' key 1 not enabled,'\n when access_key_1_active and access_key_1_last_used_date is null\n then ' key 1 created ' || to_char(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,'\n else\n ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_2_active\n then ' 
key 2 not enabled.'\n when access_key_2_active and access_key_2_last_used_date is null\n then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.'\n else\n ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.'\n end\n as reason\n \nfrom\n aws_iam_credential_report;" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_1_4.yaml b/compliance/controls/aws/aws_cis_v120_1_4.yaml index b4304e66f..7fb72f3c7 100755 --- a/compliance/controls/aws/aws_cis_v120_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_4.yaml 
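Review bot: Replacing the `QueryToExecute: |-` block scalar with one double-quoted string full of `\n` escapes makes each of these controls much harder to read and to diff, and it pushes YAML escaping into the SQL itself: the 2.3 reason text now carries `AWS:*\"` and the 3.12 metric-filter regex has every backslash doubled (`'\\s*\\$\\.eventName...'`), so a later edit that drops or adds one backslash silently changes the pattern, and with it the control's alarm/ok verdict, without any parse error. The loaded value is the same as before (double-quoted `\\` folds to `\`, and `|-` also strips the trailing newline), so nothing is broken today, but the block-scalar form is the one that keeps the SQL verbatim. If a tool in the pipeline rewrote these files (the change looks generated), it should be configured to keep the literal block, i.e. `QueryToExecute: |-` followed by the SQL lines unchanged. The same conversion appears in the hunks for aws_cis_v120_1_4, aws_cis_v120_2_2, aws_cis_v120_2_3, aws_cis_v120_2_5, aws_cis_v120_2_9, aws_cis_v120_3_12 and aws_cis_v120_3_14, the last of which runs past the end of this view.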
@@ -1,28 +1,14 @@ ID: aws_cis_v120_1_4 Title: "1.4 Ensure access keys are rotated every 90 days or less" Description: "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when create_date <= (current_date - interval '90' day) then 'alarm' - else 'ok' - end status, - user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') || - ' (' || extract(day from current_timestamp - create_date) || ' days).' - as reason - - from - aws_iam_access_key; + QueryToExecute: "select\n 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end status,\n user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||\n ' (' || extract(day from current_timestamp - create_date) || ' days).'\n as reason\n \nfrom\n aws_iam_access_key;" PrimaryTable: aws_iam_access_key ListOfTables: - - aws_iam_access_key + - aws_iam_access_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_1_8.yaml b/compliance/controls/aws/aws_cis_v120_1_8.yaml index ac3b11324..20d8b98dd 100755 
--- a/compliance/controls/aws/aws_cis_v120_1_8.yaml +++ b/compliance/controls/aws/aws_cis_v120_1_8.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v120_1_8 Title: "1.8 Ensure IAM password policy require at least one number" Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one number." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,8 +22,10 @@ Query: left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_iam_account_password_policy + - aws_account + - aws_iam_account_password_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_2_2.yaml b/compliance/controls/aws/aws_cis_v120_2_2.yaml index ba44eb7d6..1ea12a32a 100755 --- a/compliance/controls/aws/aws_cis_v120_2_2.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_2.yaml 
@@ -1,32 +1,14 @@ ID: aws_cis_v120_2_2 Title: "2.2 Ensure CloudTrail log file validation is enabled." Description: "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_file_validation_enabled then 'ok' - else 'alarm' - end as status, - case - when log_file_validation_enabled then title || ' log file validation enabled.' - else title || ' log file validation disabled.' - end as reason - - - from - aws_cloudtrail_trail - where - region = home_region; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_file_validation_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when log_file_validation_enabled then title || ' log file validation enabled.'\n else title || ' log file validation disabled.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_2_3.yaml b/compliance/controls/aws/aws_cis_v120_2_3.yaml index 72de7d2c1..87912d295 100755 --- a/compliance/controls/aws/aws_cis_v120_2_3.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_3.yaml 
@@ -1,67 +1,15 @@ ID: aws_cis_v120_2_3 Title: "2.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible" Description: "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with public_bucket_data as ( - -- note the counts are not exactly CORRECT because of the jsonb_array_elements joins, - -- but will be non-zero if any matches are found - select - t.s3_bucket_name as name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx, - count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AllUsers') as all_user_grants, - count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AuthenticatedUsers') as auth_user_grants, - count(s) filter (where s ->> 'Effect' = 'Allow' and p = '*' ) as anon_statements - from - aws_cloudtrail_trail as t - left join aws_s3_bucket as b on t.s3_bucket_name = b.name - left join jsonb_array_elements(acl -> 'Grants') as acl_grant on true - left join jsonb_array_elements(policy_std -> 'Statement') as s on true - left join jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p on true - group by - t.s3_bucket_name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx - ) - select - case - when arn is null then 'arn:aws:s3::' || name - else arn - end as resource, - t.og_account_id as og_account_id, - t.og_resource_id as og_resource_id, - case - when arn is null then 'skip' - when all_user_grants > 0 then 'alarm' - when auth_user_grants > 0 then 'alarm' - when anon_statements > 0 then 'alarm' - else 'ok' - end as status, - case - when arn is null then name || ' not found in account ' || account_id || '.' 
- when all_user_grants > 0 then name || ' grants access to AllUsers in ACL.' - when auth_user_grants > 0 then name || ' grants access to AuthenticatedUsers in ACL.' - when anon_statements > 0 then name || ' grants access to AWS:*" in bucket policy.' - else name || ' does not grant anonymous access in ACL or bucket policy.' - end as reason - - - from - public_bucket_data; + QueryToExecute: "with public_bucket_data as (\n-- note the counts are not exactly CORRECT because of the jsonb_array_elements joins,\n-- but will be non-zero if any matches are found\nselect\n t.s3_bucket_name as name,\n b.arn,\n t.region,\n t.account_id,\n t.tags,\n t._ctx,\n count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AllUsers') as all_user_grants,\n count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AuthenticatedUsers') as auth_user_grants,\n count(s) filter (where s ->> 'Effect' = 'Allow' and p = '*' ) as anon_statements\nfrom\n aws_cloudtrail_trail as t\nleft join aws_s3_bucket as b on t.s3_bucket_name = b.name\nleft join jsonb_array_elements(acl -> 'Grants') as acl_grant on true\nleft join jsonb_array_elements(policy_std -> 'Statement') as s on true\nleft join jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p on true\ngroup by\n t.s3_bucket_name,\n b.arn,\n t.region,\n t.account_id,\n t.tags,\n t._ctx\n)\nselect\n case\n when arn is null then 'arn:aws:s3::' || name\n else arn\n end as resource,\n t.og_account_id as og_account_id,\n t.og_resource_id as og_resource_id,\n case\n when arn is null then 'skip'\n when all_user_grants > 0 then 'alarm'\n when auth_user_grants > 0 then 'alarm'\n when anon_statements > 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when arn is null then name || ' not found in account ' || account_id || '.'\n when all_user_grants > 0 then name || ' grants access to AllUsers in ACL.'\n when auth_user_grants > 0 then name || ' grants access to 
AuthenticatedUsers in ACL.'\n when anon_statements > 0 then name || ' grants access to AWS:*\" in bucket policy.'\n else name || ' does not grant anonymous access in ACL or bucket policy.'\n end as reason\n \n \nfrom\n public_bucket_data;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_2_4.yaml b/compliance/controls/aws/aws_cis_v120_2_4.yaml index 129039c38..4e6c03df3 100755 --- a/compliance/controls/aws/aws_cis_v120_2_4.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_4.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v120_2_4 Title: "2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs" Description: "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: region = home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_v120_2_5.yaml b/compliance/controls/aws/aws_cis_v120_2_5.yaml index d303a8927..9af82fd30 100755 --- a/compliance/controls/aws/aws_cis_v120_2_5.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_5.yaml 
@@ -1,71 +1,15 @@ ID: aws_cis_v120_2_5 Title: "2.5 Ensure AWS Config is enabled in all regions" Description: "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended to enable AWS Config be enabled in all regions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - -- pgFormatter-ignore - -- Get count for any region with all matching criteria - with global_recorders as ( - select - count(*) as global_config_recorders - from - aws_config_configuration_recorder - where - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - and recording_group -> 'AllSupported' = 'true' - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - ) - select - 'arn:aws::' || a.region || ':' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- When any of the region satisfies with above CTE - -- In left join of table, regions now having - -- 'Recording' and 'LastStatus' matching criteria can be considered as OK - when - g.global_config_recorders >= 1 - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - then 'ok' - -- Skip any regions that are disabled in the account. - when a.opt_in_status = 'not-opted-in' then 'skip' - else 'alarm' - end as status, - -- Below cases are for citing respective reasons for control state - case - when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' 
- else - case - when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,' - else a.region || ' IncludeGlobalResourceTypes disabled,' - end || - case - when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,' - else ' AllSupported disabled,' - end || - case - when status ->> 'Recording' = 'true' then ' Recording enabled' - else ' Recording disabled' - end || - case - when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.' - else ' and LastStatus is not SUCCESS.' - end - end as reason - - from - global_recorders as g, - aws_region as a - left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name; + QueryToExecute: "-- pgFormatter-ignore\n-- Get count for any region with all matching criteria\nwith global_recorders as (\n select\n count(*) as global_config_recorders\n from\n aws_config_configuration_recorder\n where\n recording_group -> 'IncludeGlobalResourceTypes' = 'true'\n and recording_group -> 'AllSupported' = 'true'\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n)\nselect\n 'arn:aws::' || a.region || ':' || a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n -- When any of the region satisfies with above CTE\n -- In left join of table, regions now having\n -- 'Recording' and 'LastStatus' matching criteria can be considered as OK\n when\n g.global_config_recorders >= 1\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n then 'ok'\n -- Skip any regions that are disabled in the account.\n when a.opt_in_status = 'not-opted-in' then 'skip'\n else 'alarm'\n end as status,\n -- Below cases are for citing respective reasons for control state\n case\n when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'\n else\n case\n when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then 
a.region || ' IncludeGlobalResourceTypes enabled,'\n else a.region || ' IncludeGlobalResourceTypes disabled,'\n end ||\n case\n when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'\n else ' AllSupported disabled,'\n end ||\n case\n when status ->> 'Recording' = 'true' then ' Recording enabled'\n else ' Recording disabled'\n end ||\n case\n when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'\n else ' and LastStatus is not SUCCESS.'\n end\n end as reason\n \nfrom\n global_recorders as g,\n aws_region as a\n left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;" PrimaryTable: aws_config_configuration_recorder ListOfTables: - - aws_config_configuration_recorder - - aws_region + - aws_config_configuration_recorder + - aws_region Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_2_6.yaml b/compliance/controls/aws/aws_cis_v120_2_6.yaml index f0ea24ab6..492a43a41 100755 --- a/compliance/controls/aws/aws_cis_v120_2_6.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_6.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v120_2_6 Title: "2.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket" Description: "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: t.region = t.home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_v120_2_7.yaml b/compliance/controls/aws/aws_cis_v120_2_7.yaml index 3a26b3acd..70f33078b 100755 --- a/compliance/controls/aws/aws_cis_v120_2_7.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_7.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v120_2_7 Title: "2.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs" Description: "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: region = home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_2_8.yaml b/compliance/controls/aws/aws_cis_v120_2_8.yaml index 27a4271bf..3a3f6584f 100755 --- a/compliance/controls/aws/aws_cis_v120_2_8.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_8.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v120_2_8 Title: "2.8 Ensure rotation for customer created CMKs is enabled" Description: "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -30,7 +28,9 @@ Query: key_manager = 'CUSTOMER'; PrimaryTable: aws_kms_key ListOfTables: - - aws_kms_key + - aws_kms_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_2_9.yaml b/compliance/controls/aws/aws_cis_v120_2_9.yaml index a0ccee0b1..b0d677997 100755 --- a/compliance/controls/aws/aws_cis_v120_2_9.yaml +++ b/compliance/controls/aws/aws_cis_v120_2_9.yaml 
@@ -1,57 +1,15 @@ ID: aws_cis_v120_2_9 Title: "2.9 Ensure VPC flow logging is enabled in all VPCs" Description: "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \\\"Rejects\\\" for VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with vpcs as ( - select - arn, - account_id, - region, - owner_id, - vpc_id, - tags, - _ctx - from - aws_vpc - order by - vpc_id - ), - flowlogs as ( - select - resource_id, - account_id, - region - from - aws_vpc_flow_log - order by - resource_id - ) - select - v.arn as resource, - v.og_account_id as og_account_id, - v.og_resource_id as og_resource_id, - case - when v.account_id <> v.owner_id then 'skip' - when f.resource_id is not null then 'ok' - else 'alarm' - end as status, - case - when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.' - when f.resource_id is not null then v.vpc_id || ' flow logging enabled.' - else v.vpc_id || ' flow logging disabled.' 
- end as reason - - from - vpcs as v - left join flowlogs as f on v.vpc_id = f.resource_id; + QueryToExecute: "with vpcs as (\n select\n arn,\n account_id,\n region,\n owner_id,\n vpc_id,\n tags,\n _ctx\n from\n aws_vpc\n order by\n vpc_id\n),\nflowlogs as (\n select\n resource_id,\n account_id,\n region\n from\n aws_vpc_flow_log\n order by\n resource_id\n)\nselect\n v.arn as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when v.account_id <> v.owner_id then 'skip'\n when f.resource_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.'\n when f.resource_id is not null then v.vpc_id || ' flow logging enabled.'\n else v.vpc_id || ' flow logging disabled.'\n end as reason\n \nfrom\n vpcs as v\n left join flowlogs as f on v.vpc_id = f.resource_id;" PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_flow_log + - aws_vpc + - aws_vpc_flow_log Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_3_11.yaml b/compliance/controls/aws/aws_cis_v120_3_11.yaml index c4605fc82..bd419d913 100755 --- a/compliance/controls/aws/aws_cis_v120_3_11.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_11.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v120_3_11 Title: "3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_3_12.yaml b/compliance/controls/aws/aws_cis_v120_3_12.yaml index b4275a750..a1634e290 100755 --- a/compliance/controls/aws/aws_cis_v120_3_12.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_12.yaml 
@@ -1,97 +1,18 @@ ID: aws_cis_v120_3_12 Title: "3.12 Ensure a log metric filter and alarm exist for changes to network gateways" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - 
alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - f.og_account_id as og_account_id, - f.og_resource_id as og_resource_id, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for changes to network gateways.' - else filter_name || ' forwards events for changes to network gateways.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateCustomerGateway.+\\$\\.eventName\\s*=\\s*DeleteCustomerGateway.+\\$\\.eventName\\s*=\\s*AttachInternetGateway.+\\$\\.eventName\\s*=\\s*CreateInternetGateway.+\\$\\.eventName\\s*=\\s*DeleteInternetGateway.+\\$\\.eventName\\s*=\\s*DetachInternetGateway'\n order by\n filter_name\n),\nfilter_data 
as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n f.og_account_id as og_account_id,\n f.og_resource_id as og_resource_id,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for changes to network gateways.'\n else filter_name || ' forwards events for changes to network gateways.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_3_13.yaml b/compliance/controls/aws/aws_cis_v120_3_13.yaml index 9f7a04136..5437a3466 100755 --- a/compliance/controls/aws/aws_cis_v120_3_13.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_13.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v120_3_13 Title: "3.13 Ensure a log metric filter and alarm exist for route table changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_3_14.yaml b/compliance/controls/aws/aws_cis_v120_3_14.yaml index 3a17b3834..5e2827cd9 100755 --- a/compliance/controls/aws/aws_cis_v120_3_14.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_14.yaml 
@@ -1,97 +1,18 @@ ID: aws_cis_v120_3_14 Title: "3.14 Ensure a log metric filter and alarm exist for VPC changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - t.og_account_id as og_account_id, - t.og_resource_id as og_resource_id, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for VPC changes.' - else filter_name || ' forwards events for VPC changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateVpc.+\\$\\.eventName\\s*=\\s*DeleteVpc.+\\$\\.eventName\\s*=\\s*ModifyVpcAttribute.+\\$\\.eventName\\s*=\\s*AcceptVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*CreateVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*DeleteVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*RejectVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*AttachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DetachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DisableVpcClassicLink.+\\$\\.eventName\\s*=\\s*EnableVpcClassicLink'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource,\nt.og_account_id as og_account_id,\nt.og_resource_id as og_resource_id,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for VPC changes.'\n else filter_name || ' forwards events for VPC changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_3_5.yaml b/compliance/controls/aws/aws_cis_v120_3_5.yaml index 32a8e4b26..7ba727d49 100755 --- a/compliance/controls/aws/aws_cis_v120_3_5.yaml +++ b/compliance/controls/aws/aws_cis_v120_3_5.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v120_3_5 Title: "3.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
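Review bot: The outer select of the rewritten QueryToExecute reads `t.og_account_id` and `t.og_resource_id`, but `t` is bound only inside the `filter_data` CTE; the outer from clause binds `a` (aws_account) and `f` (filter_data), so on a standard SQL engine `t` is an unresolved alias, and the sibling network-gateway query in the preceding hunk uses `f.` for the same two columns. Suggest `f.og_account_id as og_account_id,` and `f.og_resource_id as og_resource_id,` for consistency (whether `og_*` columns resolve through a CTE at all depends on the CloudQL engine, which the diff does not show). Separately, collapsing the `|-` block scalar into one double-quoted line with `\n` escapes forces the metric-filter regex to be written with doubled backslashes (`\\s*\\$\\.eventName`) and turns every future query edit into a single-line diff; `QueryToExecute: |-` yields the identical string value and is the form the unconverted controls in this commit (3_13, 3_5, 4_1, 4_2) keep. The same conversion appears in the hunks for aws_cis_v120_4_4, aws_cis_v130_1_1, 1_10, 1_11, 1_14, 1_15, 1_18, 1_19, 1_2 and 1_22.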
@@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_4_1.yaml b/compliance/controls/aws/aws_cis_v120_4_1.yaml index d9f83a058..9ee919024 100755 --- a/compliance/controls/aws/aws_cis_v120_4_1.yaml +++ b/compliance/controls/aws/aws_cis_v120_4_1.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v120_4_1 Title: "4.1 Ensure no security groups allow ingress from 0.0.0.0/0 to port 22" Description: "Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 22." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -44,8 +42,10 @@ Query: left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_4_2.yaml b/compliance/controls/aws/aws_cis_v120_4_2.yaml index 4ac3fb9a9..f4e88d1b5 100755 --- a/compliance/controls/aws/aws_cis_v120_4_2.yaml +++ b/compliance/controls/aws/aws_cis_v120_4_2.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v120_4_2 Title: "4.2 Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389" Description: "Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -44,8 +42,10 @@ Query: left join ingress_rdp_rules on ingress_rdp_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v120_4_4.yaml b/compliance/controls/aws/aws_cis_v120_4_4.yaml index 7ba763adc..130b515be 100755 --- a/compliance/controls/aws/aws_cis_v120_4_4.yaml +++ b/compliance/controls/aws/aws_cis_v120_4_4.yaml 
@@ -1,23 +1,14 @@ ID: aws_cis_v120_4_4 Title: "4.4 Ensure routing tables for VPC peering are \\\"least access\\\"" Description: "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_1.yaml b/compliance/controls/aws/aws_cis_v130_1_1.yaml index cc7abea99..436d8ea71 100755 --- a/compliance/controls/aws/aws_cis_v130_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_1.yaml 
@@ -1,23 +1,14 @@ ID: aws_cis_v130_1_1 Title: "1.1 Maintain current contact details" Description: "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_10.yaml b/compliance/controls/aws/aws_cis_v130_1_10.yaml index 99bb6ad94..ca7f6f5ee 100755 --- a/compliance/controls/aws/aws_cis_v130_1_10.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_10.yaml 
@@ -1,30 +1,14 @@ ID: aws_cis_v130_1_10 Title: "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password" Description: "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - user_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when password_enabled and not mfa_active then 'alarm' - else 'ok' - end as status, - case - when not password_enabled then user_name || ' password login disabled.' - when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.' - else user_name || ' password login enabled and MFA device configured.' - end as reason - - from - aws_iam_credential_report; + QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_enabled and not mfa_active then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then user_name || ' password login disabled.'\n when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.'\n else user_name || ' password login enabled and MFA device configured.'\n end as reason\n \nfrom\n aws_iam_credential_report;" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_v130_1_11.yaml b/compliance/controls/aws/aws_cis_v130_1_11.yaml
index a6b6d254e..cea06dda7 100755
--- a/compliance/controls/aws/aws_cis_v130_1_11.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_11.yaml
@@ -1,33 +1,14 @@ ID: aws_cis_v130_1_11 Title: "1.11 Do not setup access keys during initial user setup for all IAM users that have a console password" Description: "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - user_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - -- alarm when password is enabled and the key was created within 10 seconds of the user - when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then 'alarm' - else 'ok' - end as status, - case - when not password_enabled then user_name || ' password login disabled.' - when access_key_1_last_rotated is null then user_name || ' has no access keys.' - when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) - then user_name || ' has access key created during user creation and password login enabled.' - else user_name || ' has access key not created during user creation.' 
- end as reason - - from - aws_iam_credential_report; + QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n -- alarm when password is enabled and the key was created within 10 seconds of the user\n when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then user_name || ' password login disabled.'\n when access_key_1_last_rotated is null then user_name || ' has no access keys.'\n when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10)\n then user_name || ' has access key created during user creation and password login enabled.'\n else user_name || ' has access key not created during user creation.'\n end as reason\n \nfrom\n aws_iam_credential_report;" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_12.yaml b/compliance/controls/aws/aws_cis_v130_1_12.yaml index 1d1efa79b..486d541b6 100755 --- a/compliance/controls/aws/aws_cis_v130_1_12.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_12.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v130_1_12 Title: "1.12 Ensure credentials unused for 90 days or greater are disabled" Description: "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be deactivated or removed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
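Review bot: The rewritten query inspects only `access_key_1_last_rotated`, so a key created together with the user in the second slot is never examined and that user is reported as ok; the credential report also carries `access_key_2_last_rotated`, and both the status case and the reason case would need it. For the status arm that would be `when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10 or extract(epoch from (access_key_2_last_rotated - user_creation_time)) < 10) then 'alarm'`, with the matching reason arm extended the same way. Confirm the second-slot column is exposed by aws_iam_credential_report in this engine before relying on it.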
@@ -57,7 +55,9 @@ Query: aws_iam_credential_report; PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_13.yaml b/compliance/controls/aws/aws_cis_v130_1_13.yaml index 38b16d269..2d8974af3 100755 --- a/compliance/controls/aws/aws_cis_v130_1_13.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_13.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v130_1_13 Title: "1.13 Ensure there is only one active access key available for any single IAM user" Description: "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -28,8 +26,10 @@ Query: u._ctx; PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user - - aws_iam_access_key + - aws_iam_user + - aws_iam_access_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_14.yaml b/compliance/controls/aws/aws_cis_v130_1_14.yaml index 7c45c1138..1a637a699 100755 --- a/compliance/controls/aws/aws_cis_v130_1_14.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_14.yaml 
@@ -1,28 +1,14 @@ ID: aws_cis_v130_1_14 Title: "1.14 Ensure access keys are rotated every 90 days or less" Description: "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when create_date <= (current_date - interval '90' day) then 'alarm' - else 'ok' - end status, - user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') || - ' (' || extract(day from current_timestamp - create_date) || ' days).' - as reason - - from - aws_iam_access_key; + QueryToExecute: "select\n 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end status,\n user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||\n ' (' || extract(day from current_timestamp - create_date) || ' days).'\n as reason\n \nfrom\n aws_iam_access_key;" PrimaryTable: aws_iam_access_key ListOfTables: - - aws_iam_access_key + - aws_iam_access_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_15.yaml b/compliance/controls/aws/aws_cis_v130_1_15.yaml index 1334def1a..51f50d172 100755 
--- a/compliance/controls/aws/aws_cis_v130_1_15.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_15.yaml @@ -1,28 +1,14 @@ ID: aws_cis_v130_1_15 Title: "1.15 Ensure IAM Users Receive Permissions Only Through Groups" Description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when inline_policies is null and attached_policy_arns is null then 'ok' - else 'alarm' - end status, - name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' || - coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason - - - from - aws_iam_user; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when inline_policies is null and attached_policy_arns is null then 'ok'\n else 'alarm'\n end status,\n name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' ||\n coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason\n \n \nfrom\n aws_iam_user;" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user + - aws_iam_user Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_16.yaml b/compliance/controls/aws/aws_cis_v130_1_16.yaml index e164f3202..91b670a6b 100755 --- a/compliance/controls/aws/aws_cis_v130_1_16.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_16.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v130_1_16 Title: "1.16 Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not attached" Description: "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -49,7 +47,9 @@ Query: p.is_attached; PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_17.yaml b/compliance/controls/aws/aws_cis_v130_1_17.yaml index 159bfbf2e..df625e7ff 100755 --- a/compliance/controls/aws/aws_cis_v130_1_17.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_17.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v130_1_17 Title: "1.17 Ensure a support role has been created to manage incidents with AWS Support" Description: "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -43,8 +41,10 @@ Query: support_role_count; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_iam_role + - aws_account + - aws_iam_role Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_18.yaml b/compliance/controls/aws/aws_cis_v130_1_18.yaml index 6738f928b..7b8cd481c 100755 --- a/compliance/controls/aws/aws_cis_v130_1_18.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_18.yaml 
@@ -1,23 +1,14 @@ ID: aws_cis_v130_1_18 Title: "1.18 Ensure IAM instance roles are used for AWS resource access from instances" Description: "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \\\"AWS Access\\\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_19.yaml b/compliance/controls/aws/aws_cis_v130_1_19.yaml index 6ad30ac1a..d9ba2497f 100755 --- a/compliance/controls/aws/aws_cis_v130_1_19.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_19.yaml 
@@ -1,30 +1,14 @@ ID: aws_cis_v130_1_19 Title: "1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed" Description: "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case when expiration < (current_date - interval '1' second) then 'alarm' - else 'ok' - end as status, - case when expiration < (current_date - interval '1' second) then - name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.' - else - name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.' 
- end as reason - - - from - aws_iam_server_certificate; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case when expiration < (current_date - interval '1' second) then 'alarm'\n else 'ok'\n end as status,\n case when expiration < (current_date - interval '1' second) then\n name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n else\n name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n end as reason\n \n \nfrom\n aws_iam_server_certificate;" PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_2.yaml b/compliance/controls/aws/aws_cis_v130_1_2.yaml index b7bf125b1..1efb6e3a8 100755 --- a/compliance/controls/aws/aws_cis_v130_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_2.yaml 
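Review bot: `expiration < (current_date - interval '1' second)` compares against yesterday at 23:59:59, so a certificate that expired earlier today is still reported with the `' valid until '` reason until the date rolls over. Both `case` arms should compare against the current instant, `case when expiration < current_timestamp then 'alarm'`, or, if day granularity is intended, against `current_date` directly rather than via the one-second offset.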
@@ -1,55 +1,15 @@ ID: aws_cis_v130_1_2 Title: "1.2 Ensure security contact information is registered" Description: "AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with alternate_security_contact as ( - select - name, - account_id - from - aws_account_alternate_contact - where - contact_type = 'SECURITY' - ), - account as ( - select - arn, - partition, - title, - account_id, - _ctx - from - aws_account - ) - select - arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.partition = 'aws-us-gov' then 'info' - -- Name is a required field if setting a security contact - when c.name is not null then 'ok' - else 'alarm' - end as status, - case - when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.' - when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.' - else a.title || ' security contact not registered.' 
- end as reason - - from - account as a, - alternate_security_contact as c - where - c.account_id = a.account_id; + QueryToExecute: "with alternate_security_contact as (\n select\n name,\n account_id\n from\n aws_account_alternate_contact\n where\n contact_type = 'SECURITY'\n),\naccount as (\n select\n arn,\n partition,\n title,\n account_id,\n _ctx\n from\n aws_account\n)\nselect\n arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.partition = 'aws-us-gov' then 'info'\n -- Name is a required field if setting a security contact\n when c.name is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'\n when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'\n else a.title || ' security contact not registered.'\n end as reason\n \nfrom\n account as a,\n alternate_security_contact as c\nwhere\n c.account_id = a.account_id;" PrimaryTable: aws_account ListOfTables: - - aws_account_alternate_contact - - aws_account + - aws_account_alternate_contact + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_20.yaml b/compliance/controls/aws/aws_cis_v130_1_20.yaml index dfe815798..a8c7c19a3 100755 --- a/compliance/controls/aws/aws_cis_v130_1_20.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_20.yaml 
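Review bot: The rewritten query's `from account as a, alternate_security_contact as c where c.account_id = a.account_id` is an inner join, so an account with no SECURITY alternate contact yields no row at all and the `else 'alarm'` / `' security contact not registered.'` branch can never be emitted, which is exactly the failing case this control exists to report. Replace the comma join with `from account as a left join alternate_security_contact as c on c.account_id = a.account_id` and drop the `where`, so unmatched accounts surface with `c.name` null. The `_ctx` column selected in the `account` CTE is not referenced by the outer select and can be removed.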
@@ -1,8 +1,6 @@ ID: aws_cis_v130_1_20 Title: "1.20 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'" Description: "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -39,8 +37,10 @@ Query: s3account.account_id = bucket.account_id; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket - - aws_s3_account_settings + - aws_s3_bucket + - aws_s3_account_settings Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_21.yaml b/compliance/controls/aws/aws_cis_v130_1_21.yaml index e76b99758..f3a9d8df3 100755 --- a/compliance/controls/aws/aws_cis_v130_1_21.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_21.yaml 
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_1_21
 Title: "1.21 Ensure that IAM Access analyzer is enabled"
 Description: "Enable IAM Access analyzer for IAM policies about all resources. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region;
 PrimaryTable: aws_accessanalyzer_analyzer
 ListOfTables:
- - aws_region
- - aws_accessanalyzer_analyzer
+ - aws_region
+ - aws_accessanalyzer_analyzer
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_1_22.yaml b/compliance/controls/aws/aws_cis_v130_1_22.yaml
index 84f9e3fde..b398a745d 100755
--- a/compliance/controls/aws/aws_cis_v130_1_22.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_22.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v130_1_22
 Title: "1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments"
 Description: "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_1_3.yaml b/compliance/controls/aws/aws_cis_v130_1_3.yaml
index eed4dc115..a197f5177 100755
--- a/compliance/controls/aws/aws_cis_v130_1_3.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_3.yaml
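Review bot: The rewritten `QueryToExecute` replaces a `|-` block scalar with a single double-quoted string full of `\n` escapes, which is harder to read and turns any future one-line SQL change into a diff of the whole query; keeping `QueryToExecute: |-` with the statement on indented lines is the idiomatic YAML form and yields an equivalent value. The encoded string also preserves a whitespace-only line (`as reason\n \nfrom`), so trailing whitespace that a block scalar would have shown is now baked into the query text. The same re-encoding appears in the hunks for aws_cis_v130_1_3, aws_cis_v130_1_4, aws_cis_v130_1_7, aws_cis_v130_2_2_1, aws_cis_v130_3_3, aws_cis_v130_3_5 and aws_cis_v130_5_4, and in the hunk at the top of this chunk whose start is not shown here.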
@@ -1,23 +1,14 @@
 ID: aws_cis_v130_1_3
 Title: "1.3 Ensure security questions are registered in the AWS account"
 Description: "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_1_4.yaml b/compliance/controls/aws/aws_cis_v130_1_4.yaml
index a9085d5b2..8007a2fe3 100755
--- a/compliance/controls/aws/aws_cis_v130_1_4.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_4.yaml
@@ -1,29 +1,14 @@
 ID: aws_cis_v130_1_4
 Title: "1.4 Ensure no root user account access key exists"
 Description: "The root user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root user account be removed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when account_access_keys_present > 0 then 'alarm'
- else 'ok'
- end status,
- case
- when account_access_keys_present > 0 then 'Root user access keys exist.'
- else 'No root user access keys exist.'
- end reason
-
- from
- aws_iam_account_summary;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_access_keys_present > 0 then 'alarm'\n else 'ok'\n end status,\n case\n when account_access_keys_present > 0 then 'Root user access keys exist.'\n else 'No root user access keys exist.'\n end reason\n \nfrom\n aws_iam_account_summary;"
 PrimaryTable: aws_iam_account_summary
 ListOfTables:
- - aws_iam_account_summary
+ - aws_iam_account_summary
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_1_5.yaml b/compliance/controls/aws/aws_cis_v130_1_5.yaml
index 04022fd93..0a211a8a0 100755
--- a/compliance/controls/aws/aws_cis_v130_1_5.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_5.yaml
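Review bot: `end status` and `end reason` in the new `QueryToExecute` omit the `as` that every other rewritten query in this change uses (`end as status`, `end as reason`); Postgres accepts the implicit alias, but the inconsistency is worth fixing while the line is being rewritten. Because root access keys are the highest-value credential in the account, a short comment in the file noting that `account_access_keys_present` comes from the IAM account summary and reflects only the root user's keys would help the next reader confirm what the alarm actually covers.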
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_1_5
 Title: "1.5 Ensure MFA is enabled for the \\\"root user\\\" account"
 Description: "The root user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_iam_account_summary;
 PrimaryTable: aws_iam_account_summary
 ListOfTables:
- - aws_iam_account_summary
+ - aws_iam_account_summary
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_1_7.yaml b/compliance/controls/aws/aws_cis_v130_1_7.yaml
index 423085a4a..e5b42b8fe 100755
--- a/compliance/controls/aws/aws_cis_v130_1_7.yaml
+++ b/compliance/controls/aws/aws_cis_v130_1_7.yaml
@@ -1,41 +1,14 @@ ID: aws_cis_v130_1_7 Title: "1.7 Eliminate use of the root user for administrative and daily tasks" Description: "With the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - user_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when password_last_used >= (current_date - interval '90' day) then 'alarm' - when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm' - when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm' - else 'ok' - end as status, - case - when password_last_used is null then 'Root never logged in with password.' - else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).' - end || - case - when access_key_1_last_used_date is null then ' Access Key 1 never used.' - else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).' - end || - case - when access_key_2_last_used_date is null then ' Access Key 2 never used.' - else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).' 
- end as reason - - from - aws_iam_credential_report - where - user_name = ''; + QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_last_used >= (current_date - interval '90' day) then 'alarm'\n when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm'\n when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end as status,\n case\n when password_last_used is null then 'Root never logged in with password.'\n else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).'\n end ||\n case\n when access_key_1_last_used_date is null then ' Access Key 1 never used.'\n else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).'\n end ||\n case\n when access_key_2_last_used_date is null then ' Access Key 2 never used.'\n else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).'\n end as reason\n \nfrom\n aws_iam_credential_report\nwhere\n user_name = '';" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_1_8.yaml b/compliance/controls/aws/aws_cis_v130_1_8.yaml index a60029f80..fb11cce89 100755 --- a/compliance/controls/aws/aws_cis_v130_1_8.yaml +++ b/compliance/controls/aws/aws_cis_v130_1_8.yaml 
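Review bot: The access-key branches of the status `case` compare with `<=` while the password branch uses `>=`: `access_key_1_last_used_date <= (current_date - interval '90' day)` alarms when the key was last used more than 90 days ago and returns `ok` for a root key used yesterday, which looks inverted for a control meant to flag recent root usage. If that reading is right, both key branches should read `when access_key_1_last_used_date >= (current_date - interval '90' day) then 'alarm'` and likewise for `access_key_2_last_used_date`. The row filter `user_name = ''` also deserves a one-line comment, since it presumably selects the root row of `aws_iam_credential_report` and that convention is not obvious from the query — confirm against the table's root row. This hunk starts on the previous line.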
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_1_8
 Title: "1.8 Ensure IAM password policy requires minimum length of 14 or greater"
 Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
 left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_2_1_1.yaml b/compliance/controls/aws/aws_cis_v130_2_1_1.yaml
index 974529377..5c1bfcf85 100755
--- a/compliance/controls/aws/aws_cis_v130_2_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_v130_2_1_1.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_2_1_1
 Title: "2.1.1 Ensure all S3 buckets employ encryption-at-rest"
 Description: "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_s3_bucket;
 PrimaryTable: aws_s3_bucket
 ListOfTables:
- - aws_s3_bucket
+ - aws_s3_bucket
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_2_1_2.yaml b/compliance/controls/aws/aws_cis_v130_2_1_2.yaml
index 8b913c7f9..10b994b65 100755
--- a/compliance/controls/aws/aws_cis_v130_2_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_v130_2_1_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_2_1_2
 Title: "2.1.2 Ensure S3 Bucket Policy allows HTTPS requests"
 Description: "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -42,7 +40,9 @@ Query:
 left join ssl_ok as ok on ok.name = b.name;
 PrimaryTable: aws_s3_bucket
 ListOfTables:
- - aws_s3_bucket
+ - aws_s3_bucket
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_2_2_1.yaml b/compliance/controls/aws/aws_cis_v130_2_2_1.yaml
index dada7410b..fe01de6b2 100755
--- a/compliance/controls/aws/aws_cis_v130_2_2_1.yaml
+++ b/compliance/controls/aws/aws_cis_v130_2_2_1.yaml
@@ -1,30 +1,14 @@
 ID: aws_cis_v130_2_2_1
 Title: "2.2.1 Ensure EBS volume encryption is enabled"
 Description: "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when encrypted then 'ok'
- else 'alarm'
- end as status,
- case
- when encrypted then volume_id || ' encrypted.'
- else volume_id || ' not encrypted.'
- end as reason
-
-
- from
- aws_ebs_volume;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then volume_id || ' encrypted.'\n else volume_id || ' not encrypted.'\n end as reason\n \n \nfrom\n aws_ebs_volume;"
 PrimaryTable: aws_ebs_volume
 ListOfTables:
- - aws_ebs_volume
+ - aws_ebs_volume
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_3_10.yaml b/compliance/controls/aws/aws_cis_v130_3_10.yaml
index a3f5d0a41..a7c188665 100755
--- a/compliance/controls/aws/aws_cis_v130_3_10.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_10.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_3_10
 Title: "3.10 Ensure that Object-level logging for write events is enabled for S3 bucket"
 Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -48,8 +46,10 @@ Query:
 b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;
 PrimaryTable: aws_s3_bucket
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_s3_bucket
+ - aws_cloudtrail_trail
+ - aws_s3_bucket
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_3_11.yaml b/compliance/controls/aws/aws_cis_v130_3_11.yaml
index ae5058d11..6260d05fe 100755
--- a/compliance/controls/aws/aws_cis_v130_3_11.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_11.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_3_11
 Title: "3.11 Ensure that Object-level logging for read events is enabled for S3 bucket"
 Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -48,8 +46,10 @@ Query:
 b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;
 PrimaryTable: aws_s3_bucket
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_s3_bucket
+ - aws_cloudtrail_trail
+ - aws_s3_bucket
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_3_2.yaml b/compliance/controls/aws/aws_cis_v130_3_2.yaml
index 291277b65..a0e607533 100755
--- a/compliance/controls/aws/aws_cis_v130_3_2.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_3_2
 Title: "3.2 Ensure CloudTrail log file validation is enabled."
 Description: "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 region = home_region;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
+ - aws_cloudtrail_trail
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_3_3.yaml b/compliance/controls/aws/aws_cis_v130_3_3.yaml
index c9333d512..0edd6f527 100755
--- a/compliance/controls/aws/aws_cis_v130_3_3.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_3.yaml
@@ -1,67 +1,15 @@ ID: aws_cis_v130_3_3 Title: "3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible" Description: "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with public_bucket_data as ( - -- note the counts are not exactly CORRECT because of the jsonb_array_elements joins, - -- but will be non-zero if any matches are found - select - t.s3_bucket_name as name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx, - count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AllUsers') as all_user_grants, - count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AuthenticatedUsers') as auth_user_grants, - count(s) filter (where s ->> 'Effect' = 'Allow' and p = '*' ) as anon_statements - from - aws_cloudtrail_trail as t - left join aws_s3_bucket as b on t.s3_bucket_name = b.name - left join jsonb_array_elements(acl -> 'Grants') as acl_grant on true - left join jsonb_array_elements(policy_std -> 'Statement') as s on true - left join jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p on true - group by - t.s3_bucket_name, - b.arn, - t.region, - t.account_id, - t.tags, - t._ctx - ) - select - case - when arn is null then 'arn:aws:s3::' || name - else arn - end as resource, - t.og_account_id as og_account_id, - t.og_resource_id as og_resource_id, - case - when arn is null then 'skip' - when all_user_grants > 0 then 'alarm' - when auth_user_grants > 0 then 'alarm' - when anon_statements > 0 then 'alarm' - else 'ok' - end as status, - case - when arn is null then name || ' not found in account ' || account_id || '.' 
- when all_user_grants > 0 then name || ' grants access to AllUsers in ACL.' - when auth_user_grants > 0 then name || ' grants access to AuthenticatedUsers in ACL.' - when anon_statements > 0 then name || ' grants access to AWS:*" in bucket policy.' - else name || ' does not grant anonymous access in ACL or bucket policy.' - end as reason - - - from - public_bucket_data; + QueryToExecute: "with public_bucket_data as (\n-- note the counts are not exactly CORRECT because of the jsonb_array_elements joins,\n-- but will be non-zero if any matches are found\nselect\n t.s3_bucket_name as name,\n b.arn,\n t.region,\n t.account_id,\n t.tags,\n t._ctx,\n count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AllUsers') as all_user_grants,\n count(acl_grant) filter (where acl_grant -> 'Grantee' ->> 'URI' like '%acs.amazonaws.com/groups/global/AuthenticatedUsers') as auth_user_grants,\n count(s) filter (where s ->> 'Effect' = 'Allow' and p = '*' ) as anon_statements\nfrom\n aws_cloudtrail_trail as t\nleft join aws_s3_bucket as b on t.s3_bucket_name = b.name\nleft join jsonb_array_elements(acl -> 'Grants') as acl_grant on true\nleft join jsonb_array_elements(policy_std -> 'Statement') as s on true\nleft join jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p on true\ngroup by\n t.s3_bucket_name,\n b.arn,\n t.region,\n t.account_id,\n t.tags,\n t._ctx\n)\nselect\n case\n when arn is null then 'arn:aws:s3::' || name\n else arn\n end as resource,\n t.og_account_id as og_account_id,\n t.og_resource_id as og_resource_id,\n case\n when arn is null then 'skip'\n when all_user_grants > 0 then 'alarm'\n when auth_user_grants > 0 then 'alarm'\n when anon_statements > 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when arn is null then name || ' not found in account ' || account_id || '.'\n when all_user_grants > 0 then name || ' grants access to AllUsers in ACL.'\n when auth_user_grants > 0 then name || ' grants access to 
AuthenticatedUsers in ACL.'\n when anon_statements > 0 then name || ' grants access to AWS:*\" in bucket policy.'\n else name || ' does not grant anonymous access in ACL or bucket policy.'\n end as reason\n \n \nfrom\n public_bucket_data;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_3_4.yaml b/compliance/controls/aws/aws_cis_v130_3_4.yaml index 2fac830fc..770727b07 100755 --- a/compliance/controls/aws/aws_cis_v130_3_4.yaml +++ b/compliance/controls/aws/aws_cis_v130_3_4.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v130_3_4 Title: "3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs" Description: "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: region = home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
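Review bot: The `anon_statements` reason text in the new `QueryToExecute` still carries a stray quote, `' grants access to AWS:*\" in bucket policy.'`, which surfaces as `AWS:*"` in every finding; dropping the `\"` gives `' grants access to AWS:* in bucket policy.'`. The fallback resource `'arn:aws:s3::' || name` hard-codes the `aws` partition, so a trail in another partition whose bucket is not found would be reported under a wrong ARN; using the trail's partition column, if the table exposes one, would be more accurate. The policy check also counts any `Allow` statement with principal `*` without inspecting `Condition`, so a wildcard principal that is narrowed by a condition is still reported as alarm — a conservative choice for a CloudTrail bucket, but worth a sentence next to the existing count caveat so reviewers do not read the alarm as proof of public access. This hunk starts two lines up.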
diff --git a/compliance/controls/aws/aws_cis_v130_3_5.yaml b/compliance/controls/aws/aws_cis_v130_3_5.yaml
index 63b3bfa3a..b988c3009 100755
--- a/compliance/controls/aws/aws_cis_v130_3_5.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_5.yaml
@@ -1,71 +1,15 @@ ID: aws_cis_v130_3_5 Title: "3.5 Ensure AWS Config is enabled in all regions" Description: "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended to enable AWS Config be enabled in all regions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - -- pgFormatter-ignore - -- Get count for any region with all matching criteria - with global_recorders as ( - select - count(*) as global_config_recorders - from - aws_config_configuration_recorder - where - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - and recording_group -> 'AllSupported' = 'true' - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - ) - select - 'arn:aws::' || a.region || ':' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- When any of the region satisfies with above CTE - -- In left join of table, regions now having - -- 'Recording' and 'LastStatus' matching criteria can be considered as OK - when - g.global_config_recorders >= 1 - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - then 'ok' - -- Skip any regions that are disabled in the account. - when a.opt_in_status = 'not-opted-in' then 'skip' - else 'alarm' - end as status, - -- Below cases are for citing respective reasons for control state - case - when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' 
- else - case - when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,' - else a.region || ' IncludeGlobalResourceTypes disabled,' - end || - case - when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,' - else ' AllSupported disabled,' - end || - case - when status ->> 'Recording' = 'true' then ' Recording enabled' - else ' Recording disabled' - end || - case - when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.' - else ' and LastStatus is not SUCCESS.' - end - end as reason - - from - global_recorders as g, - aws_region as a - left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name; + QueryToExecute: "-- pgFormatter-ignore\n-- Get count for any region with all matching criteria\nwith global_recorders as (\n select\n count(*) as global_config_recorders\n from\n aws_config_configuration_recorder\n where\n recording_group -> 'IncludeGlobalResourceTypes' = 'true'\n and recording_group -> 'AllSupported' = 'true'\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n)\nselect\n 'arn:aws::' || a.region || ':' || a.account_id as resource,\na.og_account_id as og_account_id,\na.og_resource_id as og_resource_id,\n case\n -- When any of the region satisfies with above CTE\n -- In left join of table, regions now having\n -- 'Recording' and 'LastStatus' matching criteria can be considered as OK\n when\n g.global_config_recorders >= 1\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n then 'ok'\n -- Skip any regions that are disabled in the account.\n when a.opt_in_status = 'not-opted-in' then 'skip'\n else 'alarm'\n end as status,\n -- Below cases are for citing respective reasons for control state\n case\n when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'\n else\n case\n when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then 
a.region || ' IncludeGlobalResourceTypes enabled,'\n else a.region || ' IncludeGlobalResourceTypes disabled,'\n end ||\n case\n when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'\n else ' AllSupported disabled,'\n end ||\n case\n when status ->> 'Recording' = 'true' then ' Recording enabled'\n else ' Recording disabled'\n end ||\n case\n when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'\n else ' and LastStatus is not SUCCESS.'\n end\n end as reason\n \nfrom\n global_recorders as g,\n aws_region as a\n left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;" PrimaryTable: aws_config_configuration_recorder ListOfTables: - - aws_config_configuration_recorder - - aws_region + - aws_config_configuration_recorder + - aws_region Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v130_3_6.yaml b/compliance/controls/aws/aws_cis_v130_3_6.yaml index af3e5ae56..625015527 100755 --- a/compliance/controls/aws/aws_cis_v130_3_6.yaml +++ b/compliance/controls/aws/aws_cis_v130_3_6.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v130_3_6 Title: "3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket" Description: "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: t.region = t.home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
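Review bot: The outer `select` in the new `QueryToExecute` reads `status` and `recording_group` unqualified even though the `from` clause joins `aws_region as a` with `aws_config_configuration_recorder as r`; writing them as `r.status ->> 'Recording'` and `r.recording_group -> 'AllSupported'` makes it explicit that the recorder state drives the verdict and keeps the query from becoming ambiguous if `aws_region` ever gains a column of the same name. The re-encoding also dropped the indentation of two lines (`\na.og_account_id as og_account_id,\na.og_resource_id as og_resource_id,`), harmless to SQL but inconsistent with the rest of the query. This hunk starts two lines up.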
diff --git a/compliance/controls/aws/aws_cis_v130_3_7.yaml b/compliance/controls/aws/aws_cis_v130_3_7.yaml
index c3637738e..df7a444e7 100755
--- a/compliance/controls/aws/aws_cis_v130_3_7.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_7.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_3_7
 Title: "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
 Description: "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 region = home_region;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
+ - aws_cloudtrail_trail
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_3_8.yaml b/compliance/controls/aws/aws_cis_v130_3_8.yaml
index d4bf97ba5..1e3bd6824 100755
--- a/compliance/controls/aws/aws_cis_v130_3_8.yaml
+++ b/compliance/controls/aws/aws_cis_v130_3_8.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_3_8
 Title: "3.8 Ensure rotation for customer created CMKs is enabled"
 Description: "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -30,7 +28,9 @@ Query:
 key_manager = 'CUSTOMER';
 PrimaryTable: aws_kms_key
 ListOfTables:
- - aws_kms_key
+ - aws_kms_key
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_4_13.yaml b/compliance/controls/aws/aws_cis_v130_4_13.yaml
index 61ae11921..bb58c6f59 100755
--- a/compliance/controls/aws/aws_cis_v130_4_13.yaml
+++ b/compliance/controls/aws/aws_cis_v130_4_13.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_4_13
 Title: "4.13 Ensure a log metric filter and alarm exist for route table changes"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -86,11 +84,13 @@ Query:
 left join filter_data as f on a.account_id = f.account_id;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_cloudwatch_alarm
- - aws_sns_topic_subscription
- - aws_cloudwatch_log_metric_filter
- - aws_account
+ - aws_cloudtrail_trail
+ - aws_cloudwatch_alarm
+ - aws_sns_topic_subscription
+ - aws_cloudwatch_log_metric_filter
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_4_3.yaml b/compliance/controls/aws/aws_cis_v130_4_3.yaml
index 1af891390..c67833348 100755
--- a/compliance/controls/aws/aws_cis_v130_4_3.yaml
+++ b/compliance/controls/aws/aws_cis_v130_4_3.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_4_3
 Title: "4.3 Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -86,11 +84,13 @@ Query:
 left join filter_data as f on a.account_id = f.account_id;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_cloudwatch_alarm
- - aws_sns_topic_subscription
- - aws_cloudwatch_log_metric_filter
- - aws_account
+ - aws_cloudtrail_trail
+ - aws_cloudwatch_alarm
+ - aws_sns_topic_subscription
+ - aws_cloudwatch_log_metric_filter
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_4_8.yaml b/compliance/controls/aws/aws_cis_v130_4_8.yaml
index c23518073..5b91345ad 100755
--- a/compliance/controls/aws/aws_cis_v130_4_8.yaml
+++ b/compliance/controls/aws/aws_cis_v130_4_8.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_4_8
 Title: "4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -86,11 +84,13 @@ Query:
 left join filter_data as f on a.account_id = f.account_id;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_cloudwatch_alarm
- - aws_sns_topic_subscription
- - aws_cloudwatch_log_metric_filter
- - aws_account
+ - aws_cloudtrail_trail
+ - aws_cloudwatch_alarm
+ - aws_sns_topic_subscription
+ - aws_cloudwatch_log_metric_filter
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_5_2.yaml b/compliance/controls/aws/aws_cis_v130_5_2.yaml
index c8a70767f..97e24c2fb 100755
--- a/compliance/controls/aws/aws_cis_v130_5_2.yaml
+++ b/compliance/controls/aws/aws_cis_v130_5_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v130_5_2
 Title: "5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports"
 Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -51,8 +49,10 @@ Query:
 left join bad_rules on bad_rules.group_id = sg.group_id;
 PrimaryTable: aws_vpc_security_group
 ListOfTables:
- - aws_vpc_security_group_rule
- - aws_vpc_security_group
+ - aws_vpc_security_group_rule
+ - aws_vpc_security_group
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v130_5_4.yaml b/compliance/controls/aws/aws_cis_v130_5_4.yaml
index b2c0ae6a8..249379c91 100755
--- a/compliance/controls/aws/aws_cis_v130_5_4.yaml
+++ b/compliance/controls/aws/aws_cis_v130_5_4.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v130_5_4
 Title: "5.4 Ensure routing tables for VPC peering are 'least access'"
 Description: "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_1.yaml b/compliance/controls/aws/aws_cis_v140_1_1.yaml
index e295093fd..c185ebce2 100755
--- a/compliance/controls/aws/aws_cis_v140_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_1.yaml
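Review bot: The new `QueryToExecute` collapses a readable `|-` block scalar into one double-quoted line with embedded `\n`, which is the opposite of the YAML convention for multi-line text and makes every future SQL change an unreviewable single-line diff (the quoted form also carries a `\n \n` sequence, i.e. a line consisting of one space, that a block scalar would have shown as an obviously blank line). The same rewrite appears in aws_cis_v140_1_1, 1_10, 1_11, 1_12, 1_14, 1_15, 1_18, 1_19, 1_2, 1_21, 1_3, 1_4, 1_5 and in 1_7, whose hunk runs past the end of this view. The other files in this diff keep `QueryToExecute: |-` and only touch the `Connector`/`IntegrationTypeName` keys, so I would revert these bodies to the block-scalar form and keep the metadata-only change. Separately, this file's `Title` is about VPC peering route tables while its `Description` describes the default security group, so one of the two is copied from the wrong control. In aws_cis_v140_1_7 the access-key branches use `<=` where the password branch uses `>=`, which reads as alarming on root keys last used more than 90 days ago rather than recently; worth re-checking once that hunk is reviewed in full.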
@@ -1,23 +1,14 @@
 ID: aws_cis_v140_1_1
 Title: "1.1 Maintain current contact details"
 Description: "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_10.yaml b/compliance/controls/aws/aws_cis_v140_1_10.yaml
index 4e8b03115..b4e6adf74 100755
--- a/compliance/controls/aws/aws_cis_v140_1_10.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_10.yaml
@@ -1,30 +1,14 @@
 ID: aws_cis_v140_1_10
 Title: "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"
 Description: "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when password_enabled and not mfa_active then 'alarm'
- else 'ok'
- end as status,
- case
- when not password_enabled then user_name || ' password login disabled.'
- when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.'
- else user_name || ' password login enabled and MFA device configured.'
- end as reason
-
- from
- aws_iam_credential_report;
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_enabled and not mfa_active then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then user_name || ' password login disabled.'\n when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.'\n else user_name || ' password login enabled and MFA device configured.'\n end as reason\n \nfrom\n aws_iam_credential_report;"
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_11.yaml b/compliance/controls/aws/aws_cis_v140_1_11.yaml
index ae60e4d4d..265fb9dda 100755
--- a/compliance/controls/aws/aws_cis_v140_1_11.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_11.yaml
@@ -1,33 +1,14 @@
 ID: aws_cis_v140_1_11
 Title: "1.11 Do not setup access keys during initial user setup for all IAM users that have a console password"
 Description: "AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- -- alarm when password is enabled and the key was created within 10 seconds of the user
- when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then 'alarm'
- else 'ok'
- end as status,
- case
- when not password_enabled then user_name || ' password login disabled.'
- when access_key_1_last_rotated is null then user_name || ' has no access keys.'
- when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10)
- then user_name || ' has access key created during user creation and password login enabled.'
- else user_name || ' has access key not created during user creation.'
- end as reason
-
- from
- aws_iam_credential_report;
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n -- alarm when password is enabled and the key was created within 10 seconds of the user\n when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then user_name || ' password login disabled.'\n when access_key_1_last_rotated is null then user_name || ' has no access keys.'\n when password_enabled and (extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10)\n then user_name || ' has access key created during user creation and password login enabled.'\n else user_name || ' has access key not created during user creation.'\n end as reason\n \nfrom\n aws_iam_credential_report;"
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_12.yaml b/compliance/controls/aws/aws_cis_v140_1_12.yaml
index 83baebaa0..40399ca7e 100755
--- a/compliance/controls/aws/aws_cis_v140_1_12.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_12.yaml
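Review bot: The status case in the new `QueryToExecute` only tests `access_key_1_last_rotated - user_creation_time`, so a key created in the credential report's second slot at user-creation time is reported `'ok'`; `access_key_2_last_rotated` is a column this same diff already reads in aws_cis_v140_1_12, so the check can be made symmetric. I would extend the alarm branch to `when password_enabled and ((extract(epoch from (access_key_1_last_rotated - user_creation_time)) < 10) or (extract(epoch from (access_key_2_last_rotated - user_creation_time)) < 10)) then 'alarm'` and mirror the same condition in the reason case, keeping the existing `is null` branch ahead of it. The hunk starts on the previous page line; the whole query is otherwise visible here.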
@@ -1,65 +1,14 @@
 ID: aws_cis_v140_1_12
 Title: "1.12 Ensure credentials unused for 45 days or greater are disabled"
 Description: "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- --root_account will have always password associated even though AWS credential report returns 'not_supported' for password_enabled
- when user_name = ''
- then 'info'
- when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '45' day)
- then 'alarm'
- when password_enabled and password_last_used < (current_date - interval '45' day)
- then 'alarm'
- when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '45' day)
- then 'alarm'
- when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day)
- then 'alarm'
- when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '45' day)
- then 'alarm'
- when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day)
- then 'alarm'
- else 'ok'
- end status,
- user_name ||
- case
- when not password_enabled
- then ' password not enabled,'
- when password_enabled and password_last_used is null
- then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,'
- else
- ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ','
- end ||
- case
- when not access_key_1_active
- then ' key 1 not enabled,'
- when access_key_1_active and access_key_1_last_used_date is null
- then ' key 1 created ' || to_char(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,'
- else
- ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ','
- end ||
- case
- when not access_key_2_active
- then ' key 2 not enabled.'
- when access_key_2_active and access_key_2_last_used_date is null
- then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.'
- else
- ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.'
- end
- as reason
-
- from
- aws_iam_credential_report;
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n --root_account will have always password associated even though AWS credential report returns 'not_supported' for password_enabled\n when user_name = ''\n then 'info'\n when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '45' day)\n then 'alarm'\n when password_enabled and password_last_used < (current_date - interval '45' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '45' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '45' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day)\n then 'alarm'\n else 'ok'\n end status,\n user_name ||\n case\n when not password_enabled\n then ' password not enabled,'\n when password_enabled and password_last_used is null\n then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,'\n else\n ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_1_active\n then ' key 1 not enabled,'\n when access_key_1_active and access_key_1_last_used_date is null\n then ' key 1 created ' || to_char(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,'\n else\n ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_2_active\n then ' key 2 not enabled.'\n when access_key_2_active and access_key_2_last_used_date is null\n then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.'\n else\n ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.'\n end\n as reason\n \nfrom\n aws_iam_credential_report;"
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_13.yaml b/compliance/controls/aws/aws_cis_v140_1_13.yaml
index dc0abc6cc..e6147bede 100755
--- a/compliance/controls/aws/aws_cis_v140_1_13.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_13.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v140_1_13
 Title: "1.13 Ensure there is only one active access key available for any single IAM user"
 Description: "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -30,8 +28,10 @@ Query:
 u.og_resource_id;
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
- - aws_iam_access_key
+ - aws_iam_user
+ - aws_iam_access_key
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_14.yaml b/compliance/controls/aws/aws_cis_v140_1_14.yaml
index 68b949372..51bf033bd 100755
--- a/compliance/controls/aws/aws_cis_v140_1_14.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_14.yaml
@@ -1,28 +1,14 @@
 ID: aws_cis_v140_1_14
 Title: "1.14 Ensure access keys are rotated every 90 days or less"
 Description: "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when create_date <= (current_date - interval '90' day) then 'alarm'
- else 'ok'
- end status,
- user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||
- ' (' || extract(day from current_timestamp - create_date) || ' days).'
- as reason
-
- from
- aws_iam_access_key;
+ QueryToExecute: "select\n 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end status,\n user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||\n ' (' || extract(day from current_timestamp - create_date) || ' days).'\n as reason\n \nfrom\n aws_iam_access_key;"
 PrimaryTable: aws_iam_access_key
 ListOfTables:
- - aws_iam_access_key
+ - aws_iam_access_key
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_15.yaml b/compliance/controls/aws/aws_cis_v140_1_15.yaml
index de6431ba8..646e00f67 100755
--- a/compliance/controls/aws/aws_cis_v140_1_15.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_15.yaml
@@ -1,28 +1,14 @@
 ID: aws_cis_v140_1_15
 Title: "1.15 Ensure IAM Users Receive Permissions Only Through Groups"
 Description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when inline_policies is null and attached_policy_arns is null then 'ok'
- else 'alarm'
- end status,
- name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' ||
- coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason
-
-
- from
- aws_iam_user;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when inline_policies is null and attached_policy_arns is null then 'ok'\n else 'alarm'\n end status,\n name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' ||\n coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason\n \n \nfrom\n aws_iam_user;"
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_16.yaml b/compliance/controls/aws/aws_cis_v140_1_16.yaml
index d8b43a0ba..e03178f1b 100755
--- a/compliance/controls/aws/aws_cis_v140_1_16.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_16.yaml
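Review bot: The status branch in the new `QueryToExecute` tests `inline_policies is null and attached_policy_arns is null`, while the reason text guards the same columns with `coalesce(jsonb_array_length(...),0)`, which only makes sense if they can also hold an empty JSON array; an empty array is not null, so such a user would be reported `'alarm'` with the reason "has 0 inline and 0 directly attached policies". If empty arrays do occur in these columns (I cannot confirm that from the diff), the two expressions should agree: `when coalesce(jsonb_array_length(inline_policies),0) = 0 and coalesce(jsonb_array_length(attached_policy_arns),0) = 0 then 'ok'`. The hunk starts on the previous page line; the query itself is fully visible here.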
@@ -1,8 +1,6 @@
 ID: aws_cis_v140_1_16
 Title: "1.16 Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not attached"
 Description: "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -49,7 +47,9 @@ Query:
 p.is_attached;
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
+ - aws_iam_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_17.yaml b/compliance/controls/aws/aws_cis_v140_1_17.yaml
index fd0250ed5..02c7f250a 100755
--- a/compliance/controls/aws/aws_cis_v140_1_17.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_17.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v140_1_17
 Title: "1.17 Ensure a support role has been created to manage incidents with AWS Support"
 Description: "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -47,8 +45,10 @@ Query:
 support_role_count;
 PrimaryTable: aws_iam_role
 ListOfTables:
- - aws_account
- - aws_iam_role
+ - aws_account
+ - aws_iam_role
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_18.yaml b/compliance/controls/aws/aws_cis_v140_1_18.yaml
index 859a97b13..2848beae9 100755
--- a/compliance/controls/aws/aws_cis_v140_1_18.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_18.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v140_1_18
 Title: "1.18 Ensure IAM instance roles are used for AWS resource access from instances"
 Description: "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \\\"AWS Access\\\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_19.yaml b/compliance/controls/aws/aws_cis_v140_1_19.yaml
index 514a26858..5ffae0ec6 100755
--- a/compliance/controls/aws/aws_cis_v140_1_19.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_19.yaml
@@ -1,30 +1,14 @@
 ID: aws_cis_v140_1_19
 Title: "1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed"
 Description: "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case when expiration < (current_date - interval '1' second) then 'alarm'
- else 'ok'
- end as status,
- case when expiration < (current_date - interval '1' second) then
- name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.'
- else
- name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.'
- end as reason
-
-
- from
- aws_iam_server_certificate;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case when expiration < (current_date - interval '1' second) then 'alarm'\n else 'ok'\n end as status,\n case when expiration < (current_date - interval '1' second) then\n name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n else\n name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n end as reason\n \n \nfrom\n aws_iam_server_certificate;"
 PrimaryTable: aws_iam_server_certificate
 ListOfTables:
- - aws_iam_server_certificate
+ - aws_iam_server_certificate
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_2.yaml b/compliance/controls/aws/aws_cis_v140_1_2.yaml
index fd938ed12..654c98420 100755
--- a/compliance/controls/aws/aws_cis_v140_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_2.yaml
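Review bot: Both `expiration < (current_date - interval '1' second)` tests in the new `QueryToExecute` compare against the last second of the previous day, so a certificate that expired earlier today is still reported `'ok'` until the date rolls over. The query already treats `expiration` as a timestamp (it is formatted with `to_char`), and `current_timestamp` is used by aws_cis_v140_1_14 in this same diff, so `expiration < current_timestamp` in both the status and reason branches would flag expiry as soon as it occurs. The hunk starts on the previous page line; the query itself is fully visible here.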
@@ -1,57 +1,15 @@
 ID: aws_cis_v140_1_2
 Title: "1.2 Ensure security contact information is registered"
 Description: "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with alternate_security_contact as (
- select
- name,
- account_id
- from
- aws_account_alternate_contact
- where
- contact_type = 'SECURITY'
- ),
- account as (
- select
- arn,
- partition,
- title,
- account_id,
- _ctx,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id
- from
- aws_account
- )
- select
- arn as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when a.partition = 'aws-us-gov' then 'info'
- -- Name is a required field if setting a security contact
- when c.name is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'
- when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'
- else a.title || ' security contact not registered.'
- end as reason
-
- from
- account as a,
- alternate_security_contact as c
- where
- c.account_id = a.account_id;
+ QueryToExecute: "with alternate_security_contact as (\n select\n name,\n account_id\n from\n aws_account_alternate_contact\n where\n contact_type = 'SECURITY'\n),\naccount as (\n select\n arn,\n partition,\n title,\n account_id,\n _ctx,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id\n from\n aws_account\n)\nselect\n arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.partition = 'aws-us-gov' then 'info'\n -- Name is a required field if setting a security contact\n when c.name is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'\n when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'\n else a.title || ' security contact not registered.'\n end as reason\n \nfrom\n account as a,\n alternate_security_contact as c\nwhere\n c.account_id = a.account_id;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account_alternate_contact
- - aws_account
+ - aws_account_alternate_contact
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_20.yaml b/compliance/controls/aws/aws_cis_v140_1_20.yaml
index 6e5e6981d..1cab4d435 100755
--- a/compliance/controls/aws/aws_cis_v140_1_20.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_20.yaml
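Review bot: The `from account as a, alternate_security_contact as c where c.account_id = a.account_id` at the end of the new `QueryToExecute` is an inner join, so an account with no `SECURITY` alternate contact has no row in the CTE and disappears from the result entirely; the `else 'alarm'` / `' security contact not registered.'` branches can therefore never fire, which is exactly the finding this control exists to produce. The join should be `from account as a left join alternate_security_contact as c on c.account_id = a.account_id` (the `where` clause then goes away), at which point `c.name is null` correctly yields `'alarm'`. The `_ctx` column selected in the `account` CTE is never referenced afterwards and can be dropped. The hunk starts on the previous page line; the query itself is fully visible here.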
@@ -1,8 +1,6 @@
 ID: aws_cis_v140_1_20
 Title: "1.20 Ensure that IAM Access analyzer is enabled for all regions"
 Description: "Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region;
 PrimaryTable: aws_region
 ListOfTables:
- - aws_region
- - aws_accessanalyzer_analyzer
+ - aws_region
+ - aws_accessanalyzer_analyzer
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_21.yaml b/compliance/controls/aws/aws_cis_v140_1_21.yaml
index 9da3098e0..e7db6987e 100755
--- a/compliance/controls/aws/aws_cis_v140_1_21.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_21.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v140_1_21
 Title: "1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments"
 Description: "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_3.yaml b/compliance/controls/aws/aws_cis_v140_1_3.yaml
index 468771a70..6d05f1158 100755
--- a/compliance/controls/aws/aws_cis_v140_1_3.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_3.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v140_1_3
 Title: "1.3 Ensure security questions are registered in the AWS account"
 Description: "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_4.yaml b/compliance/controls/aws/aws_cis_v140_1_4.yaml
index d16a8fa03..efcf3bab9 100755
--- a/compliance/controls/aws/aws_cis_v140_1_4.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_4.yaml
@@ -1,29 +1,14 @@
 ID: aws_cis_v140_1_4
 Title: "1.4 Ensure no 'root' user account access key exists"
 Description: "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when account_access_keys_present > 0 then 'alarm'
- else 'ok'
- end status,
- case
- when account_access_keys_present > 0 then 'Root user access keys exist.'
- else 'No root user access keys exist.'
- end reason
-
- from
- aws_iam_account_summary;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_access_keys_present > 0 then 'alarm'\n else 'ok'\n end status,\n case\n when account_access_keys_present > 0 then 'Root user access keys exist.'\n else 'No root user access keys exist.'\n end reason\n \nfrom\n aws_iam_account_summary;"
 PrimaryTable: aws_iam_account_summary
 ListOfTables:
- - aws_iam_account_summary
+ - aws_iam_account_summary
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_1_5.yaml b/compliance/controls/aws/aws_cis_v140_1_5.yaml
index 5a4d99397..2c66cd989 100755
--- a/compliance/controls/aws/aws_cis_v140_1_5.yaml
+++ b/compliance/controls/aws/aws_cis_v140_1_5.yaml
@@ -1,29 +1,14 @@ ID: aws_cis_v140_1_5 Title: "1.5 Ensure MFA is enabled for the 'root' user account" Description: "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when account_mfa_enabled then 'ok' - else 'alarm' - end status, - case - when account_mfa_enabled then 'MFA enabled for root account.' - else 'MFA not enabled for root account.' - end reason - - from - aws_iam_account_summary; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_mfa_enabled then 'ok'\n else 'alarm'\n end status,\n case\n when account_mfa_enabled then 'MFA enabled for root account.'\n else 'MFA not enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary;" PrimaryTable: aws_iam_account_summary ListOfTables: - - aws_iam_account_summary + - aws_iam_account_summary Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_1_7.yaml b/compliance/controls/aws/aws_cis_v140_1_7.yaml index 1fd0000bf..7efc29ac3 100755 --- a/compliance/controls/aws/aws_cis_v140_1_7.yaml +++ b/compliance/controls/aws/aws_cis_v140_1_7.yaml 
@@ -1,41 +1,14 @@ ID: aws_cis_v140_1_7 Title: "1.7 Eliminate use of the 'root' user for administrative and daily tasks" Description: "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - user_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when password_last_used >= (current_date - interval '90' day) then 'alarm' - when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm' - when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm' - else 'ok' - end as status, - case - when password_last_used is null then 'Root never logged in with password.' - else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).' - end || - case - when access_key_1_last_used_date is null then ' Access Key 1 never used.' - else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).' - end || - case - when access_key_2_last_used_date is null then ' Access Key 2 never used.' - else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).' 
- end as reason - - from - aws_iam_credential_report - where - user_name = ''; + QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_last_used >= (current_date - interval '90' day) then 'alarm'\n when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm'\n when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end as status,\n case\n when password_last_used is null then 'Root never logged in with password.'\n else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).'\n end ||\n case\n when access_key_1_last_used_date is null then ' Access Key 1 never used.'\n else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).'\n end ||\n case\n when access_key_2_last_used_date is null then ' Access Key 2 never used.'\n else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).'\n end as reason\n \nfrom\n aws_iam_credential_report\nwhere\n user_name = '';" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_2_1_1.yaml b/compliance/controls/aws/aws_cis_v140_2_1_1.yaml index c6fc84a9b..7f1b1a35a 100755 --- a/compliance/controls/aws/aws_cis_v140_2_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_1_1.yaml 
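Review bot: In the status expression the two access-key branches compare with `<=` while the password branch uses `>=`, so a root access key last used more than 90 days ago raises an alarm and one used yesterday does not; for a control meant to catch recent root usage both key branches presumably want `when access_key_1_last_used_date >= (current_date - interval '90' day) then 'alarm'` and the same for `access_key_2_last_used_date`. The `where user_name = ''` predicate also looks suspect: the AWS credential report identifies the root row with a non-empty sentinel (`<root_account>`), and if the aws_iam_credential_report table follows that convention this filter matches no rows and the control silently never alarms, so the sentinel should be confirmed against the table. Both issues appear to predate this commit but are carried into the new quoted string unchanged.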
@@ -1,30 +1,14 @@ ID: aws_cis_v140_2_1_1 Title: "2.1.1 Ensure all S3 buckets employ encryption-at-rest" Description: "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when server_side_encryption_configuration is not null then 'ok' - else 'alarm' - end status, - case - when server_side_encryption_configuration is not null then name || ' default encryption enabled.' - else name || ' default encryption disabled.' - end reason - - - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when server_side_encryption_configuration is not null then 'ok'\n else 'alarm'\n end status,\n case\n when server_side_encryption_configuration is not null then name || ' default encryption enabled.'\n else name || ' default encryption disabled.'\n end reason\n \n \nfrom\n aws_s3_bucket;" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_2_1_2.yaml b/compliance/controls/aws/aws_cis_v140_2_1_2.yaml index 770978e8e..b94aeb365 100755 --- a/compliance/controls/aws/aws_cis_v140_2_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_1_2.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_2_1_2 Title: "2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests" Description: "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,7 +23,7 @@ Query: and s ->> 'Effect' = 'Deny' and ssl :: bool = false ) - + select b.arn as resource, b.og_account_id as og_account_id, 
@@ -43,7 +41,9 @@ Query: left join ssl_ok as ok on ok.name = b.name; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_2_1_3.yaml b/compliance/controls/aws/aws_cis_v140_2_1_3.yaml index e07355207..e9181311c 100755 --- a/compliance/controls/aws/aws_cis_v140_2_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_1_3.yaml @@ -1,30 +1,14 @@ ID: aws_cis_v140_2_1_3 Title: "2.1.3 Ensure MFA Delete is enabled on S3 buckets" Description: "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when versioning_mfa_delete then 'ok' - else 'alarm' - end as status, - case - when versioning_mfa_delete then name || ' MFA delete enabled.' - else name || ' MFA delete disabled.' - end as reason - - - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when versioning_mfa_delete then 'ok'\n else 'alarm'\n end as status,\n case\n when versioning_mfa_delete then name || ' MFA delete enabled.'\n else name || ' MFA delete disabled.'\n end as reason\n \n \nfrom\n aws_s3_bucket;" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_2_1_4.yaml b/compliance/controls/aws/aws_cis_v140_2_1_4.yaml index 4bc0eaef9..eb54475c4 100755 --- a/compliance/controls/aws/aws_cis_v140_2_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_1_4.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v140_2_1_4 Title: "2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required" Description: "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -33,8 +31,10 @@ Query: left join bucket_list as l on b.name = l.bucket_name; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_macie2_classification_job - - aws_s3_bucket + - aws_macie2_classification_job + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_2_2_1.yaml b/compliance/controls/aws/aws_cis_v140_2_2_1.yaml index 9a4c1ce3b..103cbddaa 100755 --- a/compliance/controls/aws/aws_cis_v140_2_2_1.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_2_1.yaml 
@@ -1,30 +1,14 @@ ID: aws_cis_v140_2_2_1 Title: "2.2.1 Ensure EBS volume encryption is enabled" Description: "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encrypted then 'ok' - else 'alarm' - end as status, - case - when encrypted then volume_id || ' encrypted.' - else volume_id || ' not encrypted.' - end as reason - - - from - aws_ebs_volume; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then volume_id || ' encrypted.'\n else volume_id || ' not encrypted.'\n end as reason\n \n \nfrom\n aws_ebs_volume;" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_2_3_1.yaml b/compliance/controls/aws/aws_cis_v140_2_3_1.yaml index 7e3416811..f23da5a96 100755 --- a/compliance/controls/aws/aws_cis_v140_2_3_1.yaml +++ b/compliance/controls/aws/aws_cis_v140_2_3_1.yaml 
@@ -1,30 +1,14 @@ ID: aws_cis_v140_2_3_1 Title: "2.3.1 Ensure that encryption is enabled for RDS Instances" Description: "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_rds_db_instance;" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_3_10.yaml b/compliance/controls/aws/aws_cis_v140_3_10.yaml index a41ae253c..c4c36a50b 100755 --- a/compliance/controls/aws/aws_cis_v140_3_10.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_10.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v140_3_10 Title: "3.10 Ensure that Object-level logging for write events is enabled for S3 bucket" Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -48,8 +46,10 @@ Query: b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_3_11.yaml b/compliance/controls/aws/aws_cis_v140_3_11.yaml index 6a270fd81..b1bc69d54 100755 --- a/compliance/controls/aws/aws_cis_v140_3_11.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_11.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_3_11 Title: "3.11 Ensure that Object-level logging for read events is enabled for S3 bucket" Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -48,8 +46,10 @@ Query: b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_3_2.yaml b/compliance/controls/aws/aws_cis_v140_3_2.yaml index 5065a4035..4ed7e8fe5 100755 --- a/compliance/controls/aws/aws_cis_v140_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_2.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v140_3_2 Title: "3.2 Ensure CloudTrail log file validation is enabled" Description: "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: region = home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_3_3.yaml b/compliance/controls/aws/aws_cis_v140_3_3.yaml index c54655f61..78e784288 100755 --- a/compliance/controls/aws/aws_cis_v140_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_3.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_3_3 Title: "3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible" Description: "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -58,13 +56,15 @@ Query: when anon_statements > 0 then name || ' grants access to AWS:*" in bucket policy.' else name || ' does not grant anonymous access in ACL or bucket policy.' end as reason - + from public_bucket_data; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_v140_3_4.yaml b/compliance/controls/aws/aws_cis_v140_3_4.yaml index b4517a1a5..ee653572c 100755 --- a/compliance/controls/aws/aws_cis_v140_3_4.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_4.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_3_4 Title: "3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs" Description: "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: region = home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_3_5.yaml b/compliance/controls/aws/aws_cis_v140_3_5.yaml index 183ed9656..17b4b7d64 100755 --- a/compliance/controls/aws/aws_cis_v140_3_5.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_5.yaml 
@@ -1,71 +1,15 @@ ID: aws_cis_v140_3_5 Title: "3.5 Ensure AWS Config is enabled in all regions" Description: "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - -- pgFormatter-ignore - -- Get count for any region with all matching criteria - with global_recorders as ( - select - count(*) as global_config_recorders - from - aws_config_configuration_recorder - where - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - and recording_group -> 'AllSupported' = 'true' - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - ) - select - 'arn:aws::' || a.region || ':' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- When any of the region satisfies with above CTE - -- In left join of table, regions now having - -- 'Recording' and 'LastStatus' matching criteria can be considered as OK - when - g.global_config_recorders >= 1 - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - then 'ok' - -- Skip any regions that are disabled in the account. - when a.opt_in_status = 'not-opted-in' then 'skip' - else 'alarm' - end as status, - -- Below cases are for citing respective reasons for control state - case - when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' 
- else - case - when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,' - else a.region || ' IncludeGlobalResourceTypes disabled,' - end || - case - when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,' - else ' AllSupported disabled,' - end || - case - when status ->> 'Recording' = 'true' then ' Recording enabled' - else ' Recording disabled' - end || - case - when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.' - else ' and LastStatus is not SUCCESS.' - end - end as reason - - from - global_recorders as g, - aws_region as a - left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name; + QueryToExecute: "-- pgFormatter-ignore\n-- Get count for any region with all matching criteria\nwith global_recorders as (\n select\n count(*) as global_config_recorders\n from\n aws_config_configuration_recorder\n where\n recording_group -> 'IncludeGlobalResourceTypes' = 'true'\n and recording_group -> 'AllSupported' = 'true'\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n)\nselect\n 'arn:aws::' || a.region || ':' || a.account_id as resource,\na.og_account_id as og_account_id,\na.og_resource_id as og_resource_id,\n case\n -- When any of the region satisfies with above CTE\n -- In left join of table, regions now having\n -- 'Recording' and 'LastStatus' matching criteria can be considered as OK\n when\n g.global_config_recorders >= 1\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n then 'ok'\n -- Skip any regions that are disabled in the account.\n when a.opt_in_status = 'not-opted-in' then 'skip'\n else 'alarm'\n end as status,\n -- Below cases are for citing respective reasons for control state\n case\n when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'\n else\n case\n when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then 
a.region || ' IncludeGlobalResourceTypes enabled,'\n else a.region || ' IncludeGlobalResourceTypes disabled,'\n end ||\n case\n when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'\n else ' AllSupported disabled,'\n end ||\n case\n when status ->> 'Recording' = 'true' then ' Recording enabled'\n else ' Recording disabled'\n end ||\n case\n when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'\n else ' and LastStatus is not SUCCESS.'\n end\n end as reason\n \nfrom\n global_recorders as g,\n aws_region as a\n left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;" PrimaryTable: aws_region ListOfTables: - - aws_config_configuration_recorder - - aws_region + - aws_config_configuration_recorder + - aws_region Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_3_6.yaml b/compliance/controls/aws/aws_cis_v140_3_6.yaml index 973f93d79..087d5f9f5 100755 --- a/compliance/controls/aws/aws_cis_v140_3_6.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_6.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_3_6 Title: "3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket" Description: "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: t.region = t.home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_v140_3_7.yaml b/compliance/controls/aws/aws_cis_v140_3_7.yaml index c60f3e8a3..9d6976e23 100755 --- a/compliance/controls/aws/aws_cis_v140_3_7.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_7.yaml @@ -1,32 +1,14 @@ ID: aws_cis_v140_3_7 Title: "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs" Description: "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when kms_key_id is null then 'alarm' - else 'ok' - end as status, - case - when kms_key_id is null then title || ' logs are not encrypted at rest.' - else title || ' logs are encrypted at rest.' - end as reason - - - from - aws_cloudtrail_trail - where - region = home_region; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_key_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_key_id is null then title || ' logs are not encrypted at rest.'\n else title || ' logs are encrypted at rest.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_v140_3_8.yaml b/compliance/controls/aws/aws_cis_v140_3_8.yaml index 03c15e26f..aee86b467 100755 --- a/compliance/controls/aws/aws_cis_v140_3_8.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_8.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_3_8 Title: "3.8 Ensure rotation for customer created CMKs is enabled" Description: "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -30,7 +28,9 @@ Query: key_manager = 'CUSTOMER'; PrimaryTable: aws_kms_key ListOfTables: - - aws_kms_key + - aws_kms_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_3_9.yaml b/compliance/controls/aws/aws_cis_v140_3_9.yaml index 96714961c..3291cdcca 100755 --- a/compliance/controls/aws/aws_cis_v140_3_9.yaml +++ b/compliance/controls/aws/aws_cis_v140_3_9.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_3_9 Title: "3.9 Ensure VPC flow logging is enabled in all VPCs" Description: "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \\\"Rejects\\\" for VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
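Review bot: The Description of aws_cis_v140_3_9 carries `\\\"Rejects\\\"` inside a double-quoted YAML scalar, which parses to literal backslashes in the rendered text (`packet \"Rejects\"`); this looks like a double-escaping artifact rather than the intended value. The same pattern appears in the Title of aws_cis_v140_5_4 (`\\\"least access\\\"`). Writing `packet \"Rejects\"` (a single backslash per quote) yields the intended quotation marks. These are context lines in this hunk, so the commit leaves them as they were.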
@@ -51,8 +49,10 @@ Query: left join flowlogs as f on v.vpc_id = f.resource_id; PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_flow_log + - aws_vpc + - aws_vpc_flow_log Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_4_14.yaml b/compliance/controls/aws/aws_cis_v140_4_14.yaml index 63388b9a3..35cab8559 100755 --- a/compliance/controls/aws/aws_cis_v140_4_14.yaml +++ b/compliance/controls/aws/aws_cis_v140_4_14.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_4_14 Title: "4.14 Ensure a log metric filter and alarm exist for VPC changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_4_5.yaml b/compliance/controls/aws/aws_cis_v140_4_5.yaml index 1824f65ff..fe3d20e4c 100755 --- a/compliance/controls/aws/aws_cis_v140_4_5.yaml +++ b/compliance/controls/aws/aws_cis_v140_4_5.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v140_4_5 Title: "4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_4_7.yaml b/compliance/controls/aws/aws_cis_v140_4_7.yaml index df00050a0..42cff988d 100755 --- a/compliance/controls/aws/aws_cis_v140_4_7.yaml +++ b/compliance/controls/aws/aws_cis_v140_4_7.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_4_7 Title: "4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_4_8.yaml b/compliance/controls/aws/aws_cis_v140_4_8.yaml index 1ea16b055..ce04bdc7d 100755 --- a/compliance/controls/aws/aws_cis_v140_4_8.yaml +++ b/compliance/controls/aws/aws_cis_v140_4_8.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v140_4_8 Title: "4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v140_5_1.yaml b/compliance/controls/aws/aws_cis_v140_5_1.yaml index 1e192b417..181a3c74a 100755 --- a/compliance/controls/aws/aws_cis_v140_5_1.yaml +++ b/compliance/controls/aws/aws_cis_v140_5_1.yaml 
@@ -1,8 +1,6 @@
 ID: aws_cis_v140_5_1
 Title: "5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports"
 Description: "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -81,7 +79,9 @@ Query:
 left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id;
 PrimaryTable: aws_vpc_network_acl
 ListOfTables:
- - aws_vpc_network_acl
+ - aws_vpc_network_acl
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_5_2.yaml b/compliance/controls/aws/aws_cis_v140_5_2.yaml
index c3fcc9f92..e05dca1f2 100755
--- a/compliance/controls/aws/aws_cis_v140_5_2.yaml
+++ b/compliance/controls/aws/aws_cis_v140_5_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v140_5_2
 Title: "5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports"
 Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -51,8 +49,10 @@ Query:
 left join bad_rules on bad_rules.group_id = sg.group_id;
 PrimaryTable: aws_vpc_security_group
 ListOfTables:
- - aws_vpc_security_group_rule
- - aws_vpc_security_group
+ - aws_vpc_security_group_rule
+ - aws_vpc_security_group
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v140_5_4.yaml b/compliance/controls/aws/aws_cis_v140_5_4.yaml
index cf388e4c2..7dcaf3599 100755
--- a/compliance/controls/aws/aws_cis_v140_5_4.yaml
+++ b/compliance/controls/aws/aws_cis_v140_5_4.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v140_5_4
 Title: "5.4 Ensure routing tables for VPC peering are \\\"least access\\\""
 Description: "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_1.yaml b/compliance/controls/aws/aws_cis_v150_1_1.yaml
index 0fa6b9749..3b6be1bdd 100755
--- a/compliance/controls/aws/aws_cis_v150_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_1.yaml
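Review bot: Replacing the `QueryToExecute: |-` block scalar with a single double-quoted line full of `\n` escapes makes the SQL unreadable in the file and turns every future edit to the query into a one-line diff; the same conversion appears in the hunks for aws_cis_v150_1_1, aws_cis_v150_1_12, aws_cis_v150_1_14, aws_cis_v150_1_17, aws_cis_v150_1_18, aws_cis_v150_1_19, aws_cis_v150_1_21, aws_cis_v150_1_3, aws_cis_v150_1_4, aws_cis_v150_1_5 and aws_cis_v150_1_7. The other control files in this diff keep `QueryToExecute: |-`, so the quoted form is also inconsistent with the rest of the set; if it came from a serializer round-trip rather than an intended change, restoring the block scalar (`QueryToExecute: |-` followed by the indented SQL lines) is the fix. Note that the escaped string also preserves a space-only line (`as reason\n \nfrom`) that the block form showed as a blank line; it is harmless to the SQL but is now easy to miss.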
@@ -1,23 +1,14 @@
 ID: aws_cis_v150_1_1
 Title: "1.1 Maintain current contact details"
 Description: "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_10.yaml b/compliance/controls/aws/aws_cis_v150_1_10.yaml
index 0eee16e5d..696469062 100755
--- a/compliance/controls/aws/aws_cis_v150_1_10.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_10.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_1_10
 Title: "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"
 Description: "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,7 +21,9 @@ Query:
 aws_iam_credential_report;
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_11.yaml b/compliance/controls/aws/aws_cis_v150_1_11.yaml
index b168e6718..d2bbc481a 100755
--- a/compliance/controls/aws/aws_cis_v150_1_11.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_11.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_1_11
 Title: "1.11 Do not setup access keys during initial user setup for all IAM users that have a console password"
 Description: "AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,7 +24,9 @@ Query:
 aws_iam_credential_report;
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_12.yaml b/compliance/controls/aws/aws_cis_v150_1_12.yaml
index 0725a9d15..c452b29de 100755
--- a/compliance/controls/aws/aws_cis_v150_1_12.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_12.yaml
@@ -1,65 +1,14 @@
 ID: aws_cis_v150_1_12
 Title: "1.12 Ensure credentials unused for 45 days or greater are disabled"
 Description: "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- --root_account will have always password associated even though AWS credential report returns 'not_supported' for password_enabled
- when user_name = ''
- then 'info'
- when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '45' day)
- then 'alarm'
- when password_enabled and password_last_used < (current_date - interval '45' day)
- then 'alarm'
- when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '45' day)
- then 'alarm'
- when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day)
- then 'alarm'
- when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '45' day)
- then 'alarm'
- when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day)
- then 'alarm'
- else 'ok'
- end status,
- user_name ||
- case
- when not password_enabled
- then ' password not enabled,'
- when password_enabled and password_last_used is null
- then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,'
- else
- ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ','
- end ||
- case
- when not access_key_1_active
- then ' key 1 not enabled,'
- when access_key_1_active and access_key_1_last_used_date is null
- then ' key 1 created ' || to_char(access_key_1_last_rotated, 
'DD-Mon-YYYY') || ' never used,'
- else
- ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ','
- end ||
- case
- when not access_key_2_active
- then ' key 2 not enabled.'
- when access_key_2_active and access_key_2_last_used_date is null
- then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.'
- else
- ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.'
- end
- as reason
-
- from
- aws_iam_credential_report;
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n --root_account will have always password associated even though AWS credential report returns 'not_supported' for password_enabled\n when user_name = ''\n then 'info'\n when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '45' day)\n then 'alarm'\n when password_enabled and password_last_used < (current_date - interval '45' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '45' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '45' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day)\n then 'alarm'\n else 'ok'\n end status,\n user_name ||\n case\n when not password_enabled\n then ' password not enabled,'\n when password_enabled and password_last_used is null\n then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,'\n else\n ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_1_active\n then ' key 1 not enabled,'\n when access_key_1_active and 
access_key_1_last_used_date is null\n then ' key 1 created ' || to_char(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,'\n else\n ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_2_active\n then ' key 2 not enabled.'\n when access_key_2_active and access_key_2_last_used_date is null\n then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.'\n else\n ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.'\n end\n as reason\n \nfrom\n aws_iam_credential_report;"
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_13.yaml b/compliance/controls/aws/aws_cis_v150_1_13.yaml
index 03dd4aec2..638ed535a 100755
--- a/compliance/controls/aws/aws_cis_v150_1_13.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_13.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_1_13
 Title: "1.13 Ensure there is only one active access key available for any single IAM user"
 Description: "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -30,8 +28,10 @@ Query:
 u.og_resource_id;
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
- - aws_iam_access_key
+ - aws_iam_user
+ - aws_iam_access_key
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_14.yaml b/compliance/controls/aws/aws_cis_v150_1_14.yaml
index 14c63bf4d..207ad5c2d 100755
--- a/compliance/controls/aws/aws_cis_v150_1_14.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_14.yaml
@@ -1,28 +1,14 @@
 ID: aws_cis_v150_1_14
 Title: "1.14 Ensure access keys are rotated every 90 days or less"
 Description: "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when create_date <= (current_date - interval '90' day) then 'alarm'
- else 'ok'
- end status,
- user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||
- ' (' || extract(day from current_timestamp - create_date) || ' days).'
- as reason
-
- from
- aws_iam_access_key;
+ QueryToExecute: "select\n 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end status,\n user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||\n ' (' || extract(day from current_timestamp - create_date) || ' days).'\n as reason\n \nfrom\n aws_iam_access_key;"
 PrimaryTable: aws_iam_access_key
 ListOfTables:
- - aws_iam_access_key
+ - aws_iam_access_key
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_15.yaml b/compliance/controls/aws/aws_cis_v150_1_15.yaml
index 056bd9066..d9cbc7a51 100755
--- a/compliance/controls/aws/aws_cis_v150_1_15.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_15.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_1_15
 Title: "1.15 Ensure IAM Users Receive Permissions Only Through Groups"
 Description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -20,7 +18,9 @@ Query:
 aws_iam_user;
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_16.yaml b/compliance/controls/aws/aws_cis_v150_1_16.yaml
index ecd398fe4..6a0adf41e 100755
--- a/compliance/controls/aws/aws_cis_v150_1_16.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_16.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_1_16
 Title: "1.16 Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not attached"
 Description: "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -49,7 +47,9 @@ Query:
 p.is_attached;
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
+ - aws_iam_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_17.yaml b/compliance/controls/aws/aws_cis_v150_1_17.yaml
index 12d4c72ee..798caa0af 100755
--- a/compliance/controls/aws/aws_cis_v150_1_17.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_17.yaml
@@ -1,55 +1,15 @@
 ID: aws_cis_v150_1_17
 Title: "1.17 Ensure a support role has been created to manage incidents with AWS Support"
 Description: "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- -- pgFormatter-ignore
- with support_role_count as
- (
- select
- 'arn:' || a.partition || ':::' || a.account_id as resource,
- count(policy_arn),
- a.account_id,
- a._ctx,
- a.og_account_id,
- a.og_resource_id
- from
- aws_account as a
- left join aws_iam_role as r on r.account_id = a.account_id
- left join jsonb_array_elements_text(attached_policy_arns) as policy_arn on true
- where
- split_part(policy_arn, '/', 2) = 'AWSSupportAccess'
- or policy_arn is null
- group by
- a.account_id,
- a.partition,
- a._ctx,
- a.og_account_id,
- a.og_resource_id
- )
- select
- resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when count > 0 then 'ok'
- else 'alarm'
- end as status,
- case
- when count = 1 then 'AWSSupportAccess policy attached to 1 role.'
- when count > 1 then 'AWSSupportAccess policy attached to ' || count || ' roles.'
- else 'AWSSupportAccess policy not attached to any role.'
- end as reason
-
- from
- support_role_count;
+ QueryToExecute: "-- pgFormatter-ignore\nwith support_role_count as\n(\n select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n count(policy_arn),\n a.account_id,\n a._ctx,\n a.og_account_id,\n a.og_resource_id\n from\n aws_account as a\n left join aws_iam_role as r on r.account_id = a.account_id\n left join jsonb_array_elements_text(attached_policy_arns) as policy_arn on true\n where\n split_part(policy_arn, '/', 2) = 'AWSSupportAccess'\n or policy_arn is null\n group by\n a.account_id,\n a.partition,\n a._ctx,\n a.og_account_id,\n a.og_resource_id\n)\nselect\n resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when count > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count = 1 then 'AWSSupportAccess policy attached to 1 role.'\n when count > 1 then 'AWSSupportAccess policy attached to ' || count || ' roles.'\n else 'AWSSupportAccess policy not attached to any role.'\n end as reason\n \nfrom\n support_role_count;"
 PrimaryTable: aws_iam_role
 ListOfTables:
- - aws_account
- - aws_iam_role
+ - aws_account
+ - aws_iam_role
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_18.yaml b/compliance/controls/aws/aws_cis_v150_1_18.yaml
index 02f08d001..9944ee724 100755
--- a/compliance/controls/aws/aws_cis_v150_1_18.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_18.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v150_1_18
 Title: "1.18 Ensure IAM instance roles are used for AWS resource access from instances"
 Description: "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \\\"AWS Access\\\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_19.yaml b/compliance/controls/aws/aws_cis_v150_1_19.yaml
index b1660c284..2552c3be5 100755
--- a/compliance/controls/aws/aws_cis_v150_1_19.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_19.yaml
@@ -1,30 +1,14 @@
 ID: aws_cis_v150_1_19
 Title: "1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed"
 Description: "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case when expiration < (current_date - interval '1' second) then 'alarm'
- else 'ok'
- end as status,
- case when expiration < (current_date - interval '1' second) then
- name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.'
- else
- name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.'
- end as reason
-
-
- from
- aws_iam_server_certificate;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case when expiration < (current_date - interval '1' second) then 'alarm'\n else 'ok'\n end as status,\n case when expiration < (current_date - interval '1' second) then\n name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n else\n name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n end as reason\n \n \nfrom\n aws_iam_server_certificate;"
 PrimaryTable: aws_iam_server_certificate
 ListOfTables:
- - aws_iam_server_certificate
+ - aws_iam_server_certificate
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_2.yaml b/compliance/controls/aws/aws_cis_v150_1_2.yaml
index fc112ac29..bc3efd182 100755
--- a/compliance/controls/aws/aws_cis_v150_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_1_2
 Title: "1.2 Ensure security contact information is registered"
 Description: "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -49,8 +47,10 @@ Query:
 c.account_id = a.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_account_alternate_contact
+ - aws_account
+ - aws_account_alternate_contact
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_21.yaml b/compliance/controls/aws/aws_cis_v150_1_21.yaml
index ddebecbab..57810b9f8 100755
--- a/compliance/controls/aws/aws_cis_v150_1_21.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_21.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v150_1_21
 Title: "1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments"
 Description: "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_3.yaml b/compliance/controls/aws/aws_cis_v150_1_3.yaml
index ea947ccf0..932350a26 100755
--- a/compliance/controls/aws/aws_cis_v150_1_3.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_3.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v150_1_3
 Title: "1.3 Ensure security questions are registered in the AWS account"
 Description: "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_4.yaml b/compliance/controls/aws/aws_cis_v150_1_4.yaml
index 099ba2bed..5b9c1a741 100755
--- a/compliance/controls/aws/aws_cis_v150_1_4.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_4.yaml
@@ -1,29 +1,14 @@
 ID: aws_cis_v150_1_4
 Title: "1.4 Ensure no 'root' user account access key exists"
 Description: "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when account_access_keys_present > 0 then 'alarm'
- else 'ok'
- end status,
- case
- when account_access_keys_present > 0 then 'Root user access keys exist.'
- else 'No root user access keys exist.'
- end reason
-
- from
- aws_iam_account_summary;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_access_keys_present > 0 then 'alarm'\n else 'ok'\n end status,\n case\n when account_access_keys_present > 0 then 'Root user access keys exist.'\n else 'No root user access keys exist.'\n end reason\n \nfrom\n aws_iam_account_summary;"
 PrimaryTable: aws_iam_account_summary
 ListOfTables:
- - aws_iam_account_summary
+ - aws_iam_account_summary
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_5.yaml b/compliance/controls/aws/aws_cis_v150_1_5.yaml
index c0239200b..c9e85a7a2 100755
--- a/compliance/controls/aws/aws_cis_v150_1_5.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_5.yaml
@@ -1,29 +1,14 @@
 ID: aws_cis_v150_1_5
 Title: "1.5 Ensure MFA is enabled for the 'root' user account"
 Description: "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when account_mfa_enabled then 'ok'
- else 'alarm'
- end status,
- case
- when account_mfa_enabled then 'MFA enabled for root account.'
- else 'MFA not enabled for root account.'
- end reason
-
- from
- aws_iam_account_summary;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_mfa_enabled then 'ok'\n else 'alarm'\n end status,\n case\n when account_mfa_enabled then 'MFA enabled for root account.'\n else 'MFA not enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary;"
 PrimaryTable: aws_iam_account_summary
 ListOfTables:
- - aws_iam_account_summary
+ - aws_iam_account_summary
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_7.yaml b/compliance/controls/aws/aws_cis_v150_1_7.yaml
index e00ca5ca4..217c2e0dd 100755
--- a/compliance/controls/aws/aws_cis_v150_1_7.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_7.yaml
@@ -1,41 +1,14 @@
 ID: aws_cis_v150_1_7
 Title: "1.7 Eliminate use of the 'root' user for administrative and daily tasks"
 Description: "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when password_last_used >= (current_date - interval '90' day) then 'alarm'
- when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm'
- when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm'
- else 'ok'
- end as status,
- case
- when password_last_used is null then 'Root never logged in with password.'
- else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).'
- end ||
- case
- when access_key_1_last_used_date is null then ' Access Key 1 never used.'
- else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).'
- end ||
- case
- when access_key_2_last_used_date is null then ' Access Key 2 never used.'
- else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).'
- end as reason
-
- from
- aws_iam_credential_report
- where
- user_name = '';
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_last_used >= (current_date - interval '90' day) then 'alarm'\n when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm'\n when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end as status,\n case\n when password_last_used is null then 'Root never logged in with password.'\n else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).'\n end ||\n case\n when access_key_1_last_used_date is null then ' Access Key 1 never used.'\n else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).'\n end ||\n case\n when access_key_2_last_used_date is null then ' Access Key 2 never used.'\n else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).'\n end as reason\n \nfrom\n aws_iam_credential_report\nwhere\n user_name = '';"
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_1_8.yaml b/compliance/controls/aws/aws_cis_v150_1_8.yaml
index 04fd32957..5057bd2fc 100755
--- a/compliance/controls/aws/aws_cis_v150_1_8.yaml
+++ b/compliance/controls/aws/aws_cis_v150_1_8.yaml
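Review bot: In the rewritten `QueryToExecute` for aws_cis_v150_1_7 the two access-key branches compare with `<=` while the password branch compares with `>=`, so a root access key used within the last 90 days evaluates to `ok` and one last used more than 90 days ago evaluates to `alarm`, which is the opposite of the password logic in the same `case`. The commit only re-serializes this query, but since every line of it is touched here it is the natural place to fix it: `when access_key_1_last_used_date >= (current_date - interval '90' day) then 'alarm'` and the same for `access_key_2_last_used_date`. If the inverted comparison is deliberate, a SQL comment on those two lines explaining why would save the next reader the same double-take; worth confirming against the upstream control before changing.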
@@ -1,8 +1,6 @@ ID: aws_cis_v150_1_8 Title: "1.8 Ensure IAM password policy requires minimum length of 14 or greater" Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; PrimaryTable: aws_iam_account_password_policy ListOfTables: - - aws_account - - aws_iam_account_password_policy + - aws_account + - aws_iam_account_password_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_1_9.yaml b/compliance/controls/aws/aws_cis_v150_1_9.yaml index 5de1e9c48..de9716dcf 100755 --- a/compliance/controls/aws/aws_cis_v150_1_9.yaml +++ b/compliance/controls/aws/aws_cis_v150_1_9.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_1_9 Title: "1.9 Ensure IAM password policy prevents password reuse" Description: "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,8 +22,10 @@ Query: left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; PrimaryTable: aws_iam_account_password_policy ListOfTables: - - aws_account - - aws_iam_account_password_policy + - aws_account + - aws_iam_account_password_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_2_1_1.yaml b/compliance/controls/aws/aws_cis_v150_2_1_1.yaml index f627d1250..9fdea8b12 100755 --- a/compliance/controls/aws/aws_cis_v150_2_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_1_1.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v150_2_1_1 Title: "2.1.1 Ensure all S3 buckets employ encryption-at-rest" Description: "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_s3_bucket; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_2_1_2.yaml b/compliance/controls/aws/aws_cis_v150_2_1_2.yaml index eb1c137e7..977fd107b 100755 --- a/compliance/controls/aws/aws_cis_v150_2_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_1_2.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_2_1_2 Title: "2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests" Description: "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -42,7 +40,9 @@ Query: left join ssl_ok as ok on ok.name = b.name; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_2_1_3.yaml b/compliance/controls/aws/aws_cis_v150_2_1_3.yaml index f156b680a..eac833cc9 100755 --- a/compliance/controls/aws/aws_cis_v150_2_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_1_3.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_2_1_3 Title: "2.1.3 Ensure MFA Delete is enabled on S3 buckets" Description: "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_s3_bucket; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_2_1_4.yaml b/compliance/controls/aws/aws_cis_v150_2_1_4.yaml index d87a7f01d..a4b233e01 100755 --- a/compliance/controls/aws/aws_cis_v150_2_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_1_4.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_2_1_4 Title: "2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required" Description: "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -33,8 +31,10 @@ Query: left join bucket_list as l on b.name = l.bucket_name; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_macie2_classification_job - - aws_s3_bucket + - aws_macie2_classification_job + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_2_2_1.yaml b/compliance/controls/aws/aws_cis_v150_2_2_1.yaml index b083fb7b3..1f5e4cfbd 100755 --- a/compliance/controls/aws/aws_cis_v150_2_2_1.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_2_1.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_2_2_1 Title: "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions" Description: "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_ebs_volume; PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_2_3_1.yaml b/compliance/controls/aws/aws_cis_v150_2_3_1.yaml index b86427823..ab455cde6 100755 --- a/compliance/controls/aws/aws_cis_v150_2_3_1.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_3_1.yaml @@ -1,30 +1,14 @@ ID: aws_cis_v150_2_3_1 Title: "2.3.1 Ensure that encryption is enabled for RDS Instances" Description: "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_rds_db_instance;" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_2_3_2.yaml b/compliance/controls/aws/aws_cis_v150_2_3_2.yaml index 32628d7f2..6eb19974c 100755 
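Review bot: The rewrite of `QueryToExecute` from a `|-` block scalar into a single double-quoted line with embedded `\n` is a readability regression for a file whose entire value is that a reviewer can read the CASE logic; the original block form parses to the same string and should be kept. The quoted form also freezes stray trailing whitespace (`\n \n \nfrom`) into the SQL and forces every embedded quote to be escaped in future edits. If a tool round-trip produced this, configuring it to emit literal block scalars for multi-line strings would fix every file in this commit at once.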
--- a/compliance/controls/aws/aws_cis_v150_2_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_3_2.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_2_3_2 Title: "2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances" Description: "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_2_3_3.yaml b/compliance/controls/aws/aws_cis_v150_2_3_3.yaml index b7f977b93..d7533f3a0 100755 --- a/compliance/controls/aws/aws_cis_v150_2_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_3_3.yaml 
@@ -1,29 +1,14 @@ ID: aws_cis_v150_2_3_3 Title: "2.3.3 Ensure that public access is not given to RDS Instance" Description: "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when publicly_accessible then 'alarm' - else 'ok' - end status, - case - when publicly_accessible then title || ' publicly accessible.' - else title || ' not publicly accessible.' - end reason - - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when publicly_accessible then 'alarm'\n else 'ok'\n end status,\n case\n when publicly_accessible then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end reason\n \nfrom\n aws_rds_db_instance;" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_2_4_1.yaml b/compliance/controls/aws/aws_cis_v150_2_4_1.yaml index 1b57f9ddf..d8f5e770e 100755 --- a/compliance/controls/aws/aws_cis_v150_2_4_1.yaml +++ b/compliance/controls/aws/aws_cis_v150_2_4_1.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_2_4_1 Title: "2.4.1 Ensure that encryption is enabled for EFS file systems" Description: "EFS data should be encrypted at rest using AWS KMS (Key Management Service)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_efs_file_system; PrimaryTable: aws_efs_file_system ListOfTables: - - aws_efs_file_system + - aws_efs_file_system Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_3_10.yaml b/compliance/controls/aws/aws_cis_v150_3_10.yaml index f0cdaa57f..67c0c9a38 100755 --- a/compliance/controls/aws/aws_cis_v150_3_10.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_10.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_3_10 Title: "3.10 Ensure that Object-level logging for write events is enabled for S3 bucket" Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -48,8 +46,10 @@ Query: b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_3_11.yaml b/compliance/controls/aws/aws_cis_v150_3_11.yaml index a2cefeaa3..ef50f6280 100755 --- a/compliance/controls/aws/aws_cis_v150_3_11.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_11.yaml 
@@ -1,57 +1,15 @@ ID: aws_cis_v150_3_11 Title: "3.11 Ensure that Object-level logging for read events is enabled for S3 bucket" Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with s3_selectors as - ( - select - name as trail_name, - is_multi_region_trail, - bucket_selector - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as event_selector, - jsonb_array_elements(event_selector -> 'DataResources') as data_resource, - jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector - where - is_multi_region_trail - and data_resource ->> 'Type' = 'AWS::S3::Object' - and event_selector ->> 'ReadWriteType' in - ( - 'ReadOnly', - 'All' - ) - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when count(bucket_selector) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(bucket_selector) > 0 then b.name || ' object-level read events logging enabled.' - else b.name || ' object-level read events logging disabled.' 
- end as reason - - - from - aws_s3_bucket as b - left join - s3_selectors - on bucket_selector like (b.arn || '%') - or bucket_selector = 'arn:aws:s3' - group by - b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; + QueryToExecute: "with s3_selectors as\n(\n select\n name as trail_name,\n is_multi_region_trail,\n bucket_selector\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as event_selector,\n jsonb_array_elements(event_selector -> 'DataResources') as data_resource,\n jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector\n where\n is_multi_region_trail\n and data_resource ->> 'Type' = 'AWS::S3::Object'\n and event_selector ->> 'ReadWriteType' in\n (\n 'ReadOnly',\n 'All'\n )\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when count(bucket_selector) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(bucket_selector) > 0 then b.name || ' object-level read events logging enabled.'\n else b.name || ' object-level read events logging disabled.'\n end as reason\n \n \nfrom\n aws_s3_bucket as b\n left join\n s3_selectors\n on bucket_selector like (b.arn || '%')\n or bucket_selector = 'arn:aws:s3'\ngroup by\n b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_3_2.yaml b/compliance/controls/aws/aws_cis_v150_3_2.yaml index 8639f012a..033a748f4 100755 --- a/compliance/controls/aws/aws_cis_v150_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_2.yaml 
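Review bot: The join `on bucket_selector like (b.arn || '%')` is a prefix match, so a trail whose data-event selector is `arn:aws:s3:::prod-logs/` also satisfies the pattern built from bucket `arn:aws:s3:::prod`, and that bucket is reported as 'ok' although nothing logs its reads. Bucket data-resource values are written as the bucket ARN followed by `/` (optionally a prefix), so match on `bucket_selector = b.arn || '/'`, or `like b.arn || '/%'` if prefix-scoped selectors are meant to count. The query also only consults `event_selectors` on multi-region trails; if the table exposes advanced event selectors separately, trails configured that way would be missed and their buckets would alarm despite being logged, which is worth confirming against the table schema.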
@@ -1,32 +1,14 @@ ID: aws_cis_v150_3_2 Title: "3.2 Ensure CloudTrail log file validation is enabled" Description: "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_file_validation_enabled then 'ok' - else 'alarm' - end as status, - case - when log_file_validation_enabled then title || ' log file validation enabled.' - else title || ' log file validation disabled.' - end as reason - - - from - aws_cloudtrail_trail - where - region = home_region; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_file_validation_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when log_file_validation_enabled then title || ' log file validation enabled.'\n else title || ' log file validation disabled.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_3_3.yaml b/compliance/controls/aws/aws_cis_v150_3_3.yaml index 08246db63..24f0fca2f 100755 --- a/compliance/controls/aws/aws_cis_v150_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_3.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v150_3_3 Title: "3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible" Description: "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -58,13 +56,15 @@ Query: when anon_statements > 0 then name || ' grants access to AWS:*" in bucket policy.' else name || ' does not grant anonymous access in ACL or bucket policy.' end as reason - + from public_bucket_data; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_3_4.yaml b/compliance/controls/aws/aws_cis_v150_3_4.yaml index 0f6c9b64b..c40e9d786 100755 --- a/compliance/controls/aws/aws_cis_v150_3_4.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_4.yaml 
@@ -1,32 +1,14 @@ ID: aws_cis_v150_3_4 Title: "3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs" Description: "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then 'ok' - else 'alarm' - end as status, - case - when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' integrated with CloudWatch logs.' - else title || ' not integrated with CloudWatch logs.' 
- end as reason - - - from - aws_cloudtrail_trail - where - region = home_region; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then 'ok'\n else 'alarm'\n end as status,\n case\n when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' integrated with CloudWatch logs.'\n else title || ' not integrated with CloudWatch logs.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_3_5.yaml b/compliance/controls/aws/aws_cis_v150_3_5.yaml index c9ca83eb5..9b77454f4 100755 --- a/compliance/controls/aws/aws_cis_v150_3_5.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_5.yaml 
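Review bot: `log_group_arn != 'null'` compares the column with the text literal 'null' rather than testing for SQL NULL; a NULL value makes the predicate NULL and the row falls through to 'alarm', so the result is right only by accident, and an empty-string value would report the trail as integrated. Prefer `log_group_arn is not null and log_group_arn <> ''`, keeping the literal comparison only if the table really stores the string 'null'. The freshness window `latest_delivery_time > current_date - 1` is strict and will alarm a correctly wired trail that has simply had no deliveries in the last day; if that matches the intended CIS check, a one-line comment in the query saying so would save the next reader the question.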
@@ -1,71 +1,15 @@ ID: aws_cis_v150_3_5 Title: "3.5 Ensure AWS Config is enabled in all regions" Description: "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - -- pgFormatter-ignore - -- Get count for any region with all matching criteria - with global_recorders as ( - select - count(*) as global_config_recorders - from - aws_config_configuration_recorder - where - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - and recording_group -> 'AllSupported' = 'true' - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - ) - select - 'arn:aws::' || a.region || ':' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- When any of the region satisfies with above CTE - -- In left join of table, regions now having - -- 'Recording' and 'LastStatus' matching criteria can be considered as OK - when - g.global_config_recorders >= 1 - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - then 'ok' - -- Skip any regions that are disabled in the account. - when a.opt_in_status = 'not-opted-in' then 'skip' - else 'alarm' - end as status, - -- Below cases are for citing respective reasons for control state - case - when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' 
- else - case - when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,' - else a.region || ' IncludeGlobalResourceTypes disabled,' - end || - case - when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,' - else ' AllSupported disabled,' - end || - case - when status ->> 'Recording' = 'true' then ' Recording enabled' - else ' Recording disabled' - end || - case - when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.' - else ' and LastStatus is not SUCCESS.' - end - end as reason - - from - global_recorders as g, - aws_region as a - left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name; + QueryToExecute: "-- pgFormatter-ignore\n-- Get count for any region with all matching criteria\nwith global_recorders as (\n select\n count(*) as global_config_recorders\n from\n aws_config_configuration_recorder\n where\n recording_group -> 'IncludeGlobalResourceTypes' = 'true'\n and recording_group -> 'AllSupported' = 'true'\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n)\nselect\n 'arn:aws::' || a.region || ':' || a.account_id as resource,\na.og_account_id as og_account_id,\na.og_resource_id as og_resource_id,\n case\n -- When any of the region satisfies with above CTE\n -- In left join of table, regions now having\n -- 'Recording' and 'LastStatus' matching criteria can be considered as OK\n when\n g.global_config_recorders >= 1\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n then 'ok'\n -- Skip any regions that are disabled in the account.\n when a.opt_in_status = 'not-opted-in' then 'skip'\n else 'alarm'\n end as status,\n -- Below cases are for citing respective reasons for control state\n case\n when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'\n else\n case\n when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then 
a.region || ' IncludeGlobalResourceTypes enabled,'\n else a.region || ' IncludeGlobalResourceTypes disabled,'\n end ||\n case\n when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'\n else ' AllSupported disabled,'\n end ||\n case\n when status ->> 'Recording' = 'true' then ' Recording enabled'\n else ' Recording disabled'\n end ||\n case\n when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'\n else ' and LastStatus is not SUCCESS.'\n end\n end as reason\n \nfrom\n global_recorders as g,\n aws_region as a\n left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;" PrimaryTable: aws_config_configuration_recorder ListOfTables: - - aws_config_configuration_recorder - - aws_region + - aws_config_configuration_recorder + - aws_region Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_3_6.yaml b/compliance/controls/aws/aws_cis_v150_3_6.yaml index 035e23569..24adb2160 100755 --- a/compliance/controls/aws/aws_cis_v150_3_6.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_6.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_3_6 Title: "3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket" Description: "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: t.region = t.home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
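Review bot: The 'ok' branch of the status CASE only requires `status ->> 'Recording' = 'true'` and `LastStatus = 'SUCCESS'` for the region plus at least one recorder anywhere with `AllSupported`/`IncludeGlobalResourceTypes`, so a region whose recorder tracks only a subset of resource types passes even though the reason text reports `AllSupported disabled` for it. If the intent is CIS 3.5 (all supported resources recorded in every region), add `and recording_group -> 'AllSupported' = 'true'` to the 'ok' branch. `status` and `recording_group` are also unqualified in the outer select; writing them as `r.status`/`r.recording_group` makes it clear they come from the left-joined recorder and are NULL for regions with no recorder at all.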
diff --git a/compliance/controls/aws/aws_cis_v150_3_7.yaml b/compliance/controls/aws/aws_cis_v150_3_7.yaml index 28d9cfa70..d2a04fc12 100755 --- a/compliance/controls/aws/aws_cis_v150_3_7.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_7.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_3_7 Title: "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs" Description: "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: region = home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_3_8.yaml b/compliance/controls/aws/aws_cis_v150_3_8.yaml index b1073bb88..cde14c339 100755 --- a/compliance/controls/aws/aws_cis_v150_3_8.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_8.yaml 
@@ -1,38 +1,14 @@ ID: aws_cis_v150_3_8 Title: "3.8 Ensure rotation for customer created symmetric CMKs is enabled" Description: "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when origin = 'EXTERNAL' then 'skip' - when key_state = 'PendingDeletion' then 'skip' - when key_state = 'Disabled' then 'skip' - when not key_rotation_enabled then 'alarm' - else 'ok' - end as status, - case - when origin = 'EXTERNAL' then title || ' has imported key material.' - when key_state = 'PendingDeletion' then title || ' is pending deletion.' - when key_state = 'Disabled' then title || ' is disabled.' - when not key_rotation_enabled then title || ' key rotation disabled.' - else title || ' key rotation enabled.' 
- end as reason - - - from - aws_kms_key - where - key_manager = 'CUSTOMER'; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when origin = 'EXTERNAL' then 'skip'\n when key_state = 'PendingDeletion' then 'skip'\n when key_state = 'Disabled' then 'skip'\n when not key_rotation_enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when origin = 'EXTERNAL' then title || ' has imported key material.'\n when key_state = 'PendingDeletion' then title || ' is pending deletion.'\n when key_state = 'Disabled' then title || ' is disabled.'\n when not key_rotation_enabled then title || ' key rotation disabled.'\n else title || ' key rotation enabled.'\n end as reason\n \n \nfrom\n aws_kms_key\nwhere\n key_manager = 'CUSTOMER';" PrimaryTable: aws_kms_key ListOfTables: - - aws_kms_key + - aws_kms_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_3_9.yaml b/compliance/controls/aws/aws_cis_v150_3_9.yaml index 560ac05b6..9e972bfbc 100755 --- a/compliance/controls/aws/aws_cis_v150_3_9.yaml +++ b/compliance/controls/aws/aws_cis_v150_3_9.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_3_9 Title: "3.9 Ensure VPC flow logging is enabled in all VPCs" Description: "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \\\"Rejects\\\" for VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -51,8 +49,10 @@ Query: left join flowlogs as f on v.vpc_id = f.resource_id; PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_flow_log + - aws_vpc + - aws_vpc_flow_log Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
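Review bot: The description says rotation cannot be enabled for asymmetric CMKs, but the query skips only imported (`origin = 'EXTERNAL'`), disabled and pending-deletion keys, so every customer-managed asymmetric or HMAC key is reported as 'alarm' for a setting AWS does not offer. If the table exposes the key spec, add a branch such as `when key_spec <> 'SYMMETRIC_DEFAULT' then 'skip'` before the rotation check, with a matching reason like `title || ' is not a symmetric key.'`; keys in a custom key store (`origin = 'AWS_CLOUDHSM'`) are in the same situation and could be skipped alongside `'EXTERNAL'`. The exact column name should be confirmed against the aws_kms_key schema, which the hunk does not show.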
diff --git a/compliance/controls/aws/aws_cis_v150_4_10.yaml b/compliance/controls/aws/aws_cis_v150_4_10.yaml index ee6cf4606..2000eba7e 100755 --- a/compliance/controls/aws/aws_cis_v150_4_10.yaml +++ b/compliance/controls/aws/aws_cis_v150_4_10.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_4_10 Title: "4.10 Ensure a log metric filter and alarm exist for security group changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_4_14.yaml b/compliance/controls/aws/aws_cis_v150_4_14.yaml index 1cee1264f..095dcccb6 100755 --- a/compliance/controls/aws/aws_cis_v150_4_14.yaml +++ b/compliance/controls/aws/aws_cis_v150_4_14.yaml 
@@ -1,96 +1,18 @@ ID: aws_cis_v150_4_14 Title: "4.14 Ensure a log metric filter and alarm exist for VPC changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - t.og_account_id as og_account_id, - t.og_resource_id as og_resource_id, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for VPC changes.' - else filter_name || ' forwards events for VPC changes.' 
- end as reason - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateVpc.+\\$\\.eventName\\s*=\\s*DeleteVpc.+\\$\\.eventName\\s*=\\s*ModifyVpcAttribute.+\\$\\.eventName\\s*=\\s*AcceptVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*CreateVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*DeleteVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*RejectVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*AttachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DetachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DisableVpcClassicLink.+\\$\\.eventName\\s*=\\s*EnableVpcClassicLink'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource,\n t.og_account_id as og_account_id,\n t.og_resource_id as og_resource_id,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for VPC changes.'\n else filter_name || ' forwards events for VPC changes.'\n end as reason \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_4_16.yaml b/compliance/controls/aws/aws_cis_v150_4_16.yaml index 190b30bed..105fbef06 100755 --- a/compliance/controls/aws/aws_cis_v150_4_16.yaml +++ b/compliance/controls/aws/aws_cis_v150_4_16.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_4_16 Title: "4.16 Ensure AWS Security Hub is enabled" Description: "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
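Review bot: The outer select of the rewritten QueryToExecute still reads `t.og_account_id` and `t.og_resource_id`, but `t` (the `trails` alias) is only in scope inside the `filter_data` CTE; the outer FROM binds only `aws_account as a` and `filter_data as f`, so a PostgreSQL-style engine (which the `jsonb_array_elements` and `~` operators suggest this is) will reject the query with a missing-FROM-clause error instead of evaluating it. The sibling controls 4.5 and 4.8 converted in this same commit use `a.og_account_id as og_account_id,` and `a.og_resource_id as og_resource_id,`, which is what this control needs as well. Because the status is `'alarm'` only when the query runs and finds `f.trail_name` null, a query that errors out leaves the VPC-change monitoring check reported as an error or skipped rather than as a finding, depending on how the runner handles query failures; worth fixing in the same pass as the quoting change.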
@@ -28,8 +26,10 @@ Query:
 left join aws_securityhub_hub as h on r.account_id = h.account_id and r.name = h.region;
 PrimaryTable: aws_securityhub_hub
 ListOfTables:
- - aws_region
- - aws_securityhub_hub
+ - aws_region
+ - aws_securityhub_hub
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_4_3.yaml b/compliance/controls/aws/aws_cis_v150_4_3.yaml
index 746ec9d12..56f005a53 100755
--- a/compliance/controls/aws/aws_cis_v150_4_3.yaml
+++ b/compliance/controls/aws/aws_cis_v150_4_3.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_4_3
 Title: "4.3 Ensure a log metric filter and alarm exist for usage of 'root' account"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -84,8 +82,10 @@ Query:
 left join filter_data as f on a.account_id = f.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - filter_data
+ - aws_account
+ - filter_data
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_4_5.yaml b/compliance/controls/aws/aws_cis_v150_4_5.yaml
index b4aa0e34d..b48c977d9 100755
--- a/compliance/controls/aws/aws_cis_v150_4_5.yaml
+++ b/compliance/controls/aws/aws_cis_v150_4_5.yaml
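Review bot: In the second 4.3 hunk, `ListOfTables` still lists `filter_data`, which the context line `left join filter_data as f on a.account_id = f.account_id;` shows is a query-local relation (in the sibling controls 4.5, 4.8 and 4.14 it is a CTE over the CloudTrail, CloudWatch and SNS tables), not a source table. The commit re-indents the entry but keeps it; if ListOfTables drives which tables the runner fetches or validates before executing, the tables this query actually reads are missing from the list. The siblings list `aws_cloudtrail_trail`, `aws_cloudwatch_alarm`, `aws_sns_topic_subscription`, `aws_cloudwatch_log_metric_filter` and `aws_account`, which is presumably what 4.3 needs too if its CTEs mirror theirs; the CTE bodies lie between the two hunks and are not visible here, so confirm against the full file.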
@@ -1,97 +1,18 @@ ID: aws_cis_v150_4_5 Title: "4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - 
) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for CloudTrail configuration changes.' - else filter_name || ' forwards events for CloudTrail configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateTrail.+\\$\\.eventName\\s*=\\s*UpdateTrail.+\\$\\.eventName\\s*=\\s*DeleteTrail.+\\$\\.eventName\\s*=\\s*StartLogging.+\\$\\.eventName\\s*=\\s*StopLogging'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n 
topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for CloudTrail configuration changes.'\n else filter_name || ' forwards events for CloudTrail configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_4_7.yaml b/compliance/controls/aws/aws_cis_v150_4_7.yaml index 614723e5b..51e6897eb 100755 --- a/compliance/controls/aws/aws_cis_v150_4_7.yaml +++ b/compliance/controls/aws/aws_cis_v150_4_7.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v150_4_7 Title: "4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
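Review bot: Collapsing the multi-line `QueryToExecute` block scalar into a single double-quoted line with `\n` escapes trades away most of the reviewability of these SQL queries: the long CTE chain becomes one line that no longer diffs per statement, and the regex in `metric_filters` now depends on YAML double-quote escape processing (`\\s*\\$\\.eventName`) to reproduce the pattern the block scalar carried verbatim. The same conversion appears in 4.14, 4.8, 5.5, 1.1, 1.10, 1.12, 1.14 and 1.15 in this chunk. If the goal is only to drop the `Connector` key and add `IntegrationTypeName`, keeping `QueryToExecute: |-` with the SQL below it (as 4.3, 4.7 and 4.16 still do after this commit) yields the same parsed value; the converted strings also carry whitespace-only segments (`\n \n`) that were blank lines in the block form, which is harmless but shows the conversion was mechanical. In 1.12 the embedded `--root_account ...` SQL line comment now relies on every following `\n` escape surviving intact, since a lost newline would comment out the rest of that CASE expression.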
@@ -86,11 +84,13 @@ Query:
 left join filter_data as f on a.account_id = f.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_cloudwatch_alarm
- - aws_sns_topic_subscription
- - aws_cloudwatch_log_metric_filter
- - aws_account
+ - aws_cloudtrail_trail
+ - aws_cloudwatch_alarm
+ - aws_sns_topic_subscription
+ - aws_cloudwatch_log_metric_filter
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_4_8.yaml b/compliance/controls/aws/aws_cis_v150_4_8.yaml
index a6a777812..628ba7457 100755
--- a/compliance/controls/aws/aws_cis_v150_4_8.yaml
+++ b/compliance/controls/aws/aws_cis_v150_4_8.yaml
@@ -1,97 +1,18 @@ ID: aws_cis_v150_4_8 Title: "4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on 
f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for S3 bucket policy changes.' - else filter_name || ' forwards events for S3 bucket policy changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ 
'\\s*\\$\\.eventSource\\s*=\\s*s3.amazonaws.com.+\\$\\.eventName\\s*=\\s*PutBucketAcl.+\\$\\.eventName\\s*=\\s*PutBucketPolicy.+\\$\\.eventName\\s*=\\s*PutBucketCors.+\\$\\.eventName\\s*=\\s*PutBucketLifecycle.+\\$\\.eventName\\s*=\\s*PutBucketReplication.+\\$\\.eventName\\s*=\\s*DeleteBucketPolicy.+\\$\\.eventName\\s*=\\s*DeleteBucketCors.+\\$\\.eventName\\s*=\\s*DeleteBucketLifecycle.+\\$\\.eventName\\s*=\\s*DeleteBucketReplication'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for S3 bucket policy changes.'\n else filter_name || ' forwards events for S3 bucket policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;" PrimaryTable: aws_account ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v150_5_2.yaml b/compliance/controls/aws/aws_cis_v150_5_2.yaml index cb0943641..e6cdea7f7 100755 --- a/compliance/controls/aws/aws_cis_v150_5_2.yaml +++ b/compliance/controls/aws/aws_cis_v150_5_2.yaml 
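Review bot: `PrimaryTable: aws_account` here disagrees with the structurally identical controls 4.5 and 4.14, which keep `PrimaryTable: aws_cloudtrail_trail` after this commit, even though all three build their resource ARN from `aws_account as a` in the outer select and left-join the CloudTrail data. I cannot tell from the hunk which value the runner expects, but the three should agree; if PrimaryTable names the table the reported resource row comes from, `aws_account` is the consistent choice (4.7 uses it too) and 4.5/4.14 should follow. The commit already touches the ListOfTables block in all three files, so this is a natural place to align it.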
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_5_2
 Title: "5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports"
 Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -64,8 +62,10 @@ Query:
 left join bad_rules on bad_rules.group_id = sg.group_id;
 PrimaryTable: aws_vpc_security_group
 ListOfTables:
- - aws_vpc_security_group_rule
- - aws_vpc_security_group
+ - aws_vpc_security_group_rule
+ - aws_vpc_security_group
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_5_3.yaml b/compliance/controls/aws/aws_cis_v150_5_3.yaml
index 41fc6eea4..391f12e1c 100755
--- a/compliance/controls/aws/aws_cis_v150_5_3.yaml
+++ b/compliance/controls/aws/aws_cis_v150_5_3.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_5_3
 Title: "5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports"
 Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -50,8 +48,10 @@ Query:
 left join bad_rules on bad_rules.group_id = sg.group_id;
 PrimaryTable: aws_vpc_security_group
 ListOfTables:
- - aws_vpc_security_group_rule
- - aws_vpc_security_group
+ - aws_vpc_security_group_rule
+ - aws_vpc_security_group
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_5_4.yaml b/compliance/controls/aws/aws_cis_v150_5_4.yaml
index e206827d3..a6e8dd523 100755
--- a/compliance/controls/aws/aws_cis_v150_5_4.yaml
+++ b/compliance/controls/aws/aws_cis_v150_5_4.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v150_5_4
 Title: "5.4 Ensure the default security group of every VPC restricts all traffic"
 Description: "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -29,7 +27,9 @@ Query:
 group_name = 'default';
 PrimaryTable: aws_vpc_security_group
 ListOfTables:
- - aws_vpc_security_group
+ - aws_vpc_security_group
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v150_5_5.yaml b/compliance/controls/aws/aws_cis_v150_5_5.yaml
index 0a3a7747a..0b1aa5aff 100755
--- a/compliance/controls/aws/aws_cis_v150_5_5.yaml
+++ b/compliance/controls/aws/aws_cis_v150_5_5.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v150_5_5
 Title: "5.5 Ensure routing tables for VPC peering are \\\"least access\\\""
 Description: "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v200_1_1.yaml b/compliance/controls/aws/aws_cis_v200_1_1.yaml
index f73cef8b9..50cf08c30 100755
--- a/compliance/controls/aws/aws_cis_v200_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_v200_1_1.yaml
@@ -1,23 +1,14 @@
 ID: aws_cis_v200_1_1
 Title: "1.1 Maintain current contact details"
 Description: "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- 'info' as status,
- 'Manual verification required.' as reason
-
- from
- aws_account;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v200_1_10.yaml b/compliance/controls/aws/aws_cis_v200_1_10.yaml
index 7a79db400..5f128479b 100755
--- a/compliance/controls/aws/aws_cis_v200_1_10.yaml
+++ b/compliance/controls/aws/aws_cis_v200_1_10.yaml
@@ -1,30 +1,14 @@
 ID: aws_cis_v200_1_10
 Title: "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"
 Description: "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when password_enabled and not mfa_active then 'alarm'
- else 'ok'
- end as status,
- case
- when not password_enabled then user_name || ' password login disabled.'
- when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.'
- else user_name || ' password login enabled and MFA device configured.'
- end as reason
-
- from
- aws_iam_credential_report;
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_enabled and not mfa_active then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then user_name || ' password login disabled.'\n when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.'\n else user_name || ' password login enabled and MFA device configured.'\n end as reason\n \nfrom\n aws_iam_credential_report;"
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v200_1_11.yaml b/compliance/controls/aws/aws_cis_v200_1_11.yaml
index fd41a95dc..a0e99986b 100755
--- a/compliance/controls/aws/aws_cis_v200_1_11.yaml
+++ b/compliance/controls/aws/aws_cis_v200_1_11.yaml
@@ -1,8 +1,6 @@
 ID: aws_cis_v200_1_11
 Title: "1.11 Do not setup access keys during initial user setup for all IAM users that have a console password"
 Description: "AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,7 +24,9 @@ Query:
 aws_iam_credential_report;
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v200_1_12.yaml b/compliance/controls/aws/aws_cis_v200_1_12.yaml
index af4542982..ed5ab7fc4 100755
--- a/compliance/controls/aws/aws_cis_v200_1_12.yaml
+++ b/compliance/controls/aws/aws_cis_v200_1_12.yaml
@@ -1,65 +1,14 @@ ID: aws_cis_v200_1_12 Title: "1.12 Ensure credentials unused for 45 days or greater are disabled" Description: "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - user_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - --root_account will have always password associated even though AWS credential report returns 'not_supported' for password_enabled - when user_name = '' - then 'info' - when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '45' day) - then 'alarm' - when password_enabled and password_last_used < (current_date - interval '45' day) - then 'alarm' - when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '45' day) - then 'alarm' - when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day) - then 'alarm' - when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '45' day) - then 'alarm' - when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day) - then 'alarm' - else 'ok' - end status, - user_name || - case - when not password_enabled - then ' password not enabled,' - when password_enabled and password_last_used is null - then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - else - ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ',' - end || - case - when not access_key_1_active - then ' key 1 not enabled,' - when access_key_1_active and access_key_1_last_used_date is null - then ' key 1 created ' || to_char(access_key_1_last_rotated, 
'DD-Mon-YYYY') || ' never used,' - else - ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - end || - case - when not access_key_2_active - then ' key 2 not enabled.' - when access_key_2_active and access_key_2_last_used_date is null - then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - else - ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - end - as reason - - from - aws_iam_credential_report; + QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n --root_account will have always password associated even though AWS credential report returns 'not_supported' for password_enabled\n when user_name = ''\n then 'info'\n when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '45' day)\n then 'alarm'\n when password_enabled and password_last_used < (current_date - interval '45' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '45' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '45' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day)\n then 'alarm'\n else 'ok'\n end status,\n user_name ||\n case\n when not password_enabled\n then ' password not enabled,'\n when password_enabled and password_last_used is null\n then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,'\n else\n ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_1_active\n then ' key 1 not enabled,'\n when access_key_1_active and 
access_key_1_last_used_date is null\n then ' key 1 created ' || to_char(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,'\n else\n ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_2_active\n then ' key 2 not enabled.'\n when access_key_2_active and access_key_2_last_used_date is null\n then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.'\n else\n ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.'\n end\n as reason\n \nfrom\n aws_iam_credential_report;" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_13.yaml b/compliance/controls/aws/aws_cis_v200_1_13.yaml index 841d54de8..98bda7320 100755 --- a/compliance/controls/aws/aws_cis_v200_1_13.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_13.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_1_13 Title: "1.13 Ensure there is only one active access key available for any single IAM user" Description: "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -28,8 +26,10 @@ Query: u._ctx; PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user - - aws_iam_access_key + - aws_iam_user + - aws_iam_access_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_14.yaml b/compliance/controls/aws/aws_cis_v200_1_14.yaml index 1690c15a1..0b7fcf640 100755 --- a/compliance/controls/aws/aws_cis_v200_1_14.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_14.yaml 
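Review bot: The converted query keeps `when user_name = '' then 'info'` under the comment `--root_account will have always password associated ...`, but an empty user name does not obviously match the root row: the IAM credential report, and the Steampipe-style table this schema resembles, identify it as `<root_account>`. If that is what this table yields, the root row never hits the `'info'` guard and falls through to `when password_enabled and password_last_used is null ...`, where the `not_supported` password fields the comment itself warns about would decide the result. Worth confirming against a real row and, if so, changing the guard to `when user_name = '<root_account>' then 'info'`; the 45-day logic is otherwise unchanged from the block-scalar form.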
@@ -1,28 +1,14 @@ ID: aws_cis_v200_1_14 Title: "1.14 Ensure access keys are rotated every 90 days or less" Description: "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when create_date <= (current_date - interval '90' day) then 'alarm' - else 'ok' - end status, - user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') || - ' (' || extract(day from current_timestamp - create_date) || ' days).' - as reason - - from - aws_iam_access_key; + QueryToExecute: "select\n 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end status,\n user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||\n ' (' || extract(day from current_timestamp - create_date) || ' days).'\n as reason\n \nfrom\n aws_iam_access_key;" PrimaryTable: aws_iam_access_key ListOfTables: - - aws_iam_access_key + - aws_iam_access_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_15.yaml b/compliance/controls/aws/aws_cis_v200_1_15.yaml index df51f0645..c88259192 100755 
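Review bot: The only change to `QueryToExecute` in this hunk is converting the `|-` block scalar into a double-quoted string with `\n` escapes, which makes the SQL unreviewable in a diff and makes the YAML parser, not the query engine, the first interpreter of any backslash that later lands in the query (regex escapes, `E''` strings); sibling controls in this same commit (1.13, 1.16) keep `|-`, so the files also become inconsistent. Keep `QueryToExecute: |-` with the SQL on indented lines. The converted string also carries a whitespace-only line (`reason\n \nfrom`) that the block form would have exposed as trailing whitespace. Separately, the query alarms on every key older than 90 days regardless of its state; if `aws_iam_access_key` exposes a `status` column, consider restricting to active keys (`where status = 'Active'`) or naming the state in the reason, since a stale inactive key needs deletion while a stale active one needs rotation.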
--- a/compliance/controls/aws/aws_cis_v200_1_15.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_15.yaml @@ -1,28 +1,14 @@ ID: aws_cis_v200_1_15 Title: "1.15 Ensure IAM Users Receive Permissions Only Through Groups" Description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when inline_policies is null and attached_policy_arns is null then 'ok' - else 'alarm' - end status, - name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' || - coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason - - - from - aws_iam_user; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when inline_policies is null and attached_policy_arns is null then 'ok'\n else 'alarm'\n end status,\n name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' ||\n coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason\n \n \nfrom\n aws_iam_user;" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user + - aws_iam_user Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_16.yaml b/compliance/controls/aws/aws_cis_v200_1_16.yaml index 2de45fe2e..630f18999 100755 --- a/compliance/controls/aws/aws_cis_v200_1_16.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_16.yaml 
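Review bot: `when inline_policies is null and attached_policy_arns is null then 'ok'` treats an empty JSON array as non-compliant: a user with `inline_policies = '[]'` and no attached policies falls through to `'alarm'` while the reason string reports `0 inline and 0 directly attached policies`. Whether the table returns `null` or `[]` for an empty list is not visible here, but the `coalesce(jsonb_array_length(...),0)` in the reason already anticipates both, so the status should use the same test: `when coalesce(jsonb_array_length(inline_policies), 0) = 0 and coalesce(jsonb_array_length(attached_policy_arns), 0) = 0 then 'ok'`. The block scalar was also replaced by an escaped double-quoted string; prefer keeping `QueryToExecute: |-` as the unchanged sibling controls do.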
@@ -1,8 +1,6 @@ ID: aws_cis_v200_1_16 Title: "1.16 Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not attached" Description: "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -49,7 +47,9 @@ Query: p.is_attached; PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_17.yaml b/compliance/controls/aws/aws_cis_v200_1_17.yaml index ca61c4148..18c8dec93 100755 --- a/compliance/controls/aws/aws_cis_v200_1_17.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_17.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_1_17 Title: "1.17 Ensure a support role has been created to manage incidents with AWS Support" Description: "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -43,8 +41,10 @@ Query: support_role_count; PrimaryTable: aws_iam_role ListOfTables: - - aws_account - - aws_iam_role + - aws_account + - aws_iam_role Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_18.yaml b/compliance/controls/aws/aws_cis_v200_1_18.yaml index 3e037dcb2..5d9267927 100755 --- a/compliance/controls/aws/aws_cis_v200_1_18.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_18.yaml 
@@ -1,23 +1,14 @@ ID: aws_cis_v200_1_18 Title: "1.18 Ensure IAM instance roles are used for AWS resource access from instances" Description: "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \\\"AWS Access\\\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_19.yaml b/compliance/controls/aws/aws_cis_v200_1_19.yaml index 80d592bc8..f7e4419cf 100755 --- a/compliance/controls/aws/aws_cis_v200_1_19.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_19.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v200_1_19 Title: "1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed" Description: "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_iam_server_certificate; PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_2.yaml b/compliance/controls/aws/aws_cis_v200_1_2.yaml index 9dd42039e..b52b579f2 100755 --- a/compliance/controls/aws/aws_cis_v200_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_2.yaml 
@@ -1,55 +1,15 @@ ID: aws_cis_v200_1_2 Title: "1.2 Ensure security contact information is registered" Description: "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with alternate_security_contact as ( - select - name, - account_id - from - aws_account_alternate_contact - where - contact_type = 'SECURITY' - ), - account as ( - select - arn, - partition, - title, - account_id, - _ctx - from - aws_account - ) - select - arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.partition = 'aws-us-gov' then 'info' - -- Name is a required field if setting a security contact - when c.name is not null then 'ok' - else 'alarm' - end as status, - case - when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.' - when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.' - else a.title || ' security contact not registered.' 
- end as reason - - from - account as a, - alternate_security_contact as c - where - c.account_id = a.account_id; + QueryToExecute: "with alternate_security_contact as (\n select\n name,\n account_id\n from\n aws_account_alternate_contact\n where\n contact_type = 'SECURITY'\n),\naccount as (\n select\n arn,\n partition,\n title,\n account_id,\n _ctx\n from\n aws_account\n)\nselect\n arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.partition = 'aws-us-gov' then 'info'\n -- Name is a required field if setting a security contact\n when c.name is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'\n when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'\n else a.title || ' security contact not registered.'\n end as reason\n \nfrom\n account as a,\n alternate_security_contact as c\nwhere\n c.account_id = a.account_id;" PrimaryTable: aws_account ListOfTables: - - aws_account_alternate_contact - - aws_account + - aws_account_alternate_contact + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_20.yaml b/compliance/controls/aws/aws_cis_v200_1_20.yaml index 8c5719b22..a1f5ba253 100755 --- a/compliance/controls/aws/aws_cis_v200_1_20.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_20.yaml 
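Review bot: The final `from account as a, alternate_security_contact as c where c.account_id = a.account_id` is an inner join, so an account with no SECURITY contact produces no row at all and the `else 'alarm'` / `' security contact not registered.'` branches are unreachable — the control silently passes for exactly the accounts it is meant to flag. In addition the `account` CTE selects only `arn, partition, title, account_id, _ctx`, yet the outer query reads `a.og_account_id` and `a.og_resource_id`; unless CloudQL injects those columns into CTEs, this query does not run. Add the two `og_*` columns to the CTE (dropping the unused `_ctx`), switch to a left join, and keep the SQL as a `|-` block scalar so the next change is reviewable, as below.
```yaml
  QueryToExecute: |-
    with alternate_security_contact as (
      -- ... unchanged: SECURITY contact rows ...
    ),
    account as (
      select
        arn,
        partition,
        title,
        account_id,
        og_account_id,
        og_resource_id
      from
        aws_account
    )
    select
      -- ... unchanged: resource / og_* / status / reason columns ...
    from
      account as a
      left join alternate_security_contact as c on c.account_id = a.account_id;
```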
@@ -1,8 +1,6 @@ ID: aws_cis_v200_1_20 Title: "1.20 Ensure that IAM Access analyzer is enabled for all regions" Description: "Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,8 +24,10 @@ Query: left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region; PrimaryTable: aws_region ListOfTables: - - aws_region - - aws_accessanalyzer_analyzer + - aws_region + - aws_accessanalyzer_analyzer Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_21.yaml b/compliance/controls/aws/aws_cis_v200_1_21.yaml index 3940e9bb6..dafb74177 100755 --- a/compliance/controls/aws/aws_cis_v200_1_21.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_21.yaml 
@@ -1,23 +1,14 @@ ID: aws_cis_v200_1_21 Title: "1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments" Description: "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_3.yaml b/compliance/controls/aws/aws_cis_v200_1_3.yaml index f9e579bc4..391af0e03 100755 --- a/compliance/controls/aws/aws_cis_v200_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_3.yaml 
@@ -1,23 +1,14 @@ ID: aws_cis_v200_1_3 Title: "1.3 Ensure security questions are registered in the AWS account" Description: "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_4.yaml b/compliance/controls/aws/aws_cis_v200_1_4.yaml index ac6deffc1..e4cb972ff 100755 --- a/compliance/controls/aws/aws_cis_v200_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_4.yaml 
@@ -1,29 +1,14 @@ ID: aws_cis_v200_1_4 Title: "1.4 Ensure no 'root' user account access key exists" Description: "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be deleted." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when account_access_keys_present > 0 then 'alarm' - else 'ok' - end status, - case - when account_access_keys_present > 0 then 'Root user access keys exist.' - else 'No root user access keys exist.' - end reason - - from - aws_iam_account_summary; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_access_keys_present > 0 then 'alarm'\n else 'ok'\n end status,\n case\n when account_access_keys_present > 0 then 'Root user access keys exist.'\n else 'No root user access keys exist.'\n end reason\n \nfrom\n aws_iam_account_summary;" PrimaryTable: aws_iam_account_summary ListOfTables: - - aws_iam_account_summary + - aws_iam_account_summary Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_5.yaml b/compliance/controls/aws/aws_cis_v200_1_5.yaml index 27ce7ecbc..2d0d4af3f 100755 --- a/compliance/controls/aws/aws_cis_v200_1_5.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_5.yaml 
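Review bot: `Severity: low` is kept for a control whose alarm means a root-user access key exists, the highest-impact credential in the account (CIS 1.4 is a Level 1 automated check and Security Hub rates the equivalent IAM.4 finding critical); the severity is the metadata that drives triage downstream, so `Severity: critical` (or at least `high`) fits better than the uniform `low` this commit applies across the cis_v200 controls. Also note the status expression fails open: `case when account_access_keys_present > 0 then 'alarm' else 'ok'` yields `'ok'` when the column is null, so an unreadable account summary passes silently; if the engine can surface nulls here, add `when account_access_keys_present is null then 'info'` ahead of it (the `'info'` status is already used by the manual controls in this commit). The `|-` block scalar was also replaced by an escaped string; prefer keeping the block form.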
@@ -1,29 +1,14 @@ ID: aws_cis_v200_1_5 Title: "1.5 Ensure MFA is enabled for the 'root' user account" Description: "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when account_mfa_enabled then 'ok' - else 'alarm' - end status, - case - when account_mfa_enabled then 'MFA enabled for root account.' - else 'MFA not enabled for root account.' - end reason - - from - aws_iam_account_summary; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_mfa_enabled then 'ok'\n else 'alarm'\n end status,\n case\n when account_mfa_enabled then 'MFA enabled for root account.'\n else 'MFA not enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary;" PrimaryTable: aws_iam_account_summary ListOfTables: - - aws_iam_account_summary + - aws_iam_account_summary Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_7.yaml b/compliance/controls/aws/aws_cis_v200_1_7.yaml index edf4f6aff..44b41f227 100755 --- a/compliance/controls/aws/aws_cis_v200_1_7.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_7.yaml 
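Review bot: `Severity: low` undersells a failing root-MFA check; Security Hub rates the equivalent IAM.9 finding critical, so `Severity: critical` or `high` better reflects the impact of an unprotected root login. The status expression itself fails closed — a null `account_mfa_enabled` drops to `'alarm'` — which is the right default for a root-account control and worth keeping as is. The `QueryToExecute` rewrite from `|-` to an escaped double-quoted string applies here too; the block form is the one to keep.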
@@ -1,41 +1,14 @@ ID: aws_cis_v200_1_7 Title: "1.7 Eliminate use of the 'root' user for administrative and daily tasks" Description: "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - user_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when password_last_used >= (current_date - interval '90' day) then 'alarm' - when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm' - when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm' - else 'ok' - end as status, - case - when password_last_used is null then 'Root never logged in with password.' - else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).' - end || - case - when access_key_1_last_used_date is null then ' Access Key 1 never used.' - else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).' - end || - case - when access_key_2_last_used_date is null then ' Access Key 2 never used.' - else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).' 
- end as reason - - from - aws_iam_credential_report - where - user_name = ''; + QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_last_used >= (current_date - interval '90' day) then 'alarm'\n when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm'\n when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end as status,\n case\n when password_last_used is null then 'Root never logged in with password.'\n else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).'\n end ||\n case\n when access_key_1_last_used_date is null then ' Access Key 1 never used.'\n else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).'\n end ||\n case\n when access_key_2_last_used_date is null then ' Access Key 2 never used.'\n else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).'\n end as reason\n \nfrom\n aws_iam_credential_report\nwhere\n user_name = '';" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_1_8.yaml b/compliance/controls/aws/aws_cis_v200_1_8.yaml index f8ec3a384..1fc25fdb4 100755 --- a/compliance/controls/aws/aws_cis_v200_1_8.yaml +++ b/compliance/controls/aws/aws_cis_v200_1_8.yaml 
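Review bot: The access-key branches of the status expression are inverted relative to the password branch: `password_last_used >= (current_date - interval '90' day)` alarms on recent use, but `access_key_1_last_used_date <= (current_date - interval '90' day)` and the key-2 line alarm on use older than 90 days and return `'ok'` for a root key used yesterday, which is exactly the activity this control exists to catch. Change both to `when access_key_1_last_used_date >= (current_date - interval '90' day) then 'alarm'` and `when access_key_2_last_used_date >= (current_date - interval '90' day) then 'alarm'`. With either operator a null last-used date (key never used) still falls through to `'ok'`, so the fix does not change the never-used case. The query was also rewritten from a `|-` block scalar to an escaped string; keeping the block form would have made this comparison easier to spot in review.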
@@ -1,31 +1,15 @@ ID: aws_cis_v200_1_8 Title: "1.8 Ensure IAM password policy requires minimum length of 14 or greater" Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when minimum_password_length >= 14 then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - else 'Minimum password length set to ' || minimum_password_length || '.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when minimum_password_length >= 14 then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n else 'Minimum password length set to ' || minimum_password_length || '.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;" PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_iam_account_password_policy + - aws_account + - aws_iam_account_password_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_2_1_1.yaml b/compliance/controls/aws/aws_cis_v200_2_1_1.yaml index b557c6a6a..0f2ea125f 100755 --- a/compliance/controls/aws/aws_cis_v200_2_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_1_1.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v200_2_1_1 Title: "2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests" Description: "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -42,7 +40,9 @@ Query: left join ssl_ok as ok on ok.name = b.name; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_2_1_2.yaml b/compliance/controls/aws/aws_cis_v200_2_1_2.yaml index fbf9b501b..e1753ab32 100755 --- a/compliance/controls/aws/aws_cis_v200_2_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_1_2.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_2_1_2 Title: "2.1.2 Ensure MFA Delete is enabled on S3 buckets" Description: "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_s3_bucket; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_2_1_3.yaml b/compliance/controls/aws/aws_cis_v200_2_1_3.yaml index 2ba90c426..7f680d11a 100755 --- a/compliance/controls/aws/aws_cis_v200_2_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_1_3.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v200_2_1_3 Title: "2.1.3 Ensure all data in Amazon S3 has been discovered, classified and secured when required" Description: "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -33,8 +31,10 @@ Query: left join bucket_list as l on b.name = l.bucket_name; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_macie2_classification_job - - aws_s3_bucket + - aws_macie2_classification_job + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_2_1_4.yaml b/compliance/controls/aws/aws_cis_v200_2_1_4.yaml index 00ad3fae1..ee111477a 100755 --- a/compliance/controls/aws/aws_cis_v200_2_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_1_4.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_2_1_4 Title: "2.1.4 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'" Description: "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -39,8 +37,10 @@ Query: s3account.account_id = bucket.account_id; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket - - aws_s3_account_settings + - aws_s3_bucket + - aws_s3_account_settings Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_2_2_1.yaml b/compliance/controls/aws/aws_cis_v200_2_2_1.yaml index 110c26954..a59ed4d26 100755 --- a/compliance/controls/aws/aws_cis_v200_2_2_1.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_2_1.yaml @@ -1,30 +1,14 @@ ID: aws_cis_v200_2_2_1 Title: "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions" Description: "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encrypted then 'ok' - else 'alarm' - end as status, - case - when encrypted then volume_id || ' encrypted.' - else volume_id || ' not encrypted.' - end as reason - - - from - aws_ebs_volume; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then volume_id || ' encrypted.'\n else volume_id || ' not encrypted.'\n end as reason\n \n \nfrom\n aws_ebs_volume;" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_2_3_1.yaml b/compliance/controls/aws/aws_cis_v200_2_3_1.yaml index ba18b92b0..1a9f291e8 100755 --- a/compliance/controls/aws/aws_cis_v200_2_3_1.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_3_1.yaml 
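Review bot: The title says "EBS Volume Encryption is Enabled in all Regions" (CIS 2.2.1, the per-region EBS encryption-by-default account setting), but the query only inspects existing volumes in `aws_ebs_volume`, so a region with encryption-by-default off and no volumes yet produces no finding, and a region where it was turned on after unencrypted volumes were created alarms on the wrong thing. If the plugin exposes the regional setting (in Steampipe-derived schemas it is `aws_ec2_regional_settings.default_ebs_encryption_enabled`), this control should evaluate that per region and leave per-volume encryption to a separate control; otherwise the title and description should say what is actually checked. The `QueryToExecute` rewrite also keeps two whitespace-only lines (`reason\n \n \nfrom`) and drops the `|-` block form that the unchanged sibling controls use.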
@@ -1,8 +1,6 @@ ID: aws_cis_v200_2_3_1 Title: "2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances" Description: "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_2_3_2.yaml b/compliance/controls/aws/aws_cis_v200_2_3_2.yaml index 296cb9695..718da7825 100755 --- a/compliance/controls/aws/aws_cis_v200_2_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_3_2.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_2_3_2 Title: "2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances" Description: "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_2_3_3.yaml b/compliance/controls/aws/aws_cis_v200_2_3_3.yaml index 2101c28f4..49961a706 100755 --- a/compliance/controls/aws/aws_cis_v200_2_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_3_3.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v200_2_3_3 Title: "2.3.3 Ensure that public access is not given to RDS Instance" Description: "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_2_4_1.yaml b/compliance/controls/aws/aws_cis_v200_2_4_1.yaml index 943fe2deb..ec9e59bfd 100755 --- a/compliance/controls/aws/aws_cis_v200_2_4_1.yaml +++ b/compliance/controls/aws/aws_cis_v200_2_4_1.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_2_4_1 Title: "2.4.1 Ensure that encryption is enabled for EFS file systems" Description: "EFS data should be encrypted at rest using AWS KMS (Key Management Service)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_efs_file_system; PrimaryTable: aws_efs_file_system ListOfTables: - - aws_efs_file_system + - aws_efs_file_system Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_3_10.yaml b/compliance/controls/aws/aws_cis_v200_3_10.yaml index ee1e078a2..07c721bb3 100755 --- a/compliance/controls/aws/aws_cis_v200_3_10.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_10.yaml 
@@ -1,57 +1,15 @@ ID: aws_cis_v200_3_10 Title: "3.10 Ensure that Object-level logging for write events is enabled for S3 bucket" Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with s3_selectors as - ( - select - name as trail_name, - is_multi_region_trail, - bucket_selector - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as event_selector, - jsonb_array_elements(event_selector -> 'DataResources') as data_resource, - jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector - where - is_multi_region_trail - and data_resource ->> 'Type' = 'AWS::S3::Object' - and event_selector ->> 'ReadWriteType' in - ( - 'WriteOnly', - 'All' - ) - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when count(bucket_selector) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(bucket_selector) > 0 then b.name || ' object-level write events logging enabled.' - else b.name || ' object-level write events logging disabled.' 
- end as reason - - - from - aws_s3_bucket as b - left join - s3_selectors - on bucket_selector like (b.arn || '%') - or bucket_selector = 'arn:aws:s3' - group by - b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; + QueryToExecute: "with s3_selectors as\n(\n select\n name as trail_name,\n is_multi_region_trail,\n bucket_selector\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as event_selector,\n jsonb_array_elements(event_selector -> 'DataResources') as data_resource,\n jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector\n where\n is_multi_region_trail\n and data_resource ->> 'Type' = 'AWS::S3::Object'\n and event_selector ->> 'ReadWriteType' in\n (\n 'WriteOnly',\n 'All'\n )\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when count(bucket_selector) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(bucket_selector) > 0 then b.name || ' object-level write events logging enabled.'\n else b.name || ' object-level write events logging disabled.'\n end as reason\n \n \nfrom\n aws_s3_bucket as b\n left join\n s3_selectors\n on bucket_selector like (b.arn || '%')\n or bucket_selector = 'arn:aws:s3'\ngroup by\n b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_3_11.yaml b/compliance/controls/aws/aws_cis_v200_3_11.yaml index 33a270ee2..6c4fecddb 100755 --- a/compliance/controls/aws/aws_cis_v200_3_11.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_11.yaml 
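Review bot: The `QueryToExecute` value is rewritten from a `|-` block scalar into a single double-quoted scalar with embedded `\n` escapes, which collapses the whole multi-line SQL onto one YAML line and makes any future diff of the query unreadable; the same conversion appears in the hunks for aws_cis_v200_3_2, 3_4, 3_5, 3_7, 3_8, 4_3, 4_6 and 5_4, while the neighbouring files in this commit (3_11, 3_3, 3_6, 3_9) keep `|-`. In 4_3 and 4_6 the regex in the `filter_pattern ~` predicate now needs doubled backslashes and `\"` escapes to survive double-quoting, so a later edit to that pattern has to reason about two escaping layers at once. Keeping `QueryToExecute: |-` followed by the indented SQL yields the same string here (the `|-` strip indicator matches the absence of a trailing `\n` in the quoted form, up to the whitespace on the blank lines) and is the form the rest of this directory uses. The `\n \n \n` before `from` is blank lines carrying a stray space each and could be dropped in the same pass.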
@@ -1,8 +1,6 @@ ID: aws_cis_v200_3_11 Title: "3.11 Ensure that Object-level logging for read events is enabled for S3 bucket" Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -48,8 +46,10 @@ Query: b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_3_2.yaml b/compliance/controls/aws/aws_cis_v200_3_2.yaml index 6e266f061..1e2b27ef9 100755 --- a/compliance/controls/aws/aws_cis_v200_3_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_2.yaml 
@@ -1,32 +1,14 @@ ID: aws_cis_v200_3_2 Title: "3.2 Ensure CloudTrail log file validation is enabled" Description: "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_file_validation_enabled then 'ok' - else 'alarm' - end as status, - case - when log_file_validation_enabled then title || ' log file validation enabled.' - else title || ' log file validation disabled.' - end as reason - - - from - aws_cloudtrail_trail - where - region = home_region; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_file_validation_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when log_file_validation_enabled then title || ' log file validation enabled.'\n else title || ' log file validation disabled.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_3_3.yaml b/compliance/controls/aws/aws_cis_v200_3_3.yaml index 8c2ac668a..d88d9cee6 100755 --- a/compliance/controls/aws/aws_cis_v200_3_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_3.yaml 
@@ -1,8 +1,6 @@ ID: aws_cis_v200_3_3 Title: "3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible" Description: "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -58,8 +56,10 @@ Query: public_bucket_data; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_3_4.yaml b/compliance/controls/aws/aws_cis_v200_3_4.yaml index 5ce736448..8458f908d 100755 --- a/compliance/controls/aws/aws_cis_v200_3_4.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_4.yaml 
@@ -1,31 +1,13 @@ ID: aws_cis_v200_3_4 Title: "3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs" Description: "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then 'ok' - else 'alarm' - end as status, - case - when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' integrated with CloudWatch logs.' - else title || ' not integrated with CloudWatch logs.' 
- end as reason - - - from - aws_cloudtrail_trail - where - region = home_region; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then 'ok'\n else 'alarm'\n end as status,\n case\n when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' integrated with CloudWatch logs.'\n else title || ' not integrated with CloudWatch logs.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_3_5.yaml b/compliance/controls/aws/aws_cis_v200_3_5.yaml index 9cdd096b8..35aa017de 100755 --- a/compliance/controls/aws/aws_cis_v200_3_5.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_5.yaml 
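Review bot: `PrimaryTable: ""` and `ListOfTables: []` on the new side do not match the query, which reads from `aws_cloudtrail_trail`; every sibling control touched by this commit (3_2, 3_7 and the others with the same shape) lists that table in both fields, and a consumer that resolves dependencies or the reported resource type from these fields will treat this control as table-less. Suggest `PrimaryTable: aws_cloudtrail_trail` and `ListOfTables:` with the single entry `- aws_cloudtrail_trail`. Separately, the `log_group_arn != 'null'` comparison is against the string literal `'null'`, unchanged by the commit; if the column is a real SQL NULL when no log group is attached, the predicate evaluates to NULL and the row falls through to `'alarm'`, which appears to be the intended outcome but is worth confirming against the table schema.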
@@ -1,71 +1,15 @@ ID: aws_cis_v200_3_5 Title: "3.5 Ensure AWS Config is enabled in all regions" Description: "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - -- pgFormatter-ignore - -- Get count for any region with all matching criteria - with global_recorders as ( - select - count(*) as global_config_recorders - from - aws_config_configuration_recorder - where - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - and recording_group -> 'AllSupported' = 'true' - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - ) - select - 'arn:aws::' || a.region || ':' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- When any of the region satisfies with above CTE - -- In left join of table, regions now having - -- 'Recording' and 'LastStatus' matching criteria can be considered as OK - when - g.global_config_recorders >= 1 - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - then 'ok' - -- Skip any regions that are disabled in the account. - when a.opt_in_status = 'not-opted-in' then 'skip' - else 'alarm' - end as status, - -- Below cases are for citing respective reasons for control state - case - when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' 
- else - case - when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,' - else a.region || ' IncludeGlobalResourceTypes disabled,' - end || - case - when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,' - else ' AllSupported disabled,' - end || - case - when status ->> 'Recording' = 'true' then ' Recording enabled' - else ' Recording disabled' - end || - case - when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.' - else ' and LastStatus is not SUCCESS.' - end - end as reason - - from - global_recorders as g, - aws_region as a - left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name; + QueryToExecute: "-- pgFormatter-ignore\n-- Get count for any region with all matching criteria\nwith global_recorders as (\n select\n count(*) as global_config_recorders\n from\n aws_config_configuration_recorder\n where\n recording_group -> 'IncludeGlobalResourceTypes' = 'true'\n and recording_group -> 'AllSupported' = 'true'\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n)\nselect\n 'arn:aws::' || a.region || ':' || a.account_id as resource,\na.og_account_id as og_account_id,\na.og_resource_id as og_resource_id,\n case\n -- When any of the region satisfies with above CTE\n -- In left join of table, regions now having\n -- 'Recording' and 'LastStatus' matching criteria can be considered as OK\n when\n g.global_config_recorders >= 1\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n then 'ok'\n -- Skip any regions that are disabled in the account.\n when a.opt_in_status = 'not-opted-in' then 'skip'\n else 'alarm'\n end as status,\n -- Below cases are for citing respective reasons for control state\n case\n when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'\n else\n case\n when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then 
a.region || ' IncludeGlobalResourceTypes enabled,'\n else a.region || ' IncludeGlobalResourceTypes disabled,'\n end ||\n case\n when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'\n else ' AllSupported disabled,'\n end ||\n case\n when status ->> 'Recording' = 'true' then ' Recording enabled'\n else ' Recording disabled'\n end ||\n case\n when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'\n else ' and LastStatus is not SUCCESS.'\n end\n end as reason\n \nfrom\n global_recorders as g,\n aws_region as a\n left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;" PrimaryTable: aws_config_configuration_recorder ListOfTables: - - aws_config_configuration_recorder - - aws_region + - aws_config_configuration_recorder + - aws_region Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_3_6.yaml b/compliance/controls/aws/aws_cis_v200_3_6.yaml index 0e1c5949d..7eb0cc51e 100755 --- a/compliance/controls/aws/aws_cis_v200_3_6.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_6.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_3_6 Title: "3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket" Description: "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: t.region = t.home_region; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_v200_3_7.yaml b/compliance/controls/aws/aws_cis_v200_3_7.yaml index 56495eb63..84a4f906b 100755 --- a/compliance/controls/aws/aws_cis_v200_3_7.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_7.yaml @@ -1,32 +1,14 @@ ID: aws_cis_v200_3_7 Title: "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs" Description: "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when kms_key_id is null then 'alarm' - else 'ok' - end as status, - case - when kms_key_id is null then title || ' logs are not encrypted at rest.' - else title || ' logs are encrypted at rest.' - end as reason - - - from - aws_cloudtrail_trail - where - region = home_region; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_key_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_key_id is null then title || ' logs are not encrypted at rest.'\n else title || ' logs are encrypted at rest.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_v200_3_8.yaml b/compliance/controls/aws/aws_cis_v200_3_8.yaml index 1a55c3ddc..34714d57b 100755 --- a/compliance/controls/aws/aws_cis_v200_3_8.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_8.yaml 
@@ -1,38 +1,14 @@ ID: aws_cis_v200_3_8 Title: "3.8 Ensure rotation for customer created symmetric CMKs is enabled" Description: "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when origin = 'EXTERNAL' then 'skip' - when key_state = 'PendingDeletion' then 'skip' - when key_state = 'Disabled' then 'skip' - when not key_rotation_enabled then 'alarm' - else 'ok' - end as status, - case - when origin = 'EXTERNAL' then title || ' has imported key material.' - when key_state = 'PendingDeletion' then title || ' is pending deletion.' - when key_state = 'Disabled' then title || ' is disabled.' - when not key_rotation_enabled then title || ' key rotation disabled.' - else title || ' key rotation enabled.' 
- end as reason - - - from - aws_kms_key - where - key_manager = 'CUSTOMER'; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when origin = 'EXTERNAL' then 'skip'\n when key_state = 'PendingDeletion' then 'skip'\n when key_state = 'Disabled' then 'skip'\n when not key_rotation_enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when origin = 'EXTERNAL' then title || ' has imported key material.'\n when key_state = 'PendingDeletion' then title || ' is pending deletion.'\n when key_state = 'Disabled' then title || ' is disabled.'\n when not key_rotation_enabled then title || ' key rotation disabled.'\n else title || ' key rotation enabled.'\n end as reason\n \n \nfrom\n aws_kms_key\nwhere\n key_manager = 'CUSTOMER';" PrimaryTable: aws_kms_key ListOfTables: - - aws_kms_key + - aws_kms_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_3_9.yaml b/compliance/controls/aws/aws_cis_v200_3_9.yaml index b33881df3..f6ee90e45 100755 --- a/compliance/controls/aws/aws_cis_v200_3_9.yaml +++ b/compliance/controls/aws/aws_cis_v200_3_9.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_3_9 Title: "3.9 Ensure VPC flow logging is enabled in all VPCs" Description: "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \\\"Rejects\\\" for VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -49,8 +47,10 @@ Query: left join flowlogs as f on v.vpc_id = f.resource_id; PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_flow_log + - aws_vpc + - aws_vpc_flow_log Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cis_v200_4_12.yaml b/compliance/controls/aws/aws_cis_v200_4_12.yaml index 4f7ef5729..710d79063 100755 --- a/compliance/controls/aws/aws_cis_v200_4_12.yaml +++ b/compliance/controls/aws/aws_cis_v200_4_12.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_4_12 Title: "4.12 Ensure changes to network gateways are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_4_3.yaml b/compliance/controls/aws/aws_cis_v200_4_3.yaml index d45091994..988efac4b 100755 --- a/compliance/controls/aws/aws_cis_v200_4_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_4_3.yaml 
@@ -1,97 +1,18 @@ ID: aws_cis_v200_4_3 Title: "4.3 Ensure usage of 'root' account is monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - a.og_account_id as og_account_id, - 
a.og_resource_id as og_resource_id, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for usage of "root" account.' - else filter_name || ' forwards events for usage of "root" account.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.userIdentity\\.type\\s*=\\s*\"Root\".+\\$\\.userIdentity\\.invokedBy NOT EXISTS.+\\$\\.eventType\\s*!=\\s*\"AwsServiceEvent\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n a.og_account_id as og_account_id,\n 
a.og_resource_id as og_resource_id,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for usage of \"root\" account.'\n else filter_name || ' forwards events for usage of \"root\" account.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_4_6.yaml b/compliance/controls/aws/aws_cis_v200_4_6.yaml index d43de2e4a..cfbe253d9 100755 --- a/compliance/controls/aws/aws_cis_v200_4_6.yaml +++ b/compliance/controls/aws/aws_cis_v200_4_6.yaml 
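Review bot: `PrimaryTable: aws_cloudtrail_trail` does not match what the query emits — the outer `select` drives from `aws_account as a` and reports one row per account (`'arn:' || a.partition || ':::' || a.account_id as resource`), with CloudTrail only consulted inside the `trails` CTE; aws_cis_v200_4_12 in this same commit, which has the same shape, uses `PrimaryTable: aws_account`. The same mismatch is present in the aws_cis_v200_4_6 hunk. Suggest `PrimaryTable: aws_account` for both so the declared resource type agrees with the `resource` column; `ListOfTables` already contains `aws_account`.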
@@ -1,97 +1,18 @@ ID: aws_cis_v200_4_6 Title: "4.6 Ensure AWS Management Console authentication failures are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' 
|| a.partition || ':::' || a.account_id as resource, - f.account_id as og_account_id, - f.trail_name as og_resource_id, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.' - else f.filter_name || ' forwards events for console authentication failures.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*ConsoleLogin.+\\$\\.errorMessage\\s*=\\s*\"Failed authentication\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || 
a.account_id as resource,\n f.account_id as og_account_id,\n f.trail_name as og_resource_id,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.'\n else f.filter_name || ' forwards events for console authentication failures.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_5_2.yaml b/compliance/controls/aws/aws_cis_v200_5_2.yaml index fe0518761..1fb0247ab 100755 --- a/compliance/controls/aws/aws_cis_v200_5_2.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_2.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_5_2 Title: "5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports" Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -64,8 +62,10 @@ Query: left join bad_rules on bad_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
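Review bot: `f.account_id as og_account_id` and `f.trail_name as og_resource_id` are taken from the left-joined `filter_data` CTE, so for exactly the accounts that land in `'alarm'` (where `f.trail_name is null`) both identity columns are NULL, and even when matched they carry the raw account id and trail name rather than the `og_*` fields. The sibling aws_cis_v200_4_3 hunk takes them from the `aws_account as a` side — `a.og_account_id as og_account_id,` and `a.og_resource_id as og_resource_id,` — and the same two lines here would keep the alarm rows attributable to an account. This predates the commit but is carried unchanged into the rewritten string.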
diff --git a/compliance/controls/aws/aws_cis_v200_5_3.yaml b/compliance/controls/aws/aws_cis_v200_5_3.yaml index 0d050c174..66cae91a0 100755 --- a/compliance/controls/aws/aws_cis_v200_5_3.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_3.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v200_5_3 Title: "5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports" Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -50,8 +48,10 @@ Query: left join bad_rules on bad_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_5_4.yaml b/compliance/controls/aws/aws_cis_v200_5_4.yaml index 1e290f606..75d5bf07e 100755 --- a/compliance/controls/aws/aws_cis_v200_5_4.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_4.yaml 
@@ -1,37 +1,14 @@ ID: aws_cis_v200_5_4 Title: "5.4 Ensure the default security group of every VPC restricts all traffic" Description: "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has inbound and outbound rules.' - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0 - then 'Default security group ' || group_id || ' has inbound rules.' - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has outbound rules.' - else 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- end reason - - - from - aws_vpc_security_group - where - group_name = 'default'; + QueryToExecute: "select\n arn resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has inbound and outbound rules.'\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0\n then 'Default security group ' || group_id || ' has inbound rules.'\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has outbound rules.'\n else 'Default security group ' || group_id || ' has no inbound or outbound rules.'\n end reason\n \n \nfrom\n aws_vpc_security_group\nwhere\n group_name = 'default';" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_5_5.yaml b/compliance/controls/aws/aws_cis_v200_5_5.yaml index 4e461afd5..0cc0cf1af 100755 --- a/compliance/controls/aws/aws_cis_v200_5_5.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_5.yaml 
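Review bot: In the new QueryToExecute the status and reason branches disagree whenever `ip_permissions` or `ip_permissions_egress` is NULL: `jsonb_array_length(NULL)` yields NULL, so the status CASE falls through to 'alarm' while every reason branch is skipped and the same row is described as 'has no inbound or outbound rules.' If the collector can emit NULL for a rule-less default group (I cannot confirm that from the hunk), wrap both counts as `coalesce(jsonb_array_length(ip_permissions), 0)` and `coalesce(jsonb_array_length(ip_permissions_egress), 0)` so a missing and an empty rule set are classified identically in both CASEs. Separately, collapsing the `|-` block scalar into one double-quoted string with embedded `\n` (including `\n \n` segments that carry a lone trailing space) makes the SQL much harder to read and review; the query text is unchanged, so keeping `QueryToExecute: |-` would preserve line-oriented diffs.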
@@ -1,23 +1,14 @@ ID: aws_cis_v200_5_5 Title: "5.5 Ensure routing tables for VPC peering are \\\"least access\\\"" Description: "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v200_5_6.yaml b/compliance/controls/aws/aws_cis_v200_5_6.yaml index d45be5263..cdaf0a7b2 100755 --- a/compliance/controls/aws/aws_cis_v200_5_6.yaml +++ b/compliance/controls/aws/aws_cis_v200_5_6.yaml 
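Review bot: The rewrite replaces the `|-` block scalar with a single double-quoted string of `\n` escapes, which is the less readable YAML form for multi-line SQL and now embeds a line consisting only of a space (`\n \n`) into the query text. Since the SQL itself is identical, keeping `QueryToExecute: |-` with the indented statement would leave future changes reviewable line by line instead of as one long string replacement. The same block-scalar-to-string conversion is applied to the other manual-verification controls in this patch, and the same remark applies to each of them.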
@@ -1,30 +1,14 @@ ID: aws_cis_v200_5_6 Title: "5.6 Ensure that EC2 Metadata Service only allows IMDSv2" Description: "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when metadata_options ->> 'HttpTokens' = 'optional' then 'alarm' - else 'ok' - end as status, - case - when metadata_options ->> 'HttpTokens' = 'optional' then title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' - else title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' - end as reason - - - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when metadata_options ->> 'HttpTokens' = 'optional' then 'alarm'\n else 'ok'\n end as status,\n case\n when metadata_options ->> 'HttpTokens' = 'optional' then title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).'\n else title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).'\n end as reason\n \n \nfrom\n aws_ec2_instance;" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_1.yaml b/compliance/controls/aws/aws_cis_v300_1_1.yaml index 42565d79e..30b6cbf90 100755 --- a/compliance/controls/aws/aws_cis_v300_1_1.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_1.yaml 
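Review bot: The status CASE in the new QueryToExecute is fail-open: an instance whose `metadata_options` is NULL or has no `HttpTokens` key compares NULL against 'optional', falls to the else branch, and is reported 'ok' as 'configured to use Instance Metadata Service Version 2'. Inverting the test so only an explicit requirement passes, `when metadata_options ->> 'HttpTokens' = 'required' then 'ok' else 'alarm'`, reports unknown configuration as a finding rather than silently passing it, which is the safer default for a control whose purpose is to block SSRF-style credential theft through IMDSv1; mirror the same condition in the reason CASE. If the table also exposes `HttpEndpoint`, an instance with the endpoint disabled could be given an explicit 'ok' or 'skip' branch, but that key is not visible in this hunk so confirm the schema first. The block scalar to quoted-string conversion is a readability regression here as in the other files.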
@@ -1,23 +1,14 @@ ID: aws_cis_v300_1_1 Title: "1.1 Maintain current contact details" Description: "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_10.yaml b/compliance/controls/aws/aws_cis_v300_1_10.yaml index 620b6353a..820a69937 100755 --- a/compliance/controls/aws/aws_cis_v300_1_10.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_10.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_1_10 Title: "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password" Description: "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -23,7 +21,9 @@ Query: aws_iam_credential_report; PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_11.yaml b/compliance/controls/aws/aws_cis_v300_1_11.yaml index 1cbbb0221..a86311cd5 100755 --- a/compliance/controls/aws/aws_cis_v300_1_11.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_11.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_1_11 Title: "1.11 Do not setup access keys during initial user setup for all IAM users that have a console password" Description: "AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,7 +24,9 @@ Query: aws_iam_credential_report; PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_12.yaml b/compliance/controls/aws/aws_cis_v300_1_12.yaml index efe55c75d..329aa4562 100755 --- a/compliance/controls/aws/aws_cis_v300_1_12.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_12.yaml 
@@ -1,65 +1,14 @@ ID: aws_cis_v300_1_12 Title: "1.12 Ensure credentials unused for 45 days or greater are disabled" Description: "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - user_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - --root_account will have always password associated even though AWS credential report returns 'not_supported' for password_enabled - when user_name = '' - then 'info' - when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '45' day) - then 'alarm' - when password_enabled and password_last_used < (current_date - interval '45' day) - then 'alarm' - when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '45' day) - then 'alarm' - when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day) - then 'alarm' - when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '45' day) - then 'alarm' - when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day) - then 'alarm' - else 'ok' - end status, - user_name || - case - when not password_enabled - then ' password not enabled,' - when password_enabled and password_last_used is null - then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,' - else - ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ',' - end || - case - when not access_key_1_active - then ' key 1 not enabled,' - when access_key_1_active and access_key_1_last_used_date is null - then ' key 1 created ' || to_char(access_key_1_last_rotated, 
'DD-Mon-YYYY') || ' never used,' - else - ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - end || - case - when not access_key_2_active - then ' key 2 not enabled.' - when access_key_2_active and access_key_2_last_used_date is null - then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - else - ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' - end - as reason - - from - aws_iam_credential_report; + QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n --root_account will have always password associated even though AWS credential report returns 'not_supported' for password_enabled\n when user_name = ''\n then 'info'\n when password_enabled and password_last_used is null and password_last_changed < (current_date - interval '45' day)\n then 'alarm'\n when password_enabled and password_last_used < (current_date - interval '45' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date is null and access_key_1_last_rotated < (current_date - interval '45' day)\n then 'alarm'\n when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date is null and access_key_2_last_rotated < (current_date - interval '45' day)\n then 'alarm'\n when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day)\n then 'alarm'\n else 'ok'\n end status,\n user_name ||\n case\n when not password_enabled\n then ' password not enabled,'\n when password_enabled and password_last_used is null\n then ' password created ' || to_char(password_last_changed, 'DD-Mon-YYYY') || ' never used,'\n else\n ' password used ' || to_char(password_last_used, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_1_active\n then ' key 1 not enabled,'\n when access_key_1_active and 
access_key_1_last_used_date is null\n then ' key 1 created ' || to_char(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,'\n else\n ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_2_active\n then ' key 2 not enabled.'\n when access_key_2_active and access_key_2_last_used_date is null\n then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.'\n else\n ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.'\n end\n as reason\n \nfrom\n aws_iam_credential_report;" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_14.yaml b/compliance/controls/aws/aws_cis_v300_1_14.yaml index 55490b138..17abec454 100755 --- a/compliance/controls/aws/aws_cis_v300_1_14.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_14.yaml 
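Review bot: The 45-day boundary in the new QueryToExecute uses a strict `<` against `current_date - interval '45' day`, so a credential last used exactly 45 days ago is not flagged even though the title says 'unused for 45 days or greater'; `<=` in the six alarm branches (for example `when password_enabled and password_last_used <= (current_date - interval '45' day)`) matches the stated threshold. The inline comment identifies the root row by `user_name = ''`; if the credential report actually labels it `<root_account>` that branch never matches and root is evaluated against `password_enabled` like any user — I cannot verify the row format from the hunk, so please check against a real report. Converting the block scalar into a roughly 2 KB double-quoted string also makes this, the longest query in the patch, effectively unreviewable; keeping `|-` would retain readable diffs.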
@@ -1,28 +1,14 @@ ID: aws_cis_v300_1_14 Title: "1.14 Ensure access keys are rotated every 90 days or less" Description: "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when create_date <= (current_date - interval '90' day) then 'alarm' - else 'ok' - end status, - user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') || - ' (' || extract(day from current_timestamp - create_date) || ' days).' - as reason - - from - aws_iam_access_key; + QueryToExecute: "select\n 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end status,\n user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||\n ' (' || extract(day from current_timestamp - create_date) || ' days).'\n as reason\n \nfrom\n aws_iam_access_key;" PrimaryTable: aws_iam_access_key ListOfTables: - - aws_iam_access_key + - aws_iam_access_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_15.yaml b/compliance/controls/aws/aws_cis_v300_1_15.yaml index cfdd963ca..8be77c33a 100755 
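Review bot: The new query alarms on every `aws_iam_access_key` row whose `create_date` is 90 or more days old without considering whether the key is still active, so an already-deactivated key raises the same finding as a live one and the reason text cannot tell them apart. If the table exposes the key's status (the hunk does not show it), either filter on it or surface it in the reason, e.g. `user_name || ' ' || access_key_id || ' (' || status || ') created ' || to_char(create_date, 'DD-Mon-YYYY') ||`, so operators can prioritise active stale keys. The `|-` to quoted-string conversion is a readability regression here as well.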
--- a/compliance/controls/aws/aws_cis_v300_1_15.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_15.yaml @@ -1,28 +1,14 @@ ID: aws_cis_v300_1_15 Title: "1.15 Ensure IAM Users Receive Permissions Only Through Groups" Description: "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when inline_policies is null and attached_policy_arns is null then 'ok' - else 'alarm' - end status, - name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' || - coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason - - - from - aws_iam_user; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when inline_policies is null and attached_policy_arns is null then 'ok'\n else 'alarm'\n end status,\n name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' ||\n coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason\n \n \nfrom\n aws_iam_user;" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user + - aws_iam_user Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_16.yaml b/compliance/controls/aws/aws_cis_v300_1_16.yaml index 62676597e..75bf4f232 100755 --- a/compliance/controls/aws/aws_cis_v300_1_16.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_16.yaml 
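Review bot: The status test `inline_policies is null and attached_policy_arns is null` in the new QueryToExecute passes only when both columns are NULL, while the reason text already anticipates an empty JSON array by wrapping `jsonb_array_length` in `coalesce`; a user whose collector returns `[]` in either column would be alarmed with the contradictory message '0 inline and 0 directly attached policies'. Using the same expression in both CASEs, `when coalesce(jsonb_array_length(inline_policies), 0) = 0 and coalesce(jsonb_array_length(attached_policy_arns), 0) = 0 then 'ok'`, removes the inconsistency whichever representation the table uses. The block-scalar to single-line-string change is again a readability regression.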
@@ -1,8 +1,6 @@ ID: aws_cis_v300_1_16 Title: "1.16 Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not attached" Description: "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -49,7 +47,9 @@ Query: p.is_attached; PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_17.yaml b/compliance/controls/aws/aws_cis_v300_1_17.yaml index 29c05eb09..57fdd6f42 100755 --- a/compliance/controls/aws/aws_cis_v300_1_17.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_17.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_1_17 Title: "1.17 Ensure a support role has been created to manage incidents with AWS Support" Description: "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: support_role_count; PrimaryTable: aws_iam_role ListOfTables: - - aws_account - - aws_iam_role + - aws_account + - aws_iam_role Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_18.yaml b/compliance/controls/aws/aws_cis_v300_1_18.yaml index 2acbb9813..c07e9b404 100755 --- a/compliance/controls/aws/aws_cis_v300_1_18.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_18.yaml 
@@ -1,23 +1,14 @@ ID: aws_cis_v300_1_18 Title: "1.18 Ensure IAM instance roles are used for AWS resource access from instances" Description: "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \\\"AWS Access\\\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_19.yaml b/compliance/controls/aws/aws_cis_v300_1_19.yaml index e1f71d2ca..6422dc774 100755 --- a/compliance/controls/aws/aws_cis_v300_1_19.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_19.yaml 
@@ -1,30 +1,14 @@ ID: aws_cis_v300_1_19 Title: "1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed" Description: "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case when expiration < (current_date - interval '1' second) then 'alarm' - else 'ok' - end as status, - case when expiration < (current_date - interval '1' second) then - name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.' - else - name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.' 
- end as reason - - - from - aws_iam_server_certificate; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case when expiration < (current_date - interval '1' second) then 'alarm'\n else 'ok'\n end as status,\n case when expiration < (current_date - interval '1' second) then\n name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n else\n name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n end as reason\n \n \nfrom\n aws_iam_server_certificate;" PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_2.yaml b/compliance/controls/aws/aws_cis_v300_1_2.yaml index e924edf03..230e6c10f 100755 --- a/compliance/controls/aws/aws_cis_v300_1_2.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_2.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_1_2 Title: "1.2 Ensure security contact information is registered" Description: "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -49,8 +47,10 @@ Query: c.account_id = a.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account_alternate_contact - - aws_account + - aws_account_alternate_contact + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_20.yaml b/compliance/controls/aws/aws_cis_v300_1_20.yaml index f91895f92..263ca184e 100755 --- a/compliance/controls/aws/aws_cis_v300_1_20.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_20.yaml 
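Review bot: The expiry comparison in the new QueryToExecute, `expiration < (current_date - interval '1' second)`, subtracts one second from a date and therefore evaluates against 23:59:59 of the previous day, so a certificate that expired earlier today is still reported as 'valid until' today until the next calendar day. Compare against the current time instead, `case when expiration < current_timestamp then 'alarm'`, and use the same condition in the reason CASE. Note that a NULL `expiration` also lands in the 'ok' branch; if that can occur for IAM server certificates it should be surfaced rather than passed. Keeping the `|-` block scalar would avoid the unreadable single-line string.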
@@ -1,34 +1,15 @@ ID: aws_cis_v300_1_20 Title: "1.20 Ensure that IAM Access analyzer is enabled for all regions" Description: "Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, - r.og_account_id as og_account_id, - r.og_resource_id as og_resource_id, - case - -- Skip any regions that are disabled in the account. - when r.opt_in_status = 'not-opted-in' then 'skip' - when aa.arn is not null then 'ok' - else 'alarm' - end as status, - case - when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.' - when aa.arn is not null then aa.name || ' enabled in ' || r.region || '.' - else 'Access Analyzer not enabled in ' || r.region || '.' 
- end as reason - - from - aws_region as r - left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region; + QueryToExecute: "select\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\n r.og_account_id as og_account_id,\n r.og_resource_id as og_resource_id,\n case\n -- Skip any regions that are disabled in the account.\n when r.opt_in_status = 'not-opted-in' then 'skip'\n when aa.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'\n when aa.arn is not null then aa.name || ' enabled in ' || r.region || '.'\n else 'Access Analyzer not enabled in ' || r.region || '.'\n end as reason\n \nfrom\n aws_region as r\n left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region;" PrimaryTable: aws_accessanalyzer_analyzer ListOfTables: - - aws_region - - aws_accessanalyzer_analyzer + - aws_region + - aws_accessanalyzer_analyzer Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_21.yaml b/compliance/controls/aws/aws_cis_v300_1_21.yaml index 42e6c383d..a17554287 100755 --- a/compliance/controls/aws/aws_cis_v300_1_21.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_21.yaml 
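Review bot: The new query treats any `aws_accessanalyzer_analyzer` row joined to the region as satisfying the control (`when aa.arn is not null then 'ok'`) without checking that the analyzer is actually active, so an analyzer that exists but is in a failed or disabled state would pass. If the table exposes the analyzer's status and type (not visible in this hunk), tighten the branch along the lines of `when aa.arn is not null and aa.status = 'ACTIVE' then 'ok'` and consider including the type in the reason, since the benchmark item is about account- or organization-level analysis. The left join can also yield several rows per region when more than one analyzer exists, which duplicates findings for that region. As elsewhere in the patch, the block scalar should stay a block scalar.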
@@ -1,23 +1,14 @@ ID: aws_cis_v300_1_21 Title: "1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments" Description: "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_3.yaml b/compliance/controls/aws/aws_cis_v300_1_3.yaml index 7942c2451..63bfbf650 100755 --- a/compliance/controls/aws/aws_cis_v300_1_3.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_3.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_1_3 Title: "1.3 Ensure security questions are registered in the AWS account" Description: "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -12,12 +10,14 @@ Query: og_resource_id as og_resource_id, 'info' as status, 'Manual verification required.' as reason - + from aws_account; PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_4.yaml b/compliance/controls/aws/aws_cis_v300_1_4.yaml index 520d9e1c2..136aa53cb 100755 --- a/compliance/controls/aws/aws_cis_v300_1_4.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_4.yaml @@ -1,29 +1,14 @@ ID: aws_cis_v300_1_4 Title: "1.4 Ensure no 'root' user account access key exists" Description: "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be deleted." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when account_access_keys_present > 0 then 'alarm' - else 'ok' - end status, - case - when account_access_keys_present > 0 then 'Root user access keys exist.' - else 'No root user access keys exist.' - end reason - - from - aws_iam_account_summary; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_access_keys_present > 0 then 'alarm'\n else 'ok'\n end status,\n case\n when account_access_keys_present > 0 then 'Root user access keys exist.'\n else 'No root user access keys exist.'\n end reason\n \nfrom\n aws_iam_account_summary;" PrimaryTable: aws_iam_account_summary ListOfTables: - - aws_iam_account_summary + - aws_iam_account_summary Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
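Review bot: In the new QueryToExecute for 1.4 a NULL `account_access_keys_present` falls through to 'ok' with the reason 'No root user access keys exist.', whereas the neighbouring 1.5 control fails closed with `when account_mfa_enabled then 'ok' else 'alarm'`. For a root-credential check an unknown value should not read as a pass; adding `when account_access_keys_present is null then 'info'` ahead of the existing branch, with a reason such as 'Root access key count unavailable.', keeps the two controls consistent. The query is otherwise unchanged and would be easier to review if left as a `|-` block scalar.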
diff --git a/compliance/controls/aws/aws_cis_v300_1_5.yaml b/compliance/controls/aws/aws_cis_v300_1_5.yaml index 05ab62ab2..835a9e11c 100755 --- a/compliance/controls/aws/aws_cis_v300_1_5.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_5.yaml @@ -1,29 +1,14 @@ ID: aws_cis_v300_1_5 Title: "1.5 Ensure MFA is enabled for the 'root' user account" Description: "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when account_mfa_enabled then 'ok' - else 'alarm' - end status, - case - when account_mfa_enabled then 'MFA enabled for root account.' - else 'MFA not enabled for root account.' - end reason - - from - aws_iam_account_summary; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_mfa_enabled then 'ok'\n else 'alarm'\n end status,\n case\n when account_mfa_enabled then 'MFA enabled for root account.'\n else 'MFA not enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary;" PrimaryTable: aws_iam_account_summary ListOfTables: - - aws_iam_account_summary + - aws_iam_account_summary Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_1_6.yaml b/compliance/controls/aws/aws_cis_v300_1_6.yaml index f454989d6..02e2f9b3f 100755 --- a/compliance/controls/aws/aws_cis_v300_1_6.yaml +++ b/compliance/controls/aws/aws_cis_v300_1_6.yaml 
@@ -1,8 +1,6 @@
ID: aws_cis_v300_1_6
Title: "1.6 Ensure hardware MFA is enabled for the 'root' user account"
Description: "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -24,8 +22,10 @@ Query:
left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';
PrimaryTable: aws_iam_account_summary
ListOfTables:
- - aws_iam_account_summary
- - aws_iam_virtual_mfa_device
+ - aws_iam_account_summary
+ - aws_iam_virtual_mfa_device
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_1_7.yaml b/compliance/controls/aws/aws_cis_v300_1_7.yaml
index d80e78df9..11c6a9ce5 100755
--- a/compliance/controls/aws/aws_cis_v300_1_7.yaml
+++ b/compliance/controls/aws/aws_cis_v300_1_7.yaml
@@ -1,41 +1,14 @@
ID: aws_cis_v300_1_7
Title: "1.7 Eliminate use of the 'root' user for administrative and daily tasks"
Description: "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when password_last_used >= (current_date - interval '90' day) then 'alarm'
- when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm'
- when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm'
- else 'ok'
- end as status,
- case
- when password_last_used is null then 'Root never logged in with password.'
- else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).'
- end ||
- case
- when access_key_1_last_used_date is null then ' Access Key 1 never used.'
- else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).'
- end ||
- case
- when access_key_2_last_used_date is null then ' Access Key 2 never used.'
- else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).'
- end as reason
-
- from
- aws_iam_credential_report
- where
- user_name = '';
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_last_used >= (current_date - interval '90' day) then 'alarm'\n when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm'\n when access_key_2_last_used_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end as status,\n case\n when password_last_used is null then 'Root never logged in with password.'\n else 'Root password used ' || to_char(password_last_used , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - password_last_used) || ' days).'\n end ||\n case\n when access_key_1_last_used_date is null then ' Access Key 1 never used.'\n else ' Access Key 1 used ' || to_char(access_key_1_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_1_last_used_date) || ' days).'\n end ||\n case\n when access_key_2_last_used_date is null then ' Access Key 2 never used.'\n else ' Access Key 2 used ' || to_char(access_key_2_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - access_key_2_last_used_date) || ' days).'\n end as reason\n \nfrom\n aws_iam_credential_report\nwhere\n user_name = '';"
PrimaryTable: aws_iam_credential_report
ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_1_8.yaml b/compliance/controls/aws/aws_cis_v300_1_8.yaml
index 1efd849b1..900910c2d 100755
--- a/compliance/controls/aws/aws_cis_v300_1_8.yaml
+++ b/compliance/controls/aws/aws_cis_v300_1_8.yaml
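Review bot: In the aws_cis_v300_1_7 query carried verbatim onto the new side, the access-key branches compare with `<=` while the password branch compares with `>=`: `when access_key_1_last_used_date <= (current_date - interval '90' day) then 'alarm'` fires when the key was last used more than 90 days ago and stays `ok` for a root key used yesterday, which appears to be the opposite of what the control title and the password branch intend. If recent root activity is what should alarm, both key branches should read `when access_key_1_last_used_date >= (current_date - interval '90' day) then 'alarm'` (and likewise for `access_key_2_last_used_date`). Worth confirming against the semantics of the `aws_iam_credential_report` columns before changing, since the `reason` text already reports the age in days either way.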
@@ -1,8 +1,6 @@
ID: aws_cis_v300_1_8
Title: "1.8 Ensure IAM password policy requires minimum length of 14 or greater"
Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
PrimaryTable: aws_account
ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_2_1_1.yaml b/compliance/controls/aws/aws_cis_v300_2_1_1.yaml
index df945c6fc..f0c08c153 100755
--- a/compliance/controls/aws/aws_cis_v300_2_1_1.yaml
+++ b/compliance/controls/aws/aws_cis_v300_2_1_1.yaml
@@ -1,8 +1,6 @@
ID: aws_cis_v300_2_1_1
Title: "2.1.1 Ensure S3 Bucket Policy is set to deny HTTP requests"
Description: "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,7 +23,7 @@ Query:
and s ->> 'Effect' = 'Deny'
and ssl :: bool = false
)
-
+
select
b.arn as resource,
b.og_account_id as og_account_id,
@@ -43,7 +41,9 @@ Query:
left join ssl_ok as ok on ok.name = b.name;
PrimaryTable: aws_s3_bucket
ListOfTables:
- - aws_s3_bucket
+ - aws_s3_bucket
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_2_1_2.yaml b/compliance/controls/aws/aws_cis_v300_2_1_2.yaml
index 6b169b8a2..a6a1b122b 100755
--- a/compliance/controls/aws/aws_cis_v300_2_1_2.yaml
+++ b/compliance/controls/aws/aws_cis_v300_2_1_2.yaml
@@ -1,30 +1,14 @@
ID: aws_cis_v300_2_1_2
Title: "2.1.2 Ensure MFA Delete is enabled on S3 buckets"
Description: "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when versioning_mfa_delete then 'ok'
- else 'alarm'
- end as status,
- case
- when versioning_mfa_delete then name || ' MFA delete enabled.'
- else name || ' MFA delete disabled.'
- end as reason
-
-
- from
- aws_s3_bucket;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when versioning_mfa_delete then 'ok'\n else 'alarm'\n end as status,\n case\n when versioning_mfa_delete then name || ' MFA delete enabled.'\n else name || ' MFA delete disabled.'\n end as reason\n \n \nfrom\n aws_s3_bucket;"
PrimaryTable: aws_s3_bucket
ListOfTables:
- - aws_s3_bucket
+ - aws_s3_bucket
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_2_1_3.yaml b/compliance/controls/aws/aws_cis_v300_2_1_3.yaml
index 43ab5b2c1..f9752893c 100755
--- a/compliance/controls/aws/aws_cis_v300_2_1_3.yaml
+++ b/compliance/controls/aws/aws_cis_v300_2_1_3.yaml
@@ -1,8 +1,6 @@
ID: aws_cis_v300_2_1_3
Title: "2.1.3 Ensure all data in Amazon S3 has been discovered, classified and secured when required"
Description: "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -33,8 +31,10 @@ Query:
left join bucket_list as l on b.name = l.bucket_name;
PrimaryTable: aws_s3_bucket
ListOfTables:
- - aws_macie2_classification_job
- - aws_s3_bucket
+ - aws_macie2_classification_job
+ - aws_s3_bucket
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_2_2_1.yaml b/compliance/controls/aws/aws_cis_v300_2_2_1.yaml
index 7fa52aead..9672591b0 100755
--- a/compliance/controls/aws/aws_cis_v300_2_2_1.yaml
+++ b/compliance/controls/aws/aws_cis_v300_2_2_1.yaml
@@ -1,8 +1,6 @@
ID: aws_cis_v300_2_2_1
Title: "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions"
Description: "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
aws_ebs_volume;
PrimaryTable: aws_ebs_volume
ListOfTables:
- - aws_ebs_volume
+ - aws_ebs_volume
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_2_3_1.yaml b/compliance/controls/aws/aws_cis_v300_2_3_1.yaml
index 41103418c..72105f004 100755
--- a/compliance/controls/aws/aws_cis_v300_2_3_1.yaml
+++ b/compliance/controls/aws/aws_cis_v300_2_3_1.yaml
@@ -1,30 +1,14 @@
ID: aws_cis_v300_2_3_1
Title: "2.3.1 Ensure that encryption-at-rest is enabled for RDS Instances"
Description: "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when storage_encrypted then 'ok'
- else 'alarm'
- end as status,
- case
- when storage_encrypted then title || ' encrypted at rest.'
- else title || ' not encrypted at rest.'
- end as reason
-
-
- from
- aws_rds_db_instance;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_rds_db_instance;"
PrimaryTable: aws_rds_db_instance
ListOfTables:
- - aws_rds_db_instance
+ - aws_rds_db_instance
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_2_3_2.yaml b/compliance/controls/aws/aws_cis_v300_2_3_2.yaml
index 156ef4e0c..6b3416597 100755
--- a/compliance/controls/aws/aws_cis_v300_2_3_2.yaml
+++ b/compliance/controls/aws/aws_cis_v300_2_3_2.yaml
@@ -1,8 +1,6 @@
ID: aws_cis_v300_2_3_2
Title: "2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances"
Description: "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
aws_rds_db_instance;
PrimaryTable: aws_rds_db_instance
ListOfTables:
- - aws_rds_db_instance
+ - aws_rds_db_instance
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_2_3_3.yaml b/compliance/controls/aws/aws_cis_v300_2_3_3.yaml
index a0736e272..2729d8eb8 100755
--- a/compliance/controls/aws/aws_cis_v300_2_3_3.yaml
+++ b/compliance/controls/aws/aws_cis_v300_2_3_3.yaml
@@ -1,30 +1,14 @@
ID: aws_cis_v300_2_3_3
Title: "2.3.3 Ensure that public access is not given to RDS Instance"
Description: "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when publicly_accessible then 'alarm'
- else 'ok'
- end status,
- case
- when publicly_accessible then title || ' publicly accessible.'
- else title || ' not publicly accessible.'
- end reason
-
-
- from
- aws_rds_db_instance;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when publicly_accessible then 'alarm'\n else 'ok'\n end status,\n case\n when publicly_accessible then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end reason\n \n \nfrom\n aws_rds_db_instance;"
PrimaryTable: aws_rds_db_instance
ListOfTables:
- - aws_rds_db_instance
+ - aws_rds_db_instance
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_2_4_1.yaml b/compliance/controls/aws/aws_cis_v300_2_4_1.yaml
index 96a0f523e..7c7a5fa16 100755
--- a/compliance/controls/aws/aws_cis_v300_2_4_1.yaml
+++ b/compliance/controls/aws/aws_cis_v300_2_4_1.yaml
@@ -1,30 +1,14 @@
ID: aws_cis_v300_2_4_1
Title: "2.4.1 Ensure that encryption is enabled for EFS file systems"
Description: "EFS data should be encrypted at rest using AWS KMS (Key Management Service)."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when encrypted then 'ok'
- else 'alarm'
- end as status,
- case
- when encrypted then title || ' encrypted at rest.'
- else title || ' not encrypted at rest.'
- end as reason
-
-
- from
- aws_efs_file_system;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_efs_file_system;"
PrimaryTable: aws_efs_file_system
ListOfTables:
- - aws_efs_file_system
+ - aws_efs_file_system
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_3_2.yaml b/compliance/controls/aws/aws_cis_v300_3_2.yaml
index 3ee4e9c72..f7104d69a 100755
--- a/compliance/controls/aws/aws_cis_v300_3_2.yaml
+++ b/compliance/controls/aws/aws_cis_v300_3_2.yaml
@@ -1,32 +1,14 @@
ID: aws_cis_v300_3_2
Title: "3.2 Ensure CloudTrail log file validation is enabled"
Description: "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when log_file_validation_enabled then 'ok'
- else 'alarm'
- end as status,
- case
- when log_file_validation_enabled then title || ' log file validation enabled.'
- else title || ' log file validation disabled.'
- end as reason
-
-
- from
- aws_cloudtrail_trail
- where
- region = home_region;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_file_validation_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when log_file_validation_enabled then title || ' log file validation enabled.'\n else title || ' log file validation disabled.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;"
PrimaryTable: aws_cloudtrail_trail
ListOfTables:
- - aws_cloudtrail_trail
+ - aws_cloudtrail_trail
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_3_3.yaml b/compliance/controls/aws/aws_cis_v300_3_3.yaml
index 8581857e3..c5c30ca00 100755
--- a/compliance/controls/aws/aws_cis_v300_3_3.yaml
+++ b/compliance/controls/aws/aws_cis_v300_3_3.yaml
@@ -1,71 +1,15 @@
ID: aws_cis_v300_3_3
Title: "3.3 Ensure AWS Config is enabled in all regions"
Description: "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- -- pgFormatter-ignore
- -- Get count for any region with all matching criteria
- with global_recorders as (
- select
- count(*) as global_config_recorders
- from
- aws_config_configuration_recorder
- where
- recording_group -> 'IncludeGlobalResourceTypes' = 'true'
- and recording_group -> 'AllSupported' = 'true'
- and status ->> 'Recording' = 'true'
- and status ->> 'LastStatus' = 'SUCCESS'
- )
- select
- 'arn:aws::' || a.region || ':' || a.account_id as resource,
- r.og_account_id as og_account_id,
- r.og_resource_id as og_resource_id,
- case
- -- When any of the region satisfies with above CTE
- -- In left join of table, regions now having
- -- 'Recording' and 'LastStatus' matching criteria can be considered as OK
- when
- g.global_config_recorders >= 1
- and status ->> 'Recording' = 'true'
- and status ->> 'LastStatus' = 'SUCCESS'
- then 'ok'
- -- Skip any regions that are disabled in the account.
- when a.opt_in_status = 'not-opted-in' then 'skip'
- else 'alarm'
- end as status,
- -- Below cases are for citing respective reasons for control state
- case
- when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'
- else
- case
- when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,'
- else a.region || ' IncludeGlobalResourceTypes disabled,'
- end ||
- case
- when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'
- else ' AllSupported disabled,'
- end ||
- case
- when status ->> 'Recording' = 'true' then ' Recording enabled'
- else ' Recording disabled'
- end ||
- case
- when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'
- else ' and LastStatus is not SUCCESS.'
- end
- end as reason
-
- from
- global_recorders as g,
- aws_region as a
- left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;
+ QueryToExecute: "-- pgFormatter-ignore\n-- Get count for any region with all matching criteria\nwith global_recorders as (\n select\n count(*) as global_config_recorders\n from\n aws_config_configuration_recorder\n where\n recording_group -> 'IncludeGlobalResourceTypes' = 'true'\n and recording_group -> 'AllSupported' = 'true'\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n)\nselect\n 'arn:aws::' || a.region || ':' || a.account_id as resource,\nr.og_account_id as og_account_id,\nr.og_resource_id as og_resource_id,\n case\n -- When any of the region satisfies with above CTE\n -- In left join of table, regions now having\n -- 'Recording' and 'LastStatus' matching criteria can be considered as OK\n when\n g.global_config_recorders >= 1\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n then 'ok'\n -- Skip any regions that are disabled in the account.\n when a.opt_in_status = 'not-opted-in' then 'skip'\n else 'alarm'\n end as status,\n -- Below cases are for citing respective reasons for control state\n case\n when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'\n else\n case\n when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then 
a.region || ' IncludeGlobalResourceTypes enabled,'\n else a.region || ' IncludeGlobalResourceTypes disabled,'\n end ||\n case\n when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'\n else ' AllSupported disabled,'\n end ||\n case\n when status ->> 'Recording' = 'true' then ' Recording enabled'\n else ' Recording disabled'\n end ||\n case\n when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'\n else ' and LastStatus is not SUCCESS.'\n end\n end as reason\n \nfrom\n global_recorders as g,\n aws_region as a\n left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;"
PrimaryTable: aws_config_configuration_recorder
ListOfTables:
- - aws_config_configuration_recorder
- - aws_region
+ - aws_config_configuration_recorder
+ - aws_region
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_3_4.yaml b/compliance/controls/aws/aws_cis_v300_3_4.yaml
index 7d2318d61..d867c6760 100755
--- a/compliance/controls/aws/aws_cis_v300_3_4.yaml
+++ b/compliance/controls/aws/aws_cis_v300_3_4.yaml
@@ -1,8 +1,6 @@
ID: aws_cis_v300_3_4
Title: "3.4 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket"
Description: "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
t.region = t.home_region;
PrimaryTable: aws_cloudtrail_trail
ListOfTables:
- - aws_cloudtrail_trail
- - aws_s3_bucket
+ - aws_cloudtrail_trail
+ - aws_s3_bucket
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
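Review bot: In the aws_cis_v300_3_3 query on the new side, `og_account_id` and `og_resource_id` are taken from the left-joined recorder alias (`r.og_account_id as og_account_id`), so every region that has no configuration recorder — exactly the rows that evaluate to `alarm` — is emitted with null `og_account_id`/`og_resource_id` even though `resource` is built from `a.region` and `a.account_id`. If the engine keys or attributes findings by these columns, the alarm rows are the ones most likely to be dropped or mis-attributed; presumably they should come from the `aws_region` side (or be coalesced with it) if that table carries them — worth confirming. The rewrite also lost the indentation in front of those two columns (`\nr.og_account_id`), harmless to the SQL but a sign the string was hand-edited rather than generated.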
diff --git a/compliance/controls/aws/aws_cis_v300_3_5.yaml b/compliance/controls/aws/aws_cis_v300_3_5.yaml
index 54520cd22..50890fd8b 100755
--- a/compliance/controls/aws/aws_cis_v300_3_5.yaml
+++ b/compliance/controls/aws/aws_cis_v300_3_5.yaml
@@ -1,32 +1,14 @@
ID: aws_cis_v300_3_5
Title: "3.5 Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
Description: "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when kms_key_id is null then 'alarm'
- else 'ok'
- end as status,
- case
- when kms_key_id is null then title || ' logs are not encrypted at rest.'
- else title || ' logs are encrypted at rest.'
- end as reason
-
-
- from
- aws_cloudtrail_trail
- where
- region = home_region;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_key_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_key_id is null then title || ' logs are not encrypted at rest.'\n else title || ' logs are encrypted at rest.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;"
PrimaryTable: aws_cloudtrail_trail
ListOfTables:
- - aws_cloudtrail_trail
+ - aws_cloudtrail_trail
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_3_6.yaml b/compliance/controls/aws/aws_cis_v300_3_6.yaml
index 73d6c42e0..507f7bfbb 100755
--- a/compliance/controls/aws/aws_cis_v300_3_6.yaml
+++ b/compliance/controls/aws/aws_cis_v300_3_6.yaml
@@ -1,8 +1,6 @@
ID: aws_cis_v300_3_6
Title: "3.6 Ensure rotation for customer-created symmetric CMKs is enabled"
Description: "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the customercreated customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK"
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -30,7 +28,9 @@ Query:
key_manager = 'CUSTOMER';
PrimaryTable: aws_kms_key
ListOfTables:
- - aws_kms_key
+ - aws_kms_key
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_3_8.yaml b/compliance/controls/aws/aws_cis_v300_3_8.yaml
index 738b1f96c..4de466397 100755
--- a/compliance/controls/aws/aws_cis_v300_3_8.yaml
+++ b/compliance/controls/aws/aws_cis_v300_3_8.yaml
@@ -1,59 +1,15 @@
ID: aws_cis_v300_3_8
Title: "3.8 Ensure that Object-level logging for write events is enabled for S3 bucket"
Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with s3_selectors as
- (
- select
- name as trail_name,
- is_multi_region_trail,
- bucket_selector,
- og_account_id,
- og_resource_id
- from
- aws_cloudtrail_trail,
- jsonb_array_elements(event_selectors) as event_selector,
- jsonb_array_elements(event_selector -> 'DataResources') as data_resource,
- jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector
- where
- is_multi_region_trail
- and data_resource ->> 'Type' = 'AWS::S3::Object'
- and event_selector ->> 'ReadWriteType' in
- (
- 'WriteOnly',
- 'All'
- )
- )
- select
- b.arn as resource,
- b.og_account_id as og_account_id,
- b.og_resource_id as og_resource_id,
- case
- when count(bucket_selector) > 0 then 'ok'
- else 'alarm'
- end as status,
- case
- when count(bucket_selector) > 0 then b.name || ' object-level write events logging enabled.'
- else b.name || ' object-level write events logging disabled.'
- end as reason
-
-
- from
- aws_s3_bucket as b
- left join
- s3_selectors
- on bucket_selector like (b.arn || '%')
- or bucket_selector = 'arn:aws:s3'
- group by
- b.account_id, b.og_account_id, b.og_resource_id, b.region, b.arn, b.name, b.tags, b._ctx;
+ QueryToExecute: "with s3_selectors as\n(\n select\n name as trail_name,\n is_multi_region_trail,\n bucket_selector,\n og_account_id,\n og_resource_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as event_selector,\n jsonb_array_elements(event_selector -> 'DataResources') as data_resource,\n jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector\n where\n is_multi_region_trail\n and data_resource ->> 'Type' = 'AWS::S3::Object'\n and event_selector ->> 'ReadWriteType' in\n (\n 'WriteOnly',\n 'All'\n )\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when count(bucket_selector) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(bucket_selector) > 0 then b.name || ' object-level write events logging enabled.'\n else b.name || ' object-level write events logging disabled.'\n end as reason\n \n \nfrom\n aws_s3_bucket as b\n left join\n s3_selectors\n on bucket_selector like (b.arn || '%')\n or bucket_selector = 'arn:aws:s3'\ngroup by\n b.account_id, b.og_account_id, b.og_resource_id, b.region, b.arn, b.name, b.tags, b._ctx;"
PrimaryTable: aws_s3_bucket
ListOfTables:
- - aws_cloudtrail_trail
- - aws_s3_bucket
+ - aws_cloudtrail_trail
+ - aws_s3_bucket
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_3_9.yaml b/compliance/controls/aws/aws_cis_v300_3_9.yaml
index efb04c7ef..56a991b04 100755
--- a/compliance/controls/aws/aws_cis_v300_3_9.yaml
+++ b/compliance/controls/aws/aws_cis_v300_3_9.yaml
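Review bot: In the aws_cis_v300_3_8 join on the new side, `on bucket_selector like (b.arn || '%')` is a plain prefix match, so a data-event selector scoped to one bucket also satisfies every bucket whose ARN is a prefix of it (constructed example: a selector for `arn:aws:s3:::logs-archive/` matches the bucket `arn:aws:s3:::logs`), and that bucket is then reported as `ok` although no trail logs its object-level writes. A tighter match such as `on bucket_selector = b.arn || '/' or bucket_selector like (b.arn || '/%') or bucket_selector = 'arn:aws:s3'` would only accept selectors that name the bucket itself or a prefix inside it; confirm first which forms the collector stores in `DataResources.Values` before changing it. The aws_cis_v300_3_9 hunk in this commit shows only the tail of its query, so whether it has the same join cannot be seen here.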
@@ -1,8 +1,6 @@
ID: aws_cis_v300_3_9
Title: "3.9 Ensure that Object-level logging for read events is enabled for S3 bucket"
Description: "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -50,8 +48,10 @@ Query:
b.account_id, b.og_account_id, b.og_resource_id, b.region, b.arn, b.name, b.tags, b._ctx;
PrimaryTable: aws_s3_bucket
ListOfTables:
- - aws_cloudtrail_trail
- - aws_s3_bucket
+ - aws_cloudtrail_trail
+ - aws_s3_bucket
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cis_v300_4_11.yaml b/compliance/controls/aws/aws_cis_v300_4_11.yaml
index e7a2cf607..8620ca2ba 100755
--- a/compliance/controls/aws/aws_cis_v300_4_11.yaml
+++ b/compliance/controls/aws/aws_cis_v300_4_11.yaml
@@ -1,8 +1,6 @@
ID: aws_cis_v300_4_11
Title: "4.11 Ensure Network Access Control Lists (NACL) changes are monitored"
Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_4_12.yaml b/compliance/controls/aws/aws_cis_v300_4_12.yaml index 47173d219..93b17a446 100755 --- a/compliance/controls/aws/aws_cis_v300_4_12.yaml +++ b/compliance/controls/aws/aws_cis_v300_4_12.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_4_12 Title: "4.12 Ensure changes to network gateways are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_4_14.yaml b/compliance/controls/aws/aws_cis_v300_4_14.yaml index dd747fcc1..f8895e804 100755 --- a/compliance/controls/aws/aws_cis_v300_4_14.yaml 
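Review bot: `PrimaryTable: aws_cloudtrail_trail` in aws_cis_v300_4_12 looks inconsistent with its own query, whose visible tail `left join filter_data as f on a.account_id = f.account_id;` drives off an alias `a`, and with aws_cis_v300_4_11, which has the identical tail and declares `PrimaryTable: aws_account`. If `a` is `aws_account` (its definition is above the hunk), `PrimaryTable: aws_account` is the correct value here, and the same discrepancy appears in the aws_cis_v300_4_14 hunk that follows. Worth confirming against how the engine uses PrimaryTable before merging, since the commit touches these lines only to re-indent the list beneath them.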
+++ b/compliance/controls/aws/aws_cis_v300_4_14.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_4_14 Title: "4.14 Ensure VPC changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -86,11 +84,13 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_sns_topic_subscription - - aws_cloudwatch_log_metric_filter - - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_sns_topic_subscription + - aws_cloudwatch_log_metric_filter + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_5_2.yaml b/compliance/controls/aws/aws_cis_v300_5_2.yaml index d09b53dbe..42db5cec3 100755 --- a/compliance/controls/aws/aws_cis_v300_5_2.yaml +++ b/compliance/controls/aws/aws_cis_v300_5_2.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_5_2 Title: "5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports" Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -66,8 +64,10 @@ Query: left join bad_rules on bad_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_5_3.yaml b/compliance/controls/aws/aws_cis_v300_5_3.yaml index ab78774fa..9dec4335d 100755 --- a/compliance/controls/aws/aws_cis_v300_5_3.yaml +++ b/compliance/controls/aws/aws_cis_v300_5_3.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_5_3 Title: "5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports" Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -50,8 +48,10 @@ Query: left join bad_rules on bad_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_5_5.yaml b/compliance/controls/aws/aws_cis_v300_5_5.yaml index bf0cb34b2..ef9253f54 100755 --- a/compliance/controls/aws/aws_cis_v300_5_5.yaml +++ b/compliance/controls/aws/aws_cis_v300_5_5.yaml 
@@ -1,23 +1,14 @@ ID: aws_cis_v300_5_5 Title: "5.5 Ensure routing tables for VPC peering are \\\"least access\\\"" Description: "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'info' as status, - 'Manual verification required.' as reason - - from - aws_account; + QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'info' as status,\n 'Manual verification required.' as reason\n \nfrom\n aws_account;" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cis_v300_5_6.yaml b/compliance/controls/aws/aws_cis_v300_5_6.yaml index d927906ef..3636d4b10 100755 --- a/compliance/controls/aws/aws_cis_v300_5_6.yaml +++ b/compliance/controls/aws/aws_cis_v300_5_6.yaml @@ -1,8 +1,6 @@ ID: aws_cis_v300_5_6 Title: "5.6 Ensure that EC2 Metadata Service only allows IMDSv2" Description: "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_ec2_instance; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
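Review bot: Rewriting `QueryToExecute` from a `|-` block scalar into one double-quoted line with embedded `\n` escapes makes the SQL unreadable and undiffable: a one-token change to the query will now show up as a rewrite of a several-hundred-character line, and the serializer has also baked the original trailing whitespace into the value (`reason\n \nfrom`). The value is semantically identical, so the readable form should be kept: `QueryToExecute: |-` followed by the indented SQL exactly as the removed lines had it. This looks like the output of a YAML dumper run over the files rather than an intentional edit; the same conversion appears in the hunks for aws_cloudformation_stack_drift_detection_check, aws_cloudformation_stack_notifications_enabled, aws_cloudformation_stack_rollback_enabled, aws_cloudfront_distribution_configured_with_origin_failover, aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled, aws_cloudfront_distribution_default_root_object_configured, aws_cloudfront_distribution_encryption_in_transit_enabled, aws_cloudfront_distribution_geo_restrictions_enabled and aws_cloudfront_distribution_logging_enabled.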
diff --git a/compliance/controls/aws/aws_cloudformation_stack_drift_detection_check.yaml b/compliance/controls/aws/aws_cloudformation_stack_drift_detection_check.yaml
index 620cb87d1..6c5b2d877 100755
--- a/compliance/controls/aws/aws_cloudformation_stack_drift_detection_check.yaml
+++ b/compliance/controls/aws/aws_cloudformation_stack_drift_detection_check.yaml
@@ -1,42 +1,24 @@ ID: aws_cloudformation_stack_drift_detection_check Title: "CloudFormation stacks differ from the expected configuration" Description: "Ensure that the actual configuration of a Cloud Formation stack differs, or has drifted, from the expected configuration, a stack is considered to have drifted if one or more of its resources differ from their expected configuration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when stack_drift_status = 'IN_SYNC' then 'ok' - when stack_drift_status = 'DRIFTED' then 'alarm' - else 'skip' - end as status, - case - when stack_drift_status = 'IN_SYNC' then title || ' drift status is ' || stack_drift_status || '.' - when stack_drift_status = 'DRIFTED' then title || ' drift status is ' || stack_drift_status || '.' - else title || ' drift status is ' || stack_drift_status || '.' - end as reason - - , region, account_id - from - aws_cloudformation_stack; + QueryToExecute: "select\n id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when stack_drift_status = 'IN_SYNC' then 'ok'\n when stack_drift_status = 'DRIFTED' then 'alarm'\n else 'skip'\n end as status,\n case\n when stack_drift_status = 'IN_SYNC' then title || ' drift status is ' || stack_drift_status || '.'\n when stack_drift_status = 'DRIFTED' then title || ' drift status is ' || stack_drift_status || '.'\n else title || ' drift status is ' || stack_drift_status || '.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudformation_stack;\n" PrimaryTable: aws_cloudformation_stack ListOfTables: - - aws_cloudformation_stack + - aws_cloudformation_stack Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/CloudFormation + - AWS/CloudFormation 
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cloudformation_stack_notifications_enabled.yaml b/compliance/controls/aws/aws_cloudformation_stack_notifications_enabled.yaml
index 595eec345..2f683f50a 100755
--- a/compliance/controls/aws/aws_cloudformation_stack_notifications_enabled.yaml
+++ b/compliance/controls/aws/aws_cloudformation_stack_notifications_enabled.yaml
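Review bot: In the drift-detection query the `else` branch of the reason CASE concatenates `stack_drift_status` directly, so if the column is NULL (for example, drift detection never run on the stack) `||` yields NULL and the finding is emitted with status `skip` and no reason text; `coalesce(stack_drift_status, 'not checked')` in that branch avoids the empty reason. The three reason branches are also textually identical, so the whole expression can collapse to a single `title || ' drift status is ' || coalesce(stack_drift_status, 'not checked') || '.' as reason`. Whether the column can actually be NULL depends on the collector, which is not visible here.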
@@ -1,42 +1,26 @@ ID: aws_cloudformation_stack_notifications_enabled Title: "CloudFormation stacks should have notifications enabled" Description: "Ensure CloudFormation stacks are associated with an SNS topic to receive notifications when an event occurs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(notification_arns) > 0 then 'ok' - else 'alarm' - end as status, - case - when jsonb_array_length(notification_arns) > 0 then title || ' notifications enabled.' - else title || ' notifications disabled.' - end as reason - - , region, account_id - from - aws_cloudformation_stack; + QueryToExecute: "select\n id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(notification_arns) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when jsonb_array_length(notification_arns) > 0 then title || ' notifications enabled.'\n else title || ' notifications disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudformation_stack;\n" PrimaryTable: aws_cloudformation_stack ListOfTables: - - aws_cloudformation_stack + - aws_cloudformation_stack Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - application_monitoring + - application_monitoring foundational_security_item_id: - - cloudformation_1 + - cloudformation_1 plugin: - - aws + - aws service: - - AWS/CloudFormation + - AWS/CloudFormation +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml b/compliance/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml index 0d417d593..9d12e2b30 100755 --- a/compliance/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml 
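Review bot: `jsonb_array_length(notification_arns)` aborts the query with an error instead of producing a verdict if `notification_arns` is ever stored as a JSON object or scalar, whereas the CloudFront controls in this same diff wrap such calls in `jsonb_typeof(...) = 'array'`; a NULL column correctly ends up as `alarm`. A consistent guard, `when jsonb_typeof(notification_arns) = 'array' and jsonb_array_length(notification_arns) > 0 then 'ok'` in both CASE expressions, keeps one malformed row from failing the whole control. Whether the collector can emit a non-array here is not visible in the hunk.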
+++ b/compliance/controls/aws/aws_cloudformation_stack_output_no_secrets.yaml @@ -1,8 +1,6 @@ ID: aws_cloudformation_stack_output_no_secrets Title: "CloudFormation stacks outputs should not have any secrets" Description: "Ensure CloudFormation stacks outputs do not contain secrets like user names, passwords, and tokens. It is recommended to remove secrets since outputs cannot be encrypted resulting in any entity with basic read-metadata-only and access to CloudFormation outputs having access to these secrets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -50,7 +48,9 @@ Query: left join stack_with_secrets as s on c.id = s.id PrimaryTable: aws_cloudformation_stack ListOfTables: - - aws_cloudformation_stack + - aws_cloudformation_stack Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudformation_stack_rollback_enabled.yaml b/compliance/controls/aws/aws_cloudformation_stack_rollback_enabled.yaml index 6d4a42f2f..ad8d07c9b 100755 --- a/compliance/controls/aws/aws_cloudformation_stack_rollback_enabled.yaml +++ b/compliance/controls/aws/aws_cloudformation_stack_rollback_enabled.yaml 
@@ -1,30 +1,14 @@ ID: aws_cloudformation_stack_rollback_enabled Title: "CloudFormation stacks should have rollback enabled" Description: "Ensure CloudFormation stacks have the rollback feature enabled. Rollback triggers enable you to have AWS CloudFormation monitor the state of your application during stack creation and updating, and to rollback that operation if the application breaches the threshold of any of the alarms you've specified." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when not disable_rollback then 'ok' - else 'alarm' - end as status, - case - when not disable_rollback then title || ' rollback enabled.' - else title || ' rollback disabled.' - end as reason - - - from - aws_cloudformation_stack; + QueryToExecute: "select\n id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when not disable_rollback then 'ok'\n else 'alarm'\n end as status,\n case\n when not disable_rollback then title || ' rollback enabled.'\n else title || ' rollback disabled.'\n end as reason\n \n \nfrom\n aws_cloudformation_stack;" PrimaryTable: aws_cloudformation_stack ListOfTables: - - aws_cloudformation_stack + - aws_cloudformation_stack Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudformation_stack_termination_protection_enabled.yaml b/compliance/controls/aws/aws_cloudformation_stack_termination_protection_enabled.yaml index 1dd7951d3..b8fc661ca 100755 --- a/compliance/controls/aws/aws_cloudformation_stack_termination_protection_enabled.yaml +++ b/compliance/controls/aws/aws_cloudformation_stack_termination_protection_enabled.yaml 
@@ -1,8 +1,6 @@ ID: aws_cloudformation_stack_termination_protection_enabled Title: "Cloudformation stacks termination protection should be enabled" Description: "Ensure that AWS CloudFormation stacks have termination protection feature enabled in order to protect them from being accidentally deleted. The safety feature can be enabled when you create the CloudFormation stack or for existing stacks using the AWS API (UpdateTerminationProtection command)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_cloudformation_stack; PrimaryTable: aws_cloudformation_stack ListOfTables: - - aws_cloudformation_stack + - aws_cloudformation_stack Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_configured_with_origin_failover.yaml b/compliance/controls/aws/aws_cloudfront_distribution_configured_with_origin_failover.yaml index e6fe34007..86593e1a1 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_configured_with_origin_failover.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_configured_with_origin_failover.yaml 
@@ -1,42 +1,26 @@ ID: aws_cloudfront_distribution_configured_with_origin_failover Title: "CloudFront distributions should have origin failover configured" Description: "This control checks whether an AWS CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when origin_groups ->> 'Items' is not null then 'ok' - else 'alarm' - end as status, - case - when origin_groups ->> 'Items' is not null then title || ' origin group is configured.' - else title || ' origin group not configured.' - end as reason - - , region, account_id - from - aws_cloudfront_distribution; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when origin_groups ->> 'Items' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when origin_groups ->> 'Items' is not null then title || ' origin group is configured.'\n else title || ' origin group not configured.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudfront_distribution;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - high_availability + - high_availability foundational_security_item_id: - - cloudfront_4 + - cloudfront_4 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud 
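Review bot: `origin_groups ->> 'Items' is not null` passes a distribution whose `Items` key is present but empty (`->>` returns the text `[]`, which is not NULL), and it never checks that a group holds the two or more origins the Description requires; only a NULL `origin_groups` column lands on `alarm`. Tightening both the status and reason conditions to `when jsonb_typeof(origin_groups -> 'Items') = 'array' and jsonb_array_length(origin_groups -> 'Items') > 0 then 'ok'` closes the empty-list case while staying safe on non-array values, matching the `jsonb_typeof` guard the neighbouring CloudFront controls already use. Whether the collector ever emits an empty `Items` list is not visible from here.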
diff --git a/compliance/controls/aws/aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled.yaml
index 76e5b9bc6..06fc5050b 100755
--- a/compliance/controls/aws/aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled.yaml
+++ b/compliance/controls/aws/aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled.yaml
@@ -1,70 +1,26 @@ ID: aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled Title: "CloudFront distributions should encrypt traffic to custom origins" Description: "This control checks if AWS CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol policy allows 'http-only'. This control also fails if the distribution's origin protocol policy is 'match-viewer' while the viewer protocol policy is 'allow-all'." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with viewer_protocol_policy_value as ( - select - distinct arn - from - aws_cloudfront_distribution, - jsonb_array_elements( - case jsonb_typeof(cache_behaviors -> 'Items') - when 'array' then (cache_behaviors -> 'Items') - else null end - ) as cb - where - cb ->> 'ViewerProtocolPolicy' = 'allow-all' - ), - origin_protocol_policy_value as ( - select - distinct arn, - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy - from - aws_cloudfront_distribution, - jsonb_array_elements(origins) as o - where - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only' - or o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer' - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when o.arn is not null and o.origin_protocol_policy = 'http-only' then 'alarm' - when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then 'alarm' - else 'ok' - end as status, - case - when o.arn is not null and o.origin_protocol_policy = 'http-only' then title || ' custom origins traffic not encrypted in transit.' 
- when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then title || ' custom origins traffic not encrypted in transit.' - else title || ' custom origins traffic encrypted in transit.' - end as reason - - , region, account_id - from - aws_cloudfront_distribution as b - left join origin_protocol_policy_value as o on b.arn = o.arn - left join viewer_protocol_policy_value as v on b.arn = v.arn; + QueryToExecute: "with viewer_protocol_policy_value as (\n select\n distinct arn\n from\n aws_cloudfront_distribution,\n jsonb_array_elements(\n case jsonb_typeof(cache_behaviors -> 'Items')\n when 'array' then (cache_behaviors -> 'Items')\n else null end\n ) as cb\n where\n cb ->> 'ViewerProtocolPolicy' = 'allow-all'\n),\norigin_protocol_policy_value as (\n select\n distinct arn,\n o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy\n from\n aws_cloudfront_distribution,\n jsonb_array_elements(origins) as o\n where\n o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only'\n or o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer'\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when o.arn is not null and o.origin_protocol_policy = 'http-only' then 'alarm'\n when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then 'alarm'\n else 'ok'\n end as status,\n case\n when o.arn is not null and o.origin_protocol_policy = 'http-only' then title || ' custom origins traffic not encrypted in transit.'\n when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then title || ' custom origins traffic not encrypted in transit.'\n else title || ' custom 
origins traffic encrypted in transit.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudfront_distribution as b\n left join origin_protocol_policy_value as o on b.arn = o.arn\n left join viewer_protocol_policy_value as v on b.arn = v.arn;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_in_transit + - encryption_of_data_in_transit foundational_security_item_id: - - cloudfront_9 + - cloudfront_9 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_default_root_object_configured.yaml b/compliance/controls/aws/aws_cloudfront_distribution_default_root_object_configured.yaml index 2c01dc6c5..b407273d4 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_default_root_object_configured.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_default_root_object_configured.yaml 
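Review bot: `origin_protocol_policy_value` keeps one row per (arn, policy), so a distribution that has both an `http-only` and a `match-viewer` custom origin joins twice and is reported twice — once as `alarm` and, depending on the viewer policy, possibly once as `ok` — which double-counts the resource and can contradict itself. Aggregating the CTE to one row per distribution with `bool_or` and testing those flags in the CASE expressions yields exactly one verdict per distribution while preserving the existing precedence (http-only first, then match-viewer combined with an allow-all viewer policy). The reason CASE, left out below, needs the same two predicates.
```yaml
  QueryToExecute: |-
    -- … unchanged: viewer_protocol_policy_value CTE …
    origin_protocol_policy_value as (
      select
        arn,
        bool_or(o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only') as has_http_only,
        bool_or(o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer') as has_match_viewer
      from
        aws_cloudfront_distribution,
        jsonb_array_elements(origins) as o
      group by
        arn
    )
    select
      b.arn as resource,
      b.og_account_id as og_account_id,
      b.og_resource_id as og_resource_id,
      case
        when o.has_http_only then 'alarm'
        when o.has_match_viewer and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then 'alarm'
        else 'ok'
      end as status,
      -- … unchanged: reason CASE with the same two predicates, region/account_id, from and joins …
```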
@@ -1,42 +1,26 @@ ID: aws_cloudfront_distribution_default_root_object_configured Title: "CloudFront distributions should have a default root object configured" Description: "This control checks whether an AWS CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when default_root_object = '' then 'alarm' - else 'ok' - end as status, - case - when default_root_object = '' then title || ' default root object not configured.' - else title || ' default root object configured.' - end as reason - - , region, account_id - from - aws_cloudfront_distribution; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when default_root_object = '' then 'alarm'\n else 'ok'\n end as status,\n case\n when default_root_object = '' then title || ' default root object not configured.'\n else title || ' default root object configured.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudfront_distribution;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: critical Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resources_not_publicly_accessible + - resources_not_publicly_accessible foundational_security_item_id: - - cloudfront_1 + - cloudfront_1 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud 
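Review bot: `when default_root_object = '' then 'alarm' else 'ok'` evaluates to `ok` when the column is NULL, because `NULL = ''` is NULL and falls through to the else branch, so a distribution with no default root object at all would pass a control marked `Severity: critical` if the collector stores an absent value as NULL rather than the empty string. `when coalesce(default_root_object, '') = '' then 'alarm'` in both CASE expressions makes the check fail-closed for either representation. The aws_cloudfront_distribution_geo_restrictions_enabled hunk has the same shape: a missing `restrictions -> 'GeoRestriction' ->> 'RestrictionType'` path yields NULL and therefore `ok`, and `coalesce(restrictions -> 'GeoRestriction' ->> 'RestrictionType', 'none') = 'none'` would close it.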
diff --git a/compliance/controls/aws/aws_cloudfront_distribution_encryption_in_transit_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_encryption_in_transit_enabled.yaml
index 250a0cb70..d646a99e2 100755
--- a/compliance/controls/aws/aws_cloudfront_distribution_encryption_in_transit_enabled.yaml
+++ b/compliance/controls/aws/aws_cloudfront_distribution_encryption_in_transit_enabled.yaml
@@ -1,56 +1,26 @@ ID: aws_cloudfront_distribution_encryption_in_transit_enabled Title: "CloudFront distributions should require encryption in transit" Description: "This control checks whether an AWS CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with data as ( - select - distinct arn - from - aws_cloudfront_distribution, - jsonb_array_elements( - case jsonb_typeof(cache_behaviors -> 'Items') - when 'array' then (cache_behaviors -> 'Items') - else null end - ) as cb - where - cb ->> 'ViewerProtocolPolicy' = 'allow-all' - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when d.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') then 'alarm' - else 'ok' - end as status, - case - when d.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') then title || ' data not encrypted in transit.' - else title || ' data encrypted in transit.' 
- end as reason - - , b.region, b.account_id - from - aws_cloudfront_distribution as b - left join data as d on b.arn = d.arn; + QueryToExecute: "with data as (\n select\n distinct arn\n from\n aws_cloudfront_distribution,\n jsonb_array_elements(\n case jsonb_typeof(cache_behaviors -> 'Items')\n when 'array' then (cache_behaviors -> 'Items')\n else null end\n ) as cb\n where\n cb ->> 'ViewerProtocolPolicy' = 'allow-all'\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when d.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') then 'alarm'\n else 'ok'\n end as status,\n case\n when d.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') then title || ' data not encrypted in transit.'\n else title || ' data encrypted in transit.'\n end as reason\n \n , b.region, b.account_id\nfrom\n aws_cloudfront_distribution as b\n left join data as d on b.arn = d.arn;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_in_transit + - encryption_of_data_in_transit foundational_security_item_id: - - cloudfront_3 + - cloudfront_3 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_field_level_encryption_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_field_level_encryption_enabled.yaml index f231a49f1..694cf4d7f 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_field_level_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_field_level_encryption_enabled.yaml 
@@ -1,8 +1,6 @@ ID: aws_cloudfront_distribution_field_level_encryption_enabled Title: "CloudFront distributions should have field level encryption enabled" Description: "This control checks whether an AWS CloudFront distribution has field-level encryption enabled. The control fails if CloudFront distribution field-level encryption is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_cloudfront_distribution; PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_geo_restrictions_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_geo_restrictions_enabled.yaml index 36c456836..c5b67d440 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_geo_restrictions_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_geo_restrictions_enabled.yaml 
@@ -1,30 +1,14 @@ ID: aws_cloudfront_distribution_geo_restrictions_enabled Title: "CloudFront distributions should have geo restriction enabled" Description: "Geographic restriction is used to restrict access to all of the files that are associated with a distribution at the country level." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when restrictions -> 'GeoRestriction' ->> 'RestrictionType' = 'none' then 'alarm' - else 'ok' - end as status, - case - when restrictions -> 'GeoRestriction' ->> 'RestrictionType' = 'none' then title || ' Geo Restriction disabled.' - else title || ' Geo Restriction enabled.' - end as reason - - - from - aws_cloudfront_distribution; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when restrictions -> 'GeoRestriction' ->> 'RestrictionType' = 'none' then 'alarm'\n else 'ok'\n end as status,\n case\n when restrictions -> 'GeoRestriction' ->> 'RestrictionType' = 'none' then title || ' Geo Restriction disabled.'\n else title || ' Geo Restriction enabled.'\n end as reason\n \n \nfrom\n aws_cloudfront_distribution;" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_latest_tls_version.yaml b/compliance/controls/aws/aws_cloudfront_distribution_latest_tls_version.yaml index d18c14cd7..fcf22fa1a 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_latest_tls_version.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_latest_tls_version.yaml 
@@ -1,8 +1,6 @@ ID: aws_cloudfront_distribution_latest_tls_version Title: "CloudFront distributions should have latest TLS version" Description: "This control checks whether CloudFront distribution uses latest TLS version." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_cloudfront_distribution; PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_logging_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_logging_enabled.yaml index 3630687e7..ad29c7b04 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_logging_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_logging_enabled.yaml 
@@ -1,44 +1,28 @@ ID: aws_cloudfront_distribution_logging_enabled Title: "CloudFront distributions access logs should be enabled" Description: "This control checks if AWS CloudFront distributions are configured to capture information from AWS Simple Storage Service (AWS S3) server access logs. This rule is non-compliant if a CloudFront distribution does not have logging configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when logging ->> 'Enabled' = 'true' then 'ok' - else 'alarm' - end as status, - case - when logging ->> 'Enabled' = 'true' then title || ' logging enabled.' - else title || ' logging disabled.' - end as reason - - , region, account_id - from - aws_cloudfront_distribution; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logging ->> 'Enabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when logging ->> 'Enabled' = 'true' then title || ' logging enabled.'\n else title || ' logging disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudfront_distribution;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_no_deprecated_ssl_protocol.yaml b/compliance/controls/aws/aws_cloudfront_distribution_no_deprecated_ssl_protocol.yaml index 9c4b46591..d78aa53d0 100755 
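Review bot: The Description on the new side says the control checks whether distributions "capture information from AWS Simple Storage Service (AWS S3) server access logs", but the query evaluates the distribution's own `logging ->> 'Enabled'` flag, i.e. CloudFront standard (access) logging, which is a different feature from S3 server access logging and will confuse anyone triaging a failure. Rewording it to `This control checks whether AWS CloudFront distributions have standard (access) logging enabled and delivered to an S3 bucket. The control fails if logging is not configured.` would describe what is actually evaluated. The same hunk also collapses `QueryToExecute` into a `\n`-escaped double-quoted scalar; a `|-` block scalar keeps the SQL diffable and avoids the stray single-space lines now embedded in the string.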
--- a/compliance/controls/aws/aws_cloudfront_distribution_no_deprecated_ssl_protocol.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_no_deprecated_ssl_protocol.yaml 
@@ -1,53 +1,26 @@ ID: aws_cloudfront_distribution_no_deprecated_ssl_protocol Title: "CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins" Description: "This control checks if AWS CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with origin_ssl_protocols as ( - select - distinct arn, - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy - from - aws_cloudfront_distribution, - jsonb_array_elements(origins) as o - where - o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["SSLv3"]' - ) - select - b.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when o.arn is null then 'ok' - else 'alarm' - end as status, - case - when o.arn is null then title || ' does not have deprecated SSL protocols.' - else title || ' has deprecated SSL protocols.' 
- end as reason - - , region, account_id - from - aws_cloudfront_distribution as b - left join origin_ssl_protocols as o on b.arn = o.arn; + QueryToExecute: "with origin_ssl_protocols as (\n select\n distinct arn,\n o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy\n from\n aws_cloudfront_distribution,\n jsonb_array_elements(origins) as o\n where\n o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '[\"SSLv3\"]'\n)\nselect\n b.arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when o.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when o.arn is null then title || ' does not have deprecated SSL protocols.'\n else title || ' has deprecated SSL protocols.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudfront_distribution as b\n left join origin_ssl_protocols as o on b.arn = o.arn;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_in_transit + - encryption_of_data_in_transit foundational_security_item_id: - - cloudfront_10 + - cloudfront_10 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_no_non_existent_s3_origin.yaml b/compliance/controls/aws/aws_cloudfront_distribution_no_non_existent_s3_origin.yaml index 928a9dd03..2d7549987 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_no_non_existent_s3_origin.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_no_non_existent_s3_origin.yaml 
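Review bot: The CTE in the new-side query computes `origin_protocol_policy` but never reads it, and the only protocol it alarms on is `SSLv3`, so an origin whose `OriginSslProtocols` is `["TLSv1"]` or `["TLSv1.1"]` passes with `does not have deprecated SSL protocols.` even though those versions are also deprecated; either drop the unused column, or, if the control is meant to track current guidance rather than only the Security Hub cloudfront_10 wording in the Description, widen the filter to `... -> 'Items' @> '["SSLv3"]' or ... -> 'Items' @> '["TLSv1"]' or ... -> 'Items' @> '["TLSv1.1"]'`. An origin with `OriginProtocolPolicy` of `http-only` never negotiates TLS at all and so is invisible to this check; since the policy is already selected, a dedicated control or a note in the Description that plaintext origins are out of scope would help readers. Converting the query to a double-quoted scalar also forced `\"SSLv3\"` escapes inside the JSON literal, which is easy to break on the next edit; a `|-` block scalar avoids the escaping entirely.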
@@ -1,8 +1,6 @@ ID: aws_cloudfront_distribution_no_non_existent_s3_origin Title: "CloudFront distributions should not point to non-existent S3 origins" Description: "This control checks whether AWS CloudFront distributions are pointing to non-existent AWS S3 origins. The control fails for a CloudFront distribution if the origin is configured to point to a non-existent bucket. This control only applies to CloudFront distributions where an S3 bucket without static website hosting is the S3 origin." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -40,27 +38,29 @@ Query: else concat(' point to non-existent S3 origin ', b.bucket_name_list #>> '{0}', '.') end end as reason - + , region, account_id from aws_cloudfront_distribution as d left join distribution_with_non_existent_bucket as b on b.arn = d.arn; PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution - - aws_s3_bucket + - aws_cloudfront_distribution + - aws_s3_bucket Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_configuration + - resource_configuration foundational_security_item_id: - - cloudfront_12 + - cloudfront_12 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_origin_access_identity_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_origin_access_identity_enabled.yaml index 6894dbcb9..aed42d7e9 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_origin_access_identity_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_origin_access_identity_enabled.yaml 
@@ -1,47 +1,26 @@ ID: aws_cloudfront_distribution_origin_access_identity_enabled Title: "CloudFront distributions should have origin access identity enabled" Description: "This control checks whether an AWS CloudFront distribution with AWS S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when o ->> 'DomainName' not like '%s3.amazonaws.com' then 'skip' - when o ->> 'DomainName' like '%s3.amazonaws.com' - and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then 'alarm' - else 'ok' - end as status, - case - when o ->> 'DomainName' not like '%s3.amazonaws.com' then title || ' origin type is not s3.' - when o ->> 'DomainName' like '%s3.amazonaws.com' - and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then title || ' origin access identity not configured.' - else title || ' origin access identity configured.' 
- end as reason - - , region, account_id - from - aws_cloudfront_distribution, - jsonb_array_elements(origins) as o; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when o ->> 'DomainName' not like '%s3.amazonaws.com' then 'skip'\n when o ->> 'DomainName' like '%s3.amazonaws.com'\n and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then 'alarm'\n else 'ok'\n end as status,\n case\n when o ->> 'DomainName' not like '%s3.amazonaws.com' then title || ' origin type is not s3.'\n when o ->> 'DomainName' like '%s3.amazonaws.com'\n and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then title || ' origin access identity not configured.'\n else title || ' origin access identity configured.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudfront_distribution,\n jsonb_array_elements(origins) as o;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_policy_configuration + - resource_policy_configuration foundational_security_item_id: - - cloudfront_2 + - cloudfront_2 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_sni_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_sni_enabled.yaml index fa1c67f0b..ab81d17e3 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_sni_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_sni_enabled.yaml 
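Review bot: The `'skip'` branch on the new side keys on `o ->> 'DomainName' not like '%s3.amazonaws.com'`, so an S3 origin addressed through a regional REST endpoint such as `bucket.s3.<region>.amazonaws.com` is silently skipped as "origin type is not s3" instead of being evaluated, which is a false negative for exactly the buckets this control exists to protect. It also accepts only `S3OriginConfig ->> 'OriginAccessIdentity'` as a restriction, so an origin secured with Origin Access Control (the `OriginAccessControlId` field on the origin, the currently recommended mechanism, if the plugin surfaces it) has an empty OAI and will alarm, while an S3 origin with no `S3OriginConfig` object makes the `= ''` comparison NULL and falls through to `'ok'`. A safer shape is to classify on `o -> 'S3OriginConfig' is not null` rather than the domain suffix, and to pass when `coalesce(o -> 'S3OriginConfig' ->> 'OriginAccessIdentity', '') <> ''` or `coalesce(o ->> 'OriginAccessControlId', '') <> ''`. Because the query emits one row per origin with the same `arn as resource`, a multi-origin distribution also yields duplicate resource rows with possibly conflicting statuses; aggregating to one verdict per distribution would remove the ambiguity.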
@@ -1,42 +1,26 @@ ID: aws_cloudfront_distribution_sni_enabled Title: "CloudFront distributions should use SNI to serve HTTPS requests" Description: "This control checks if AWS CloudFront distributions are using a custom SSL/TLS certificate and are configured to use SNI to serve HTTPS requests. This control fails if a custom SSL/TLS certificate is associated but the SSL/TLS support method is a dedicated IP address." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' then 'ok' - else 'alarm' - end as status, - case - when viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' then title || ' SNI enabled.' - else title || ' SNI disabled.' - end as reason - - , region, account_id - from - aws_cloudfront_distribution; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' then 'ok'\n else 'alarm'\n end as status,\n case\n when viewer_certificate ->> 'SSLSupportMethod' = 'sni-only' then title || ' SNI enabled.'\n else title || ' SNI disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudfront_distribution;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - cloudfront_8 + - cloudfront_8 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud 
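Review bot: The status expression `viewer_certificate ->> 'SSLSupportMethod' = 'sni-only'` alarms on every distribution that does not report `sni-only`, but the Description says the control fails only when a custom certificate is attached with a dedicated-IP support method; a distribution on the default CloudFront certificate (where `CloudFrontDefaultCertificate` is true and, as far as this payload shows, `SSLSupportMethod` may be absent) would be reported as `SNI disabled.` although the control does not apply to it. Consider a leading branch `when viewer_certificate ->> 'CloudFrontDefaultCertificate' = 'true' then 'skip'` with a matching reason, and alarm explicitly on `viewer_certificate ->> 'SSLSupportMethod' = 'vip'` (dedicated IP) so that an unknown or newly introduced value is not conflated with the failure case. The hunk also replaces the `|` block scalar with a `\n`-escaped string; a block scalar keeps the SQL readable in review.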
diff --git a/compliance/controls/aws/aws_cloudfront_distribution_use_custom_ssl_certificate.yaml b/compliance/controls/aws/aws_cloudfront_distribution_use_custom_ssl_certificate.yaml index deddfa031..c1423e8ed 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_use_custom_ssl_certificate.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_use_custom_ssl_certificate.yaml 
@@ -1,42 +1,26 @@ ID: aws_cloudfront_distribution_use_custom_ssl_certificate Title: "CloudFront distributions should use custom SSL/TLS certificates" Description: "This control checks whether CloudFront distributions are using the default SSL/TLS certificate CloudFront provides. This control passes if the CloudFront distribution uses a custom SSL/TLS certificate. This control fails if the CloudFront distribution uses the default SSL/TLS certificate." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when viewer_certificate ->> 'ACMCertificateArn' is not null and viewer_certificate ->> 'Certificate' is not null then 'ok' - else 'alarm' - end as status, - case - when viewer_certificate ->> 'ACMCertificateArn' is not null and viewer_certificate ->> 'Certificate' is not null then title || ' uses custom SSL certificate.' - else title || ' does not use custom SSL certificate.' 
- end as reason - - , region, account_id - from - aws_cloudfront_distribution; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when viewer_certificate ->> 'ACMCertificateArn' is not null and viewer_certificate ->> 'Certificate' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when viewer_certificate ->> 'ACMCertificateArn' is not null and viewer_certificate ->> 'Certificate' is not null then title || ' uses custom SSL certificate.'\n else title || ' does not use custom SSL certificate.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudfront_distribution;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_in_transi + - encryption_of_data_in_transi foundational_security_item_id: - - cloudfront_7 + - cloudfront_7 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_use_secure_cipher.yaml b/compliance/controls/aws/aws_cloudfront_distribution_use_secure_cipher.yaml index 7484be092..fc7b1c7ce 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_use_secure_cipher.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_use_secure_cipher.yaml @@ -1,8 +1,6 @@ ID: aws_cloudfront_distribution_use_secure_cipher Title: "CloudFront distributions should use secure SSL cipher" Description: "Ensure that CloudFront distributions do not have any insecure SSL ciphers. Using insecure and deprecated ciphers could make the SSL connection between the CloudFront and the origins vulnerable to exploits." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
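Review bot: The tag value `encryption_of_data_in_transi` under `foundational_security_category` on the new side is misspelled (the cloudfront_10 control in this same change uses `encryption_of_data_in_transit`), so any benchmark or dashboard that groups controls by this tag will silently omit cloudfront_7; it should read `- encryption_of_data_in_transit`. In the query, the pass condition requires both `ACMCertificateArn` and `Certificate` to be non-null, so a custom certificate uploaded to IAM (surfaced as `IAMCertificateId` with no ACM ARN, if the plugin exposes it) would be reported as `does not use custom SSL certificate.` even though it satisfies the Description; testing the failure case directly with `viewer_certificate ->> 'CloudFrontDefaultCertificate' = 'true'` matches the stated intent more closely. The `\n`-escaped double-quoted `QueryToExecute` is also harder to review than the former `|` block scalar.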
@@ -33,7 +31,9 @@ Query: left join origin_protocols as o on b.arn = o.arn; PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudfront_distribution_waf_enabled.yaml b/compliance/controls/aws/aws_cloudfront_distribution_waf_enabled.yaml index 106b58813..9c03e16e8 100755 --- a/compliance/controls/aws/aws_cloudfront_distribution_waf_enabled.yaml +++ b/compliance/controls/aws/aws_cloudfront_distribution_waf_enabled.yaml 
@@ -1,42 +1,26 @@ ID: aws_cloudfront_distribution_waf_enabled Title: "CloudFront distributions should have AWS WAF enabled" Description: "This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when web_acl_id <> '' then 'ok' - else 'alarm' - end as status, - case - when web_acl_id <> '' then title || ' associated with WAF.' - else title || ' not associated with WAF.' - end as reason - - , region, account_id - from - aws_cloudfront_distribution; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when web_acl_id <> '' then 'ok'\n else 'alarm'\n end as status,\n case\n when web_acl_id <> '' then title || ' associated with WAF.'\n else title || ' not associated with WAF.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudfront_distribution;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - protective_services + - protective_services foundational_security_item_id: - - cloudfront_6 + - cloudfront_6 plugin: - - aws + - aws service: - - AWS/CloudFront + - AWS/CloudFront +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_bucket_not_public.yaml b/compliance/controls/aws/aws_cloudtrail_bucket_not_public.yaml index 316d7e9a8..08b3953b6 100755 --- a/compliance/controls/aws/aws_cloudtrail_bucket_not_public.yaml +++ b/compliance/controls/aws/aws_cloudtrail_bucket_not_public.yaml 
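Review bot: The pass condition `web_acl_id <> ''` on the new side relies on NULL falling through to the `else 'alarm'` branch, which is correct but implicit and will not survive a later refactor that adds an intermediate `when`; writing it as `coalesce(web_acl_id, '') <> ''` makes the intent explicit. The reason text `not associated with WAF.` also does not distinguish a distribution with an empty ID from one where the attribute was not collected at all, which matters when triaging against the Description's WAF/WAFv2 scope. As in the sibling hunks, the query is now a single `\n`-escaped double-quoted scalar; a `|-` block scalar would keep it diffable.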
@@ -1,8 +1,6 @@ ID: aws_cloudtrail_bucket_not_public Title: "Ensure the S3 bucket CloudTrail logs to is not publicly accessible" Description: "CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. Security Hub recommends that the S3 bucket policy, or access control list (ACL), be applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -63,26 +61,28 @@ Query: public_bucket_data; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.3" + - "2.3" cis_level: - - "1" + - "1" cis_section_id: - - "2" + - "2" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudTrail + - AWS/CloudTrail +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_multi_region_read_write_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_multi_region_read_write_enabled.yaml index 40bead2c2..65f52d98b 100755 --- a/compliance/controls/aws/aws_cloudtrail_multi_region_read_write_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_multi_region_read_write_enabled.yaml 
@@ -1,8 +1,6 @@ ID: aws_cloudtrail_multi_region_read_write_enabled Title: "CloudTrail trails should be enabled in all regions" Description: "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -37,7 +35,7 @@ Query: when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.' else 'cloudtrail enabled.' end as reason - + , a.account_id from aws_account as a @@ -45,26 +43,28 @@ Query: left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail + - aws_account + - aws_cloudtrail_trail Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.1" + - "2.1" cis_level: - - "1" + - "1" cis_section_id: - - "2" + - "2" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudTrail + - AWS/CloudTrail +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_multi_region_trail_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_multi_region_trail_enabled.yaml index 52f82bd0a..9aa83e3cd 100755 --- a/compliance/controls/aws/aws_cloudtrail_multi_region_trail_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_multi_region_trail_enabled.yaml 
@@ -1,8 +1,6 @@ ID: aws_cloudtrail_multi_region_trail_enabled Title: "At least one multi-region AWS CloudTrail should be present in an account" Description: "AWS CloudTrail records AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from where the calls were made, and when the calls occurred. CloudTrail will deliver log files from all AWS Regions to your S3 bucket if MULTI_REGION_CLOUD_TRAIL_ENABLED is enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -45,7 +43,7 @@ Query: when o.is_organization_trail and o.is_multi_region_trail and o.is_logging is null then a.title || ' has organization trail, check organization account for cloudtrail logging status.' else a.title || ' does not have multi-region trail(s).' end as reason - + , a.account_id from aws_account as a @@ -53,46 +51,48 @@ Query: left join organization_trails as o on a.account_id = o.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail + - aws_account + - aws_cloudtrail_trail Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/CloudTrail + - AWS/CloudTrail soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_cloudtrail_multi_region_trail_integrated_with_logs.yaml b/compliance/controls/aws/aws_cloudtrail_multi_region_trail_integrated_with_logs.yaml index 8306b4a07..3e9bb6f2a 100755 --- a/compliance/controls/aws/aws_cloudtrail_multi_region_trail_integrated_with_logs.yaml +++ b/compliance/controls/aws/aws_cloudtrail_multi_region_trail_integrated_with_logs.yaml @@ -1,8 +1,6 @@ ID: aws_cloudtrail_multi_region_trail_integrated_with_logs Title: "CloudTrail multi region trails should be integrated with CloudWatch logs" Description: "Ensure that CloudTrail multi region trail is itegrated with CloudWatch logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,7 +23,9 @@ Query: and is_multi_region_trail; PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_s3_data_events_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_s3_data_events_enabled.yaml index 7bca2038c..c2c48a1cd 100755 --- a/compliance/controls/aws/aws_cloudtrail_s3_data_events_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_s3_data_events_enabled.yaml 
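Review bot: The Description on the new side has a typo, `itegrated`; it should read `Ensure that CloudTrail multi region trail is integrated with CloudWatch logs.` This control also keeps `Tags: {}`, so unlike the other CloudTrail controls touched in this change it carries no `service`, `category` or framework tag and is invisible to tag-driven benchmark selection; at minimum `service: - AWS/CloudTrail` and `category: - Compliance` would keep it consistent with its siblings. The trail-level query body sits outside this hunk, so the condition it applies (visible only as `and is_multi_region_trail;`) is not reviewed here.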
@@ -1,89 +1,55 @@ ID: aws_cloudtrail_s3_data_events_enabled Title: "All S3 buckets should log S3 data events in CloudTrail" Description: "The collection of Simple Storage Service (AWS S3) data events helps in detecting any anomalous activity. The details include AWS account information that accessed an AWS S3 bucket, IP address, and time of event." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with s3_selectors as ( - select - name as trail_name, - is_multi_region_trail, - bucket_selector - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as event_selector, - jsonb_array_elements(event_selector -> 'DataResources') as data_resource, - jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector - where - is_multi_region_trail - and data_resource ->> 'Type' = 'AWS::S3::Object' - and event_selector ->> 'ReadWriteType' = 'All' - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when count(bucket_selector) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(bucket_selector) > 0 then b.name || ' object-level data events logging enabled.' - else b.name || ' object-level data events logging disabled.' 
- end as reason - - , b.region, b.account_id - from - aws_s3_bucket as b - left join s3_selectors on bucket_selector like (b.arn || '%') or bucket_selector = 'arn:aws:s3' - group by - b.account_id, b.region, b.arn, b.name, b.tags, b.og_account_id, b.og_resource_id, b._ctx; + QueryToExecute: "with s3_selectors as (\n select\n name as trail_name,\n is_multi_region_trail,\n bucket_selector\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as event_selector,\n jsonb_array_elements(event_selector -> 'DataResources') as data_resource,\n jsonb_array_elements_text(data_resource -> 'Values') as bucket_selector\n where\n is_multi_region_trail\n and data_resource ->> 'Type' = 'AWS::S3::Object'\n and event_selector ->> 'ReadWriteType' = 'All'\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when count(bucket_selector) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(bucket_selector) > 0 then b.name || ' object-level data events logging enabled.'\n else b.name || ' object-level data events logging disabled.'\n end as reason\n \n , b.region, b.account_id\nfrom\n aws_s3_bucket as b\n left join s3_selectors on bucket_selector like (b.arn || '%') or bucket_selector = 'arn:aws:s3'\ngroup by\n b.account_id, b.region, b.arn, b.name, b.tags, b.og_account_id, b.og_resource_id, b._ctx;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - 
- "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/CloudTrail + - AWS/CloudTrail soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_s3_logging_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_s3_logging_enabled.yaml index a5e533321..1c8653dbf 100755 --- a/compliance/controls/aws/aws_cloudtrail_s3_logging_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_s3_logging_enabled.yaml 
@@ -1,52 +1,33 @@ ID: aws_cloudtrail_s3_logging_enabled Title: "Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket" Description: "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - t.arn as resource, - t.og_account_id as og_account_id, - t.og_resource_id as og_resource_id, - case - when b.logging is not null then 'ok' - else 'alarm' - end as status, - case - when b.logging is not null then t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.' - else t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.' - end as reason - - , t.region, t.account_id - from - aws_cloudtrail_trail t - inner join aws_s3_bucket b on t.s3_bucket_name = b.name - where - t.region = t.home_region; + QueryToExecute: "select\n t.arn as resource,\n t.og_account_id as og_account_id,\n t.og_resource_id as og_resource_id,\n case\n when b.logging is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.logging is not null then t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging enabled.'\n else t.title || '''s logging bucket ' || t.s3_bucket_name || ' has access logging disabled.'\n end as reason\n \n , t.region, t.account_id\nfrom\n aws_cloudtrail_trail t\n inner join aws_s3_bucket b on t.s3_bucket_name = b.name\nwhere\n t.region = t.home_region;\n" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - 
"true" cis_item_id: - - "2.6" + - "2.6" cis_level: - - "1" + - "1" cis_section_id: - - "2" + - "2" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudTrail + - AWS/CloudTrail +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_s3_object_read_events_audit_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_s3_object_read_events_audit_enabled.yaml index a64028769..b8776cf43 100755 --- a/compliance/controls/aws/aws_cloudtrail_s3_object_read_events_audit_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_s3_object_read_events_audit_enabled.yaml 
@@ -1,78 +1,33 @@ ID: aws_cloudtrail_s3_object_read_events_audit_enabled Title: "Ensure that Object-level logging for read events is enabled for S3 bucket" Description: "This rule enables object-level logging for read events for S3 buckets. Object-level logging for read events helps in identifying the requestor who performed the read operation on the S3 bucket objects." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with s3_selectors as - ( - select - name as trail_name, - is_multi_region_trail, - bucket_selector - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as event_selector, - jsonb_array_elements(case jsonb_typeof(event_selector -> 'DataResources') - when 'array' then event_selector -> 'DataResources' - else '[]' end) as data_resource, - jsonb_array_elements(case jsonb_typeof(data_resource -> 'Values') - when 'array' then data_resource -> 'Values' - else '[]' end) as bucket_selector - where - is_multi_region_trail - and data_resource ->> 'Type' = 'AWS::S3::Object' - and event_selector ->> 'ReadWriteType' in - ( - 'ReadOnly', - 'All' - ) - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when count(bucket_selector) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(bucket_selector) > 0 then b.name || ' object-level read events logging enabled.' - else b.name || ' object-level read events logging disabled.' 
- end as reason - , region, account_id - from - aws_s3_bucket as b - left join - s3_selectors - on bucket_selector::json::text like ('%' || b.arn || '%') - or bucket_selector::json::text = '"arn:aws:s3"' - group by - b.og_account_id, b.og_resource_id,b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; + QueryToExecute: "with s3_selectors as\n(\n select\n name as trail_name,\n is_multi_region_trail,\n bucket_selector\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as event_selector,\n jsonb_array_elements(case jsonb_typeof(event_selector -> 'DataResources') \n when 'array' then event_selector -> 'DataResources'\n else '[]' end) as data_resource,\n jsonb_array_elements(case jsonb_typeof(data_resource -> 'Values') \n when 'array' then data_resource -> 'Values'\n else '[]' end) as bucket_selector\n where\n is_multi_region_trail\n and data_resource ->> 'Type' = 'AWS::S3::Object'\n and event_selector ->> 'ReadWriteType' in\n (\n 'ReadOnly',\n 'All'\n )\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when count(bucket_selector) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(bucket_selector) > 0 then b.name || ' object-level read events logging enabled.'\n else b.name || ' object-level read events logging disabled.'\n end as reason\n , region, account_id\nfrom\n aws_s3_bucket as b\n left join\n s3_selectors\n on bucket_selector::json::text like ('%' || b.arn || '%')\n or bucket_selector::json::text = '\"arn:aws:s3\"'\ngroup by\n b.og_account_id, b.og_resource_id,b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.11" + - "3.11" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - automated + 
- automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_s3_object_write_events_audit_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_s3_object_write_events_audit_enabled.yaml index f49bb3ab2..0b493e00b 100755 --- a/compliance/controls/aws/aws_cloudtrail_s3_object_write_events_audit_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_s3_object_write_events_audit_enabled.yaml 
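Review bot: The join condition `bucket_selector::json::text like ('%' || b.arn || '%')` in the new `QueryToExecute` string is a substring match, so a selector for `arn:aws:s3:::foo-logs/` also satisfies bucket `arn:aws:s3:::foo`, and that bucket is reported `ok` although no trail records its object reads; a `_` in a legacy bucket name would additionally act as a LIKE wildcard. Anchoring the match to the serialized selector, e.g. `on bucket_selector::json::text like ('\"' || b.arn || '/%')` (the `\"` being a consequence of the double-quoted scalar), limits it to the bucket itself or a prefix under it, assuming selector values keep CloudTrail's `arn:aws:s3:::bucket/` form — worth confirming against real data before changing. The write-events hunk for aws_cloudtrail_s3_object_write_events_audit_enabled uses the same condition and needs the same change.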
@@ -1,79 +1,33 @@ ID: aws_cloudtrail_s3_object_write_events_audit_enabled Title: "Ensure that Object-level logging for write events is enabled for S3 bucket" Description: "This rule enables object-level logging for write events for S3 buckets. Object-level logging for write events helps in identifying the requestor who performed the write operation on the S3 bucket objects." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with s3_selectors as - ( - select - name as trail_name, - is_multi_region_trail, - bucket_selector - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as event_selector, - jsonb_array_elements(case jsonb_typeof(event_selector -> 'DataResources') - when 'array' then event_selector -> 'DataResources' - else '[]' end) as data_resource, - jsonb_array_elements(case jsonb_typeof(data_resource -> 'Values') - when 'array' then data_resource -> 'Values' - else '[]' end) as bucket_selector - where - is_multi_region_trail - and data_resource ->> 'Type' = 'AWS::S3::Object' - and event_selector ->> 'ReadWriteType' in - ( - 'WriteOnly', - 'All' - ) - ) - select - b.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when count(bucket_selector) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(bucket_selector) > 0 then b.name || ' object-level write events logging enabled.' - else b.name || ' object-level write events logging disabled.' 
- end as reason - - , region, account_id - from - aws_s3_bucket as b - left join - s3_selectors - on bucket_selector::json::text like ('%' || b.arn || '%') - or bucket_selector::json::text = '"arn:aws:s3"' - group by - b.og_account_id, b.og_resource_id, b.account_id, b.region, b.arn, b.name, b.tags, b._ctx; + QueryToExecute: "with s3_selectors as\n(\n select\n name as trail_name,\n is_multi_region_trail,\n bucket_selector\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as event_selector,\n jsonb_array_elements(case jsonb_typeof(event_selector -> 'DataResources') \n when 'array' then event_selector -> 'DataResources'\n else '[]' end) as data_resource,\n jsonb_array_elements(case jsonb_typeof(data_resource -> 'Values') \n when 'array' then data_resource -> 'Values'\n else '[]' end) as bucket_selector\n where\n is_multi_region_trail\n and data_resource ->> 'Type' = 'AWS::S3::Object'\n and event_selector ->> 'ReadWriteType' in\n (\n 'WriteOnly',\n 'All'\n )\n)\nselect\n b.arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when count(bucket_selector) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(bucket_selector) > 0 then b.name || ' object-level write events logging enabled.'\n else b.name || ' object-level write events logging disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_s3_bucket as b\n left join\n s3_selectors\n on bucket_selector::json::text like ('%' || b.arn || '%')\n or bucket_selector::json::text = '\"arn:aws:s3\"'\ngroup by\n b.og_account_id, b.og_resource_id, b.account_id, b.region, b.arn, b.name, b.tags, b._ctx;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_cloudtrail_trail - - aws_s3_bucket + - aws_cloudtrail_trail + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.10" + - "3.10" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - 
automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_security_trail_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_security_trail_enabled.yaml index 3d20fcf12..b00fb9a20 100755 --- a/compliance/controls/aws/aws_cloudtrail_security_trail_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_security_trail_enabled.yaml 
@@ -1,111 +1,36 @@ ID: aws_cloudtrail_security_trail_enabled Title: "At least one trail should be enabled with security best practices" Description: "This rule helps ensure the use of AWS recommended security best practices for AWS CloudTrail, by checking for the enablement of multiple settings. These include the use of log encryption, log validation, and enabling AWS CloudTrail in multiple regions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails_enabled as ( - select - distinct arn, - is_logging, - event_selectors, - coalesce( - jsonb_agg(g) filter ( where not (g = 'null') ), - $$[]$$::jsonb - ) as excludeManagementEventSources - from - aws_cloudtrail_trail - left join jsonb_array_elements(event_selectors) as e on true - left join jsonb_array_elements_text(e -> 'ExcludeManagementEventSources') as g on true - where - home_region = region - group by arn, is_logging, event_selectors - ), - all_trails as ( - select - a.arn as arn, - tags, - _ctx, - case - when a.is_logging is null then b.is_logging - else a.is_logging - end as is_logging, - case - when a.event_selectors is null then b.event_selectors - else a.event_selectors - end as event_selectors, - b.excludeManagementEventSources, - a.include_global_service_events, - a.is_multi_region_trail, - a.log_file_validation_enabled, - a.kms_key_id, - a.region, - a.account_id, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - a.title - from - aws_cloudtrail_trail as a - left join trails_enabled as b on a.arn = b.arn - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when not is_logging then 'alarm' - when not include_global_service_events then 'alarm' - when not is_multi_region_trail then 'alarm' - when not log_file_validation_enabled then 'alarm' - when kms_key_id is null then 'alarm' - when not (jsonb_array_length(event_selectors) = 1 and event_selectors @> '[{"ReadWriteType":"All"}]') then 'alarm' - 
when not (event_selectors @> '[{"IncludeManagementEvents":true}]') then 'alarm' - when jsonb_array_length(excludeManagementEventSources) > 0 then 'alarm' - else 'ok' - end as status, - case - when not is_logging then title || ' disabled.' - when not include_global_service_events then title || ' not recording global service events.' - when not is_multi_region_trail then title || ' not a muti-region trail.' - when not log_file_validation_enabled then title || ' log file validation disabled.' - when kms_key_id is null then title || ' not encrypted with a KMS key.' - when not (jsonb_array_length(event_selectors) = 1 and event_selectors @> '[{"ReadWriteType":"All"}]') then title || ' not recording events for both reads and writes.' - when not (event_selectors @> '[{"IncludeManagementEvents":true}]') then title || ' not recording management events.' - when jsonb_array_length(excludeManagementEventSources) > 0 then title || ' excludes management events for ' || trim(excludeManagementEventSources::text, '[]') || '.' - else title || ' meets all security best practices.' 
- end as reason - - - , region, account_id - from - all_trails; + QueryToExecute: "with trails_enabled as (\n select\n distinct arn,\n is_logging,\n event_selectors,\n coalesce(\n jsonb_agg(g) filter ( where not (g = 'null') ),\n $$[]$$::jsonb\n ) as excludeManagementEventSources\n from\n aws_cloudtrail_trail\n left join jsonb_array_elements(event_selectors) as e on true\n left join jsonb_array_elements_text(e -> 'ExcludeManagementEventSources') as g on true\n where\n home_region = region\n group by arn, is_logging, event_selectors\n ),\n all_trails as (\n select\n a.arn as arn,\n tags,\n _ctx,\n case\n when a.is_logging is null then b.is_logging\n else a.is_logging\n end as is_logging,\n case\n when a.event_selectors is null then b.event_selectors\n else a.event_selectors\n end as event_selectors,\n b.excludeManagementEventSources,\n a.include_global_service_events,\n a.is_multi_region_trail,\n a.log_file_validation_enabled,\n a.kms_key_id,\n a.region,\n a.account_id,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n a.title\n from\n aws_cloudtrail_trail as a\n left join trails_enabled as b on a.arn = b.arn\n )\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when not is_logging then 'alarm'\n when not include_global_service_events then 'alarm'\n when not is_multi_region_trail then 'alarm'\n when not log_file_validation_enabled then 'alarm'\n when kms_key_id is null then 'alarm'\n when not (jsonb_array_length(event_selectors) = 1 and event_selectors @> '[{\"ReadWriteType\":\"All\"}]') then 'alarm'\n when not (event_selectors @> '[{\"IncludeManagementEvents\":true}]') then 'alarm'\n when jsonb_array_length(excludeManagementEventSources) > 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when not is_logging then title || ' disabled.'\n when not include_global_service_events then title || ' not recording global service events.'\n when not is_multi_region_trail then title || ' not a 
muti-region trail.'\n when not log_file_validation_enabled then title || ' log file validation disabled.'\n when kms_key_id is null then title || ' not encrypted with a KMS key.'\n when not (jsonb_array_length(event_selectors) = 1 and event_selectors @> '[{\"ReadWriteType\":\"All\"}]') then title || ' not recording events for both reads and writes.'\n when not (event_selectors @> '[{\"IncludeManagementEvents\":true}]') then title || ' not recording management events.'\n when jsonb_array_length(excludeManagementEventSources) > 0 then title || ' excludes management events for ' || trim(excludeManagementEventSources::text, '[]') || '.'\n else title || ' meets all security best practices.'\n end as reason\n\n \n , region, account_id\nfrom\n all_trails;\n" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/CloudTrail + - AWS/CloudTrail soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_trail_bucket_mfa_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_trail_bucket_mfa_enabled.yaml index 22a2c200c..cf99aaa43 100755 --- a/compliance/controls/aws/aws_cloudtrail_trail_bucket_mfa_enabled.yaml +++ b/compliance/controls/aws/aws_cloudtrail_trail_bucket_mfa_enabled.yaml 
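Review bot: Every `when not <flag>` branch and the `when not (jsonb_array_length(event_selectors) = 1 and ...)` branch in the new `QueryToExecute` string evaluates to NULL rather than true when the underlying column is NULL, so the CASE skips the branch instead of raising the alarm; a trail whose `event_selectors` is NULL (which looks possible for a trail configured only with advanced event selectors — to be confirmed) falls through to `else 'ok'` and is reported as meeting all security best practices. A guard such as `when is_logging is null or event_selectors is null then 'alarm'` ahead of the existing branches, with a matching reason line, would make missing data fail closed. The reason string also carries the pre-existing typo `' not a muti-region trail.'` into the new scalar.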
@@ -1,8 +1,6 @@
 ID: aws_cloudtrail_trail_bucket_mfa_enabled
 Title: "CloudTrail trail S3 buckets MFA delete should be enabled"
 Description: "Ensure that CloudTrail trail S3 buckets should have MFA delete enabled. MFA delete helps prevent accidental bucket deletions by requiring the user who initiates the delete action to prove physical possession of an MFA device with an MFA code and adding an extra layer of friction and security to the delete action."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 t.region = t.home_region;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_s3_bucket
+ - aws_cloudtrail_trail
+ - aws_s3_bucket
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cloudtrail_trail_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_trail_enabled.yaml
index 2fb866db0..076a26fb7 100755
--- a/compliance/controls/aws/aws_cloudtrail_trail_enabled.yaml
+++ b/compliance/controls/aws/aws_cloudtrail_trail_enabled.yaml 
@@ -1,80 +1,52 @@ ID: aws_cloudtrail_trail_enabled Title: "At least one enabled trail should be present in a region" Description: "AWS CloudTrail can help in non-repudiation by recording AWS Management Console actions and API calls. You can identify the users and AWS accounts that called an AWS service, the source IP address where the calls generated, and the timings of the calls. Details of captured data are seen within AWS CloudTrail Record Contents." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails_enabled as ( - select - arn, - is_logging - from - aws_cloudtrail_trail - where - home_region = region - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.is_logging is null and a.is_logging then 'ok' - when b.is_logging then 'ok' - else 'alarm' - end as status, - case - when b.is_logging is null and a.is_logging then a.title || ' enabled.' - when b.is_logging then a.title || ' enabled.' - else a.title || ' disabled.' 
- end as reason - - , a.region, a.account_id - from - aws_cloudtrail_trail as a - left join trails_enabled b on a.arn = b.arn; + QueryToExecute: "with trails_enabled as (\n select\n arn,\n is_logging\n from\n aws_cloudtrail_trail\n where\n home_region = region\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.is_logging is null and a.is_logging then 'ok'\n when b.is_logging then 'ok'\n else 'alarm'\n end as status,\n case\n when b.is_logging is null and a.is_logging then a.title || ' enabled.'\n when b.is_logging then a.title || ' enabled.'\n else a.title || ' disabled.'\n end as reason\n \n , a.region, a.account_id\nfrom\n aws_cloudtrail_trail as a\nleft join trails_enabled b on a.arn = b.arn;\n" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/CloudTrail + - AWS/CloudTrail soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudtrail_trail_enabled_account.yaml b/compliance/controls/aws/aws_cloudtrail_trail_enabled_account.yaml index 154617ae2..78263245e 100755 --- a/compliance/controls/aws/aws_cloudtrail_trail_enabled_account.yaml 
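Review bot: The Title promises at least one enabled trail per region, but the new `QueryToExecute` string selects only from `aws_cloudtrail_trail`, so a region with no trail at all produces no row and therefore no alarm; the check can only grade trails that already exist. The sibling `aws_cloudtrail_trail_enabled_account` hunk keys its query off `aws_account` as PrimaryTable, which is the shape needed to report absence, and this control would need an equivalent region-level anchor to deliver what its title states. If per-trail evaluation is the intent, the Title and Description should be reworded to say so.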
+++ b/compliance/controls/aws/aws_cloudtrail_trail_enabled_account.yaml
@@ -1,8 +1,6 @@
 ID: aws_cloudtrail_trail_enabled_account
 Title: "At least one CloudTrail trail should be enabled in the AWS account"
 Description: "Ensure that at least one CloudTrail trail is enabled in the AWS account."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
 left join trails_enabled_account b on a.account_id = b.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_account
+ - aws_cloudtrail_trail
+ - aws_account
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cloudtrail_trail_insight_selectors_and_logging_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_trail_insight_selectors_and_logging_enabled.yaml
index 426fdffb5..2e2f69378 100755
--- a/compliance/controls/aws/aws_cloudtrail_trail_insight_selectors_and_logging_enabled.yaml
+++ b/compliance/controls/aws/aws_cloudtrail_trail_insight_selectors_and_logging_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_cloudtrail_trail_insight_selectors_and_logging_enabled
 Title: "CloudTrail trails should have insight selectors and logging enabled"
 Description: "CloudTrail Insights provides a powerful way to search and analyze CloudTrail log data using pre-built queries and machine learning algorithms. This can help to identify potential security threats and suspicious activity in near real-time, such as unauthorized access attempts, policy changes, or resource modifications."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,7 +24,9 @@ Query:
 region = home_region;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
+ - aws_cloudtrail_trail
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud 
diff --git a/compliance/controls/aws/aws_cloudtrail_trail_integrated_with_logs.yaml b/compliance/controls/aws/aws_cloudtrail_trail_integrated_with_logs.yaml
index b05cfef3b..bfb633143 100755
--- a/compliance/controls/aws/aws_cloudtrail_trail_integrated_with_logs.yaml
+++ b/compliance/controls/aws/aws_cloudtrail_trail_integrated_with_logs.yaml 
@@ -1,70 +1,52 @@ ID: aws_cloudtrail_trail_integrated_with_logs Title: "CloudTrail trails should be integrated with CloudWatch logs" Description: "Use AWS CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then 'ok' - else 'alarm' - end as status, - case - when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' integrated with CloudWatch logs.' - else title || ' not integrated with CloudWatch logs.' - end as reason - - , region, account_id - from - aws_cloudtrail_trail - where - region = home_region; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then 'ok'\n else 'alarm'\n end as status,\n case\n when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' integrated with CloudWatch logs.'\n else title || ' not integrated with CloudWatch logs.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;\n" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - 
"true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 rbi_cyber_security:
- - "true"
+ - "true"
 service:
- - AWS/CloudTrail
+ - AWS/CloudTrail
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cloudtrail_trail_logs_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_cloudtrail_trail_logs_encrypted_with_kms_cmk.yaml
index c30edf6cf..cf69bb7c0 100755
--- a/compliance/controls/aws/aws_cloudtrail_trail_logs_encrypted_with_kms_cmk.yaml
+++ b/compliance/controls/aws/aws_cloudtrail_trail_logs_encrypted_with_kms_cmk.yaml
@@ -1,8 +1,6 @@
 ID: aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
 Title: "CloudTrail trail logs should be encrypted with KMS CMK"
 Description: "To help protect sensitive data at rest, ensure encryption is enabled for your AWS CloudWatch Log Groups."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: | 
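Review bot: In the new `QueryToExecute` string a trail that has a log group configured but whose `latest_delivery_time` is older than `current_date - 1` receives the reason `' not integrated with CloudWatch logs.'`, which labels a stale-delivery finding as a missing integration and points an operator at the wrong fix. Splitting the reason CASE, e.g. `when log_group_arn is null or log_group_arn = 'null' then title || ' not integrated with CloudWatch logs.'` followed by `when latest_delivery_time is null or latest_delivery_time <= current_date - 1 then title || ' last CloudWatch delivery older than one day.'`, keeps the status unchanged while reporting the actual condition. The `current_date - 1` threshold is date-anchored, so the effective window drifts between roughly 24 and 48 hours depending on when the query runs; if a precise freshness bound is intended, `now() - interval '1 day'` expresses it.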
@@ -25,45 +23,47 @@ Query:
 region = home_region;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
+ - aws_cloudtrail_trail
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 gdpr:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 gxp_eu_annex_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 rbi_cyber_security:
- - "true"
+ - "true"
 service:
- - AWS/CloudTrail
+ - AWS/CloudTrail
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cloudtrail_trail_validation_enabled.yaml b/compliance/controls/aws/aws_cloudtrail_trail_validation_enabled.yaml
index 9fb661725..cf9912e39 100755
--- a/compliance/controls/aws/aws_cloudtrail_trail_validation_enabled.yaml
+++ b/compliance/controls/aws/aws_cloudtrail_trail_validation_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_cloudtrail_trail_validation_enabled
 Title: "CloudTrail trail log file validation should be enabled"
 Description: "Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: | 
@@ -25,41 +23,43 @@ Query:
 region = home_region;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
+ - aws_cloudtrail_trail
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 gdpr:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/CloudTrail
+ - AWS/CloudTrail
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled.yaml b/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled.yaml
index 6a062d5d8..c4955b252 100755
--- a/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled.yaml
+++ b/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled.yaml 
@@ -1,65 +1,42 @@ ID: aws_cloudwatch_alarm_action_enabled Title: "CloudWatch alarm should have an action configured" Description: "Checks if CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally checks if any actions match a named ARN. The rule is non-compliant if there is no action specified for the alarm or optional parameter." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(alarm_actions) = 0 - and jsonb_array_length(insufficient_data_actions) = 0 - and jsonb_array_length(ok_actions) = 0 then 'alarm' - else 'ok' - end as status, - case - when jsonb_array_length(alarm_actions) = 0 - and jsonb_array_length(insufficient_data_actions) = 0 - and jsonb_array_length(ok_actions) = 0 then title || ' no action enabled.' - when jsonb_array_length(alarm_actions) != 0 then title || ' alarm action enabled.' - when jsonb_array_length(insufficient_data_actions) != 0 then title || ' insufficient data action enabled.' - when jsonb_array_length(ok_actions) != 0 then title || ' ok action enabled.' 
- else 'ok' - end as reason - - , region, account_id - from - aws_cloudwatch_alarm; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(alarm_actions) = 0\n and jsonb_array_length(insufficient_data_actions) = 0\n and jsonb_array_length(ok_actions) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when jsonb_array_length(alarm_actions) = 0\n and jsonb_array_length(insufficient_data_actions) = 0\n and jsonb_array_length(ok_actions) = 0 then title || ' no action enabled.'\n when jsonb_array_length(alarm_actions) != 0 then title || ' alarm action enabled.'\n when jsonb_array_length(insufficient_data_actions) != 0 then title || ' insufficient data action enabled.'\n when jsonb_array_length(ok_actions) != 0 then title || ' ok action enabled.'\n else 'ok'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudwatch_alarm;\n" PrimaryTable: aws_cloudwatch_alarm ListOfTables: - - aws_cloudwatch_alarm + - aws_cloudwatch_alarm Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled_check.yaml b/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled_check.yaml index 3cd54f503..e5ed4aa99 100755 --- a/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled_check.yaml 
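Review bot: The status expression `jsonb_array_length(alarm_actions) = 0 and jsonb_array_length(insufficient_data_actions) = 0 and jsonb_array_length(ok_actions) = 0` in the new `QueryToExecute` string becomes NULL as soon as any one of the three columns is NULL, and the CASE then falls to `else 'ok'`, so an alarm with no actions configured passes whenever one action list is unset rather than empty. Wrapping each term as `coalesce(jsonb_array_length(alarm_actions), 0) = 0` (and likewise for the other two) makes NULL and `[]` equivalent and lets the check fail closed. With that in place the trailing `else 'ok'` in the reason CASE is unreachable and can be dropped or given an explicit message.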
+++ b/compliance/controls/aws/aws_cloudwatch_alarm_action_enabled_check.yaml
@@ -1,42 +1,26 @@
 ID: aws_cloudwatch_alarm_action_enabled_check
 Title: "CloudWatch alarm action should be enabled"
 Description: "Checks if AWS CloudWatch alarm actions are in enabled state. The rule is non-compliant if the CloudWatch alarm actions are not in enabled state."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when actions_enabled then 'ok'
- else 'alarm'
- end as status,
- case
- when actions_enabled then title || ' alarm actions enabled.'
- else title || ' alarm actions disabled.'
- end as reason
-
- , region, account_id
- from
- aws_cloudwatch_alarm;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when actions_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when actions_enabled then title || ' alarm actions enabled.'\n else title || ' alarm actions disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudwatch_alarm;\n"
 PrimaryTable: aws_cloudwatch_alarm
 ListOfTables:
- - aws_cloudwatch_alarm
+ - aws_cloudwatch_alarm
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/CloudWatch
+ - AWS/CloudWatch
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_cloudwatch_cross_account_sharing.yaml b/compliance/controls/aws/aws_cloudwatch_cross_account_sharing.yaml
index 412df18d3..6d47118c6 100755
--- a/compliance/controls/aws/aws_cloudwatch_cross_account_sharing.yaml
+++ b/compliance/controls/aws/aws_cloudwatch_cross_account_sharing.yaml 
@@ -1,8 +1,6 @@ ID: aws_cloudwatch_cross_account_sharing Title: "CloudWatch should not allow cross-account sharing" Description: "Ensure that your AWS CloudWatch is configured to allow access only to friendly AWS accounts in order to prevent unauthorized users from sharing their CloudWatch events." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -34,8 +32,10 @@ Query: left join iam_role_cross_account_sharing_count as c on c.account_id = a.account_id; PrimaryTable: aws_iam_role ListOfTables: - - aws_iam_role - - aws_account + - aws_iam_role + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_cloudwatch_log_group_retention_period_365.yaml b/compliance/controls/aws/aws_cloudwatch_log_group_retention_period_365.yaml index db72f4509..27594e1f6 100755 --- a/compliance/controls/aws/aws_cloudwatch_log_group_retention_period_365.yaml +++ b/compliance/controls/aws/aws_cloudwatch_log_group_retention_period_365.yaml 
@@ -1,65 +1,48 @@ ID: aws_cloudwatch_log_group_retention_period_365 Title: "Log group retention period should be at least 365 days" Description: "Ensure a minimum duration of event log data is retained for your log groups to help with troubleshooting and forensics investigations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when retention_in_days is null or retention_in_days < 365 then 'alarm' - else 'ok' - end as status, - case - when retention_in_days is null then title || ' retention period not set.' - when retention_in_days < 365 then title || ' retention period less than 365 days.' - else title || ' retention period 365 days or above.' - end as reason - - , region, account_id - from - aws_cloudwatch_log_group; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when retention_in_days is null or retention_in_days < 365 then 'alarm'\n else 'ok'\n end as status,\n case\n when retention_in_days is null then title || ' retention period not set.'\n when retention_in_days < 365 then title || ' retention period less than 365 days.'\n else title || ' retention period 365 days or above.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudwatch_log_group;\n" PrimaryTable: aws_cloudwatch_log_group ListOfTables: - - aws_cloudwatch_log_group + - aws_cloudwatch_log_group Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - 
"true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/CloudWatch + - AWS/CloudWatch soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_codebuild_project_artifact_encryption_enabled.yaml b/compliance/controls/aws/aws_codebuild_project_artifact_encryption_enabled.yaml index 3e54f380b..fbeab04e8 100755 --- a/compliance/controls/aws/aws_codebuild_project_artifact_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_codebuild_project_artifact_encryption_enabled.yaml 
@@ -1,56 +1,28 @@ ID: aws_codebuild_project_artifact_encryption_enabled Title: "CodeBuild project artifact encryption should be enabled" Description: "This control checks if a CodeBuild project has encryption enabled for all of its artifacts. The rule is non-compliant if 'encryptionDisabled' is set to 'true' for any primary or secondary (if present) artifact configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with secondary_artifact as ( - select - distinct arn - from - aws_codebuild_project, - jsonb_array_elements(secondary_artifacts) as a - where - a -> 'EncryptionDisabled' = 'true' - ) - select - a.arn as resource, - p.og_account_id as og_account_id, - p.og_resource_id as og_resource_id, - case - when p.artifacts ->> 'EncryptionDisabled' = 'false' - and (p.secondary_artifacts is null or a.arn is null) then 'ok' - else 'alarm' - end as status, - case - when p.artifacts ->> 'EncryptionDisabled' = 'false' - and (p.secondary_artifacts is null or a.arn is null) then p.title || ' all artifacts encryption enabled.' - else p.title || ' all artifacts encryption not enabled.' 
- end as reason - - , p.region, p.account_id - from - aws_codebuild_project as p - left join secondary_artifact as a on a.arn = p.arn; + QueryToExecute: "with secondary_artifact as (\n select\n distinct arn\n from\n aws_codebuild_project,\n jsonb_array_elements(secondary_artifacts) as a\n where\n a -> 'EncryptionDisabled' = 'true'\n)\nselect\n a.arn as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when p.artifacts ->> 'EncryptionDisabled' = 'false'\n and (p.secondary_artifacts is null or a.arn is null) then 'ok'\n else 'alarm'\n end as status,\n case\n when p.artifacts ->> 'EncryptionDisabled' = 'false'\n and (p.secondary_artifacts is null or a.arn is null) then p.title || ' all artifacts encryption enabled.'\n else p.title || ' all artifacts encryption not enabled.'\n end as reason\n \n , p.region, p.account_id\nfrom\n aws_codebuild_project as p\n left join secondary_artifact as a on a.arn = p.arn;\n" PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/CodeBuild + - AWS/CodeBuild +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml b/compliance/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml index 4eef23d0f..ef833e3aa 100755 --- a/compliance/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml +++ b/compliance/controls/aws/aws_codebuild_project_build_greater_then_90_days.yaml 
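Review bot: `a.arn as resource` in the rewritten `QueryToExecute` takes the resource identifier from the left-joined `secondary_artifact` CTE, which is null for every project that has no encryption-disabled secondary artifact, so precisely the 'ok' rows come back with a null resource; it should be `p.arn as resource`, the table the rest of the select is keyed on. The status arm also requires `p.artifacts ->> 'EncryptionDisabled' = 'false'`, so a project whose primary artifact lacks that key at all falls to 'alarm'; if that strictness is deliberate it deserves a short comment above the query.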
@@ -1,8 +1,6 @@ ID: aws_codebuild_project_build_greater_then_90_days Title: "CodeBuild projects should not be unused for 90 days or greater" Description: "Ensure CodeBuild projects are curently in use. It is recommended to remove the stale ones." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -61,8 +59,10 @@ Query: left join latest_codebuild_build as b on p.name = b.project_name and p.region = b.region and p.account_id = b.account_id; PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_build - - aws_codebuild_project + - aws_codebuild_build + - aws_codebuild_project Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_codebuild_project_environment_privileged_mode_disabled.yaml b/compliance/controls/aws/aws_codebuild_project_environment_privileged_mode_disabled.yaml index 146386d20..76df8a988 100755 --- a/compliance/controls/aws/aws_codebuild_project_environment_privileged_mode_disabled.yaml +++ b/compliance/controls/aws/aws_codebuild_project_environment_privileged_mode_disabled.yaml 
@@ -1,42 +1,26 @@ ID: aws_codebuild_project_environment_privileged_mode_disabled Title: "CodeBuild project environments should not have privileged mode enabled" Description: "This control checks if an AWS CodeBuild project environment has privileged mode enabled. This control fails when an AWS CodeBuild project environment has privileged mode enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when environment ->> 'PrivilegedMode' = 'true' then 'alarm' - else 'ok' - end as status, - case - when environment ->> 'PrivilegedMode' = 'true' then title || ' environment privileged mode enabled.' - else title || ' environment privileged mode disabled.' - end as reason - - , region, account_id - from - aws_codebuild_project; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when environment ->> 'PrivilegedMode' = 'true' then 'alarm'\n else 'ok'\n end as status,\n case\n when environment ->> 'PrivilegedMode' = 'true' then title || ' environment privileged mode enabled.'\n else title || ' environment privileged mode disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_codebuild_project;\n" PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/CodeBuild + - AWS/CodeBuild +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_codebuild_project_logging_enabled.yaml b/compliance/controls/aws/aws_codebuild_project_logging_enabled.yaml index f30bbe91c..4698c06e0 100755 --- a/compliance/controls/aws/aws_codebuild_project_logging_enabled.yaml 
+++ b/compliance/controls/aws/aws_codebuild_project_logging_enabled.yaml 
@@ -1,44 +1,28 @@ ID: aws_codebuild_project_logging_enabled Title: "CodeBuild projects should have logging enabled" Description: "This control checks if an AWS CodeBuild project environment has at least one log option enabled. The rule is non-compliant if the status of all present log configurations is set to 'DISABLED'." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' or logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' then 'ok' - else 'alarm' - end as status, - case - when logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' or logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' then title || ' logging enabled.' - else title || ' logging disabled.' - end as reason - - , region, account_id - from - aws_codebuild_project; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' or logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when logs_config -> 'CloudWatchLogs' ->> 'Status' = 'ENABLED' or logs_config -> 'S3Logs' ->> 'Status' = 'ENABLED' then title || ' logging enabled.'\n else title || ' logging disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_codebuild_project;\n" PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/CodeBuild + - AWS/CodeBuild +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values.yaml b/compliance/controls/aws/aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values.yaml index 165d40db6..8cd045527 100755 --- a/compliance/controls/aws/aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values.yaml +++ b/compliance/controls/aws/aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values.yaml 
@@ -1,70 +1,42 @@ ID: aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values Title: "CodeBuild project plaintext environment variables should not contain sensitive AWS values" Description: "Ensure authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY do not exist within AWS CodeBuild project environments. Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with invalid_key_name as ( - select - distinct arn, - name - from - aws_codebuild_project, - jsonb_array_elements(environment -> 'EnvironmentVariables') as env - where - env ->> 'Name' ilike any(array['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%']) - and env ->> 'Type' = 'PLAINTEXT' - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.arn is null then 'ok' - else 'alarm' - end as status, - case - when b.arn is null then a.title || ' has no plaintext environment variables with sensitive AWS values.' - else a.title || ' has plaintext environment variables with sensitive AWS values.' 
- end as reason - - , a.region, a.account_id - from - aws_codebuild_project as a - left join invalid_key_name b on a.arn = b.arn; + QueryToExecute: "with invalid_key_name as (\n select\n distinct arn,\n name\n from\n aws_codebuild_project,\n jsonb_array_elements(environment -> 'EnvironmentVariables') as env\n where\n env ->> 'Name' ilike any(array['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%'])\n and env ->> 'Type' = 'PLAINTEXT'\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is null then a.title || ' has no plaintext environment variables with sensitive AWS values.'\n else a.title || ' has plaintext environment variables with sensitive AWS values.'\n end as reason\n \n , a.region, a.account_id\nfrom\n aws_codebuild_project as a\n left join invalid_key_name b on a.arn = b.arn;\n" PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/CodeBuild + - AWS/CodeBuild soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_codebuild_project_s3_logs_encryption_enabled.yaml b/compliance/controls/aws/aws_codebuild_project_s3_logs_encryption_enabled.yaml index 0a3ef3662..4fc74e38f 100755 --- a/compliance/controls/aws/aws_codebuild_project_s3_logs_encryption_enabled.yaml 
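Review bot: The `ilike any(array[...])` filter also matches `%PASSWORD%`, which neither the Title nor the Description mentions (both name only AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY), so a project flagged for a plaintext `DB_PASSWORD` variable receives a reason text about "sensitive AWS values". Either align the Description, e.g. `Description: "Ensure AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and password-like variables are not stored as PLAINTEXT in CodeBuild project environments; use PARAMETER_STORE or SECRETS_MANAGER instead."`, or drop the extra pattern. The `name` column selected in the `invalid_key_name` CTE is never read by the outer query and can go.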
+++ b/compliance/controls/aws/aws_codebuild_project_s3_logs_encryption_enabled.yaml @@ -1,42 +1,26 @@ ID: aws_codebuild_project_s3_logs_encryption_enabled Title: "CodeBuild project S3 logs should be encrypted" Description: "This control checks if S3 logs for a CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when not (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool then 'ok' - else 'alarm' - end as status, - case - when not (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool then title || ' S3Logs encryption enabled.' - else title || ' S3Logs encryption disabled.' - end as reason - - , region, account_id - from - aws_codebuild_project; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when not (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool then 'ok'\n else 'alarm'\n end as status,\n case\n when not (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool then title || ' S3Logs encryption enabled.'\n else title || ' S3Logs encryption disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_codebuild_project;\n" PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_at_rest + - encryption_of_data_at_rest foundational_security_item_id: - - codebuild_3 + - codebuild_3 plugin: - - aws + - aws service: - - AWS/CodeBuild + - AWS/CodeBuild +IntegrationTypeName: + - aws_cloud 
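Review bot: `not (logs_config -> 'S3Logs' ->> 'EncryptionDisabled')::bool` evaluates to null when the project has no S3 log configuration, and a null `when` falls through to 'alarm' with reason ' S3Logs encryption disabled.', so projects that do not write S3 logs at all are reported as failing. Add a leading arm such as `when logs_config -> 'S3Logs' ->> 'Status' is distinct from 'ENABLED' then 'skip'` (with a matching reason arm) so only projects that actually emit S3 logs are evaluated; the logging_enabled control in this same commit already reads that `Status` key, so it should be available here.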
diff --git a/compliance/controls/aws/aws_codebuild_project_source_repo_oauth_configured.yaml b/compliance/controls/aws/aws_codebuild_project_source_repo_oauth_configured.yaml index 0f31eb4b3..fdfeddd32 100755 --- a/compliance/controls/aws/aws_codebuild_project_source_repo_oauth_configured.yaml +++ b/compliance/controls/aws/aws_codebuild_project_source_repo_oauth_configured.yaml 
@@ -1,63 +1,43 @@ ID: aws_codebuild_project_source_repo_oauth_configured Title: "CodeBuild GitHub or Bitbucket source repository URLs should use OAuth" Description: "Ensure the GitHub or Bitbucket source repository URL does not contain personal access tokens, user name and password within AWS Codebuild project environments." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - p.arn as resource, - p.og_account_id as og_account_id, - p.og_resource_id as og_resource_id, - case - when p.source ->> 'Type' not in ('GITHUB', 'BITBUCKET') then 'skip' - when c.auth_type = 'OAUTH' then 'ok' - else 'alarm' - end as status, - case - when p.source ->> 'Type' = 'NO_SOURCE' then p.title || ' doesn''t have input source code.' - when p.source ->> 'Type' not in ('GITHUB', 'BITBUCKET') then p.title || ' source code isn''t in GitHub/Bitbucket repository.' - when c.auth_type = 'OAUTH' then p.title || ' using OAuth to connect source repository.' - else p.title || ' not using OAuth to connect source repository.' 
- end as reason - - , p.region, p.account_id - from - aws_codebuild_project as p - left join aws_codebuild_source_credential as c on (p.region = c.region and p.source ->> 'Type' = c.server_type); + QueryToExecute: "select\n p.arn as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when p.source ->> 'Type' not in ('GITHUB', 'BITBUCKET') then 'skip'\n when c.auth_type = 'OAUTH' then 'ok'\n else 'alarm'\n end as status,\n case\n when p.source ->> 'Type' = 'NO_SOURCE' then p.title || ' doesn''t have input source code.'\n when p.source ->> 'Type' not in ('GITHUB', 'BITBUCKET') then p.title || ' source code isn''t in GitHub/Bitbucket repository.'\n when c.auth_type = 'OAUTH' then p.title || ' using OAuth to connect source repository.'\n else p.title || ' not using OAuth to connect source repository.'\n end as reason\n \n , p.region, p.account_id\nfrom\n aws_codebuild_project as p\n left join aws_codebuild_source_credential as c on (p.region = c.region and p.source ->> 'Type' = c.server_type);\n" PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project - - aws_codebuild_source_credential + - aws_codebuild_project + - aws_codebuild_source_credential Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/CodeBuild + - AWS/CodeBuild soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
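Review bot: The query never inspects the repository URL: a project is 'ok' whenever any `aws_codebuild_source_credential` row in the same region has `auth_type = 'OAUTH'` for its source type, while the Description promises that the URL "does not contain personal access tokens, user name and password". A source `Location` with userinfo embedded in it would therefore still pass. Consider an arm ahead of the OAuth check, `when p.source ->> 'Location' ~ '://[^/@]+@' then 'alarm'` with a reason such as `p.title || ' source URL embeds credentials.'`, or reword the Description to describe what is actually verified. Credential types other than OAUTH (for example CODECONNECTIONS) also land in 'alarm' here — presumably intended, but worth confirming.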
diff --git a/compliance/controls/aws/aws_codebuild_project_with_user_controlled_buildspec.yaml b/compliance/controls/aws/aws_codebuild_project_with_user_controlled_buildspec.yaml index bc60b02ca..46eae70f5 100755 --- a/compliance/controls/aws/aws_codebuild_project_with_user_controlled_buildspec.yaml +++ b/compliance/controls/aws/aws_codebuild_project_with_user_controlled_buildspec.yaml @@ -1,30 +1,14 @@ ID: aws_codebuild_project_with_user_controlled_buildspec Title: "CodeBuild projects should not use an user controlled buildspec" Description: "This control checks if buildspec.yml is used from a trusted source which user cant interfere with." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when split_part(source ->> 'Buildspec', '.', -1) = 'yml' then 'alarm' - else 'ok' - end as status, - case - when split_part(source ->> 'Buildspec', '.', -1) = 'yml' then title || ' uses a user controlled buildspec.' - else title || ' does not uses a user controlled buildspec.' - end as reason - - - from - aws_codebuild_project; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when split_part(source ->> 'Buildspec', '.', -1) = 'yml' then 'alarm'\n else 'ok'\n end as status,\n case\n when split_part(source ->> 'Buildspec', '.', -1) = 'yml' then title || ' uses a user controlled buildspec.'\n else title || ' does not uses a user controlled buildspec.'\n end as reason\n \n \nfrom\n aws_codebuild_project;" PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
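Review bot: `split_part(source ->> 'Buildspec', '.', -1) = 'yml'` only catches an explicitly configured `.yml` path; when `Buildspec` is null or empty CodeBuild reads `buildspec.yml` from the source root — the most common user-controlled case — and the expression is null, so the row is reported 'ok', and a `.yaml` path is missed entirely. A more faithful predicate for both `case` blocks is `when coalesce(source ->> 'Buildspec', '') = '' or split_part(source ->> 'Buildspec', '.', -1) in ('yml', 'yaml') then 'alarm'`. Negative field indexes in `split_part` require PostgreSQL 14 or later, which is worth a comment next to the Engine line.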
diff --git a/compliance/controls/aws/aws_config_configuration_recorder_no_failed_deliver_logs.yaml b/compliance/controls/aws/aws_config_configuration_recorder_no_failed_deliver_logs.yaml index 0543ad94f..58ffb62f5 100755 --- a/compliance/controls/aws/aws_config_configuration_recorder_no_failed_deliver_logs.yaml +++ b/compliance/controls/aws/aws_config_configuration_recorder_no_failed_deliver_logs.yaml @@ -1,29 +1,14 @@ ID: aws_config_configuration_recorder_no_failed_deliver_logs Title: "Config configuration recorder should not fail to deliver logs" Description: "This control checks whether Config configuration recorder fails to deliver logs. This control is non-compliant if Config configuration recorder fails to deliver logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when status ->> 'LastStatus' = 'FAILURE' then 'alarm' - else 'ok' - end as status, - case - when status ->> 'LastStatus' = 'FAILURE' then title || ' has failed deliver logs.' - else title || ' does not have failed deliver logs.' - end as reason - - from - aws_config_configuration_recorder; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when status ->> 'LastStatus' = 'FAILURE' then 'alarm'\n else 'ok'\n end as status,\n case\n when status ->> 'LastStatus' = 'FAILURE' then title || ' has failed deliver logs.'\n else title || ' does not have failed deliver logs.'\n end as reason\n \nfrom\n aws_config_configuration_recorder;" PrimaryTable: aws_config_configuration_recorder ListOfTables: - - aws_config_configuration_recorder + - aws_config_configuration_recorder Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_config_enabled_all_regions.yaml b/compliance/controls/aws/aws_config_enabled_all_regions.yaml index 2390a6d47..c32eede9b 100755 --- a/compliance/controls/aws/aws_config_enabled_all_regions.yaml +++ b/compliance/controls/aws/aws_config_enabled_all_regions.yaml 
@@ -1,90 +1,34 @@ ID: aws_config_enabled_all_regions Title: "AWS Config should be enabled" Description: "This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with global_recorders as ( - select - count(*) as global_config_recorders - from - aws_config_configuration_recorder - where - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - and recording_group -> 'AllSupported' = 'true' - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - ), - regions as ( - select - 'arn:aws::' || a.region || ':' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when - g.global_config_recorders >= 1 - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - then 0 - when a.opt_in_status = 'not-opted-in' then 1 - else 2 - end as status, - a.region, a.account_id - from - global_recorders as g, - aws_region as a - left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name - ), - results as ( - SELECT - account_id AS resource, - og_account_id as og_account_id, - og_account_id as og_resource_id, - case - when max(status) = 2 then 'alarm' - when max(status) = 1 then 'skip' - when max(status) = 0 then 'ok' - end as status, - case - when max(status) = 2 then 'AWS Config is not enabled for this account on regions: [' || string_agg(region, ',') || ']' - when max(status) = 1 then 'Account is not opted in regions: [' || string_agg(region, ',') || ']' - when max(status) = 0 then 'AWS Config is enabled for this account on regions: [' || string_agg(region, ',') || ']' - end as reason - FROM regions - GROUP BY account_id, og_account_id - ) - SELECT - r.resource AS resource, - r.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - r.status as status, - r.reason as reason - FROM results as 
r JOIN aws_account as a ON r.og_account_id = a.og_account_id + QueryToExecute: "with global_recorders as (\n select\n count(*) as global_config_recorders\n from\n aws_config_configuration_recorder\n where\n recording_group -> 'IncludeGlobalResourceTypes' = 'true'\n and recording_group -> 'AllSupported' = 'true'\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n),\nregions as (\n select\n 'arn:aws::' || a.region || ':' || a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when\n g.global_config_recorders >= 1\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n then 0\n when a.opt_in_status = 'not-opted-in' then 1\n else 2\n end as status,\n a.region, a.account_id\n from\n global_recorders as g,\n aws_region as a\n left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name\n),\nresults as (\n SELECT \n account_id AS resource,\n og_account_id as og_account_id,\n og_account_id as og_resource_id,\n case\n when max(status) = 2 then 'alarm'\n when max(status) = 1 then 'skip'\n when max(status) = 0 then 'ok'\n end as status,\n case\n when max(status) = 2 then 'AWS Config is not enabled for this account on regions: [' || string_agg(region, ',') || ']' \n when max(status) = 1 then 'Account is not opted in regions: [' || string_agg(region, ',') || ']'\n when max(status) = 0 then 'AWS Config is enabled for this account on regions: [' || string_agg(region, ',') || ']'\n end as reason\n FROM regions\n GROUP BY account_id, og_account_id\n)\nSELECT \n r.resource AS resource,\n r.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n r.status as status,\n r.reason as reason\nFROM results as r JOIN aws_account as a ON r.og_account_id = a.og_account_id\n" PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_config_configuration_recorder - - aws_region + - aws_account + - 
aws_config_configuration_recorder + - aws_region Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.5" + - "2.5" cis_level: - - "1" + - "1" cis_section_id: - - "2" + - "2" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/Config + - AWS/Config +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dax_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_dax_cluster_encryption_at_rest_enabled.yaml index 86ce5d4d6..5abb16be7 100755 --- a/compliance/controls/aws/aws_dax_cluster_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_dax_cluster_encryption_at_rest_enabled.yaml 
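Review bot: The `global_recorders` CTE counts recorders across every account in `aws_config_configuration_recorder` without an `account_id`, and is then cross-joined into `regions` (`from global_recorders as g, aws_region as a`), so one account with a compliant global recorder satisfies `g.global_config_recorders >= 1` for all accounts in the dataset. Group the CTE by `account_id` and join it on the account instead of the implicit cross join, as sketched below. The unqualified `status ->> 'Recording'` in the same CTE presumably resolves to the left-joined recorder `r`; qualifying it as `r.status` makes that explicit and avoids ambiguity if `aws_region` ever gains a `status` column.
```sql
with global_recorders as (
  select
    account_id,
    count(*) as global_config_recorders
  from
    aws_config_configuration_recorder
  where
    -- … unchanged: recording_group / status predicates …
  group by
    account_id
),
regions as (
  select
    -- … unchanged: resource, og_* columns and status case (with r.status qualified) …
  from
    aws_region as a
    left join global_recorders as g on g.account_id = a.account_id
    left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name
),
-- … unchanged: results CTE and final select …
```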
@@ -1,42 +1,26 @@ ID: aws_dax_cluster_encryption_at_rest_enabled Title: "DynamoDB Accelerator (DAX) clusters should be encrypted at rest" Description: "This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. For example, API permissions are required to decrypt the data before it can be read." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when sse_description ->> 'Status' = 'ENABLED' then 'ok' - else 'alarm' - end as status, - case - when sse_description ->> 'Status' = 'ENABLED' then title || ' encryption at rest enabled.' - else title || ' encryption at rest not enabled.' - end as reason - - , region, account_id - from - aws_dax_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when sse_description ->> 'Status' = 'ENABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when sse_description ->> 'Status' = 'ENABLED' then title || ' encryption at rest enabled.'\n else title || ' encryption at rest not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_dax_cluster;\n" PrimaryTable: aws_dax_cluster ListOfTables: - - aws_dax_cluster + - aws_dax_cluster Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_at_rest + - encryption_of_data_at_rest foundational_security_item_id: - - dynamodb_3 + - dynamodb_3 plugin: - - aws + - aws service: - - AWS/DynamoDB + - AWS/DynamoDB +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_directory_service_certificate_expires_90_days.yaml b/compliance/controls/aws/aws_directory_service_certificate_expires_90_days.yaml index 2f0a1847d..ad8eb8850 100755 --- a/compliance/controls/aws/aws_directory_service_certificate_expires_90_days.yaml +++ b/compliance/controls/aws/aws_directory_service_certificate_expires_90_days.yaml @@ -1,8 +1,6 @@ ID: aws_directory_service_certificate_expires_90_days Title: "Directory Service certificates should not expire within 90 days" Description: "Is is recommended to monitor certificate expiration and implement automated alerts to notify the responsible team for timely certificate replacement or removal." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -20,7 +18,9 @@ Query: aws_directory_service_certificate; PrimaryTable: aws_directory_service_certificate ListOfTables: - - aws_directory_service_certificate + - aws_directory_service_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_directory_service_directory_snapshots_limit_2.yaml b/compliance/controls/aws/aws_directory_service_directory_snapshots_limit_2.yaml index eec6caa58..08832081c 100755 --- a/compliance/controls/aws/aws_directory_service_directory_snapshots_limit_2.yaml +++ b/compliance/controls/aws/aws_directory_service_directory_snapshots_limit_2.yaml @@ -1,8 +1,6 @@ ID: aws_directory_service_directory_snapshots_limit_2 Title: "Directory Service directories manual snapshots limit should not be less than 2" Description: "Ensure you keep track of the number of manual snapshots for your monitor to guarantee sufficient capacity when it becomes necessary." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -24,7 +22,9 @@ Query: aws_directory_service_directory; PrimaryTable: aws_directory_service_directory ListOfTables: - - aws_directory_service_directory + - aws_directory_service_directory Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_directory_service_directory_sns_notifications_enabled.yaml b/compliance/controls/aws/aws_directory_service_directory_sns_notifications_enabled.yaml index 1d5bb779e..effe35a61 100755 --- a/compliance/controls/aws/aws_directory_service_directory_sns_notifications_enabled.yaml +++ b/compliance/controls/aws/aws_directory_service_directory_sns_notifications_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_directory_service_directory_sns_notifications_enabled Title: "Directory Service directories should have SNS notification enabled" Description: "This control verifies whether SNS messaging has been set up to receive email or text notifications for any changes in the directory's status." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_directory_service_directory; PrimaryTable: aws_directory_service_directory ListOfTables: - - aws_directory_service_directory + - aws_directory_service_directory Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml b/compliance/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml index 880ac4a2d..a681fd4d1 100755 --- a/compliance/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml +++ b/compliance/controls/aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_dlm_ebs_snapshot_lifecycle_policy_enabled Title: "DLM EBS snapshot lifecycle policy should be enabled" Description: "Ensure DLM EBS snapshot lifecycle policy is enabled in all the regions with EBS snapshots." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -46,8 +44,10 @@ Query: left join dlm_ebs_lifecycle_policy as p on p.region = r.region and r.account_id = p.account_id; PrimaryTable: aws_dlm_lifecycle_policy ListOfTables: - - aws_ebs_snapshot - - aws_dlm_lifecycle_policy + - aws_ebs_snapshot + - aws_dlm_lifecycle_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dms_certificate_not_expired.yaml b/compliance/controls/aws/aws_dms_certificate_not_expired.yaml index bfcd04fb1..cdcd9876a 100755 --- a/compliance/controls/aws/aws_dms_certificate_not_expired.yaml +++ b/compliance/controls/aws/aws_dms_certificate_not_expired.yaml 
@@ -1,32 +1,14 @@ ID: aws_dms_certificate_not_expired Title: "Ensure that all the expired DMS certificates are removed" Description: "This control ensures that all expired DMS certificates are removed from AWS account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when valid_to_date < (current_date - interval '1' second) then 'alarm' - else 'ok' - end as status, - case - when valid_to_date < (current_date - interval '1' second) then - title || ' expired ' || to_char(valid_to_date, 'DD-Mon-YYYY') || '.' - else - title || ' valid until ' || to_char(valid_to_date, 'DD-Mon-YYYY') || '.' - end as reason - - - from - aws_dms_certificate; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when valid_to_date < (current_date - interval '1' second) then 'alarm'\n else 'ok'\n end as status,\n case\n when valid_to_date < (current_date - interval '1' second) then\n title || ' expired ' || to_char(valid_to_date, 'DD-Mon-YYYY') || '.'\n else\n title || ' valid until ' || to_char(valid_to_date, 'DD-Mon-YYYY') || '.'\n end as reason\n \n \nfrom\n aws_dms_certificate;" PrimaryTable: aws_dms_certificate ListOfTables: - - aws_dms_certificate + - aws_dms_certificate Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dms_endpoint_ssl_configured.yaml b/compliance/controls/aws/aws_dms_endpoint_ssl_configured.yaml index 55a7f2bc5..baa7f6623 100755 --- a/compliance/controls/aws/aws_dms_endpoint_ssl_configured.yaml +++ b/compliance/controls/aws/aws_dms_endpoint_ssl_configured.yaml 
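Review bot: A certificate with a null `valid_to_date` is reported as `'ok'`, because `valid_to_date < (current_date - interval '1' second)` evaluates to null and falls through to the `else` branch; for a control whose purpose is to catch expired certificates that is the wrong default, so guard it with `when valid_to_date is null or valid_to_date < now() then 'alarm'`. Using `now()` also removes the day granularity: `current_date - interval '1' second` is the last second of yesterday (assuming PostgreSQL date arithmetic), so a certificate that expired earlier today still reads `'ok'` until tomorrow. The same fail-open shape, a null column falling into the `else 'ok'` branch, is in the aws_dms_endpoint_ssl_configured (`ssl_mode = 'none'`) and aws_dms_replication_instance_not_publicly_accessible (`publicly_accessible`) hunks below.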
@@ -1,30 +1,14 @@ ID: aws_dms_endpoint_ssl_configured Title: "DMS endpoints should use SSL" Description: "This control checks whether an AWS DMS endpoint uses an SSL connection. The control fails if the endpoint doesn't use SSL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when ssl_mode = 'none' then 'alarm' - else 'ok' - end as status, - case - when ssl_mode = 'none' then title || ' SSL not configured.' - else title || ' SSL configured.' - end as reason - - - from - aws_dms_endpoint; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when ssl_mode = 'none' then 'alarm'\n else 'ok'\n end as status,\n case\n when ssl_mode = 'none' then title || ' SSL not configured.'\n else title || ' SSL configured.'\n end as reason\n \n \nfrom\n aws_dms_endpoint;" PrimaryTable: aws_dms_endpoint ListOfTables: - - aws_dms_endpoint + - aws_dms_endpoint Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dms_replication_instance_automatic_minor_version_upgrade_enabled.yaml b/compliance/controls/aws/aws_dms_replication_instance_automatic_minor_version_upgrade_enabled.yaml index 52309f718..98415eb7c 100755 --- a/compliance/controls/aws/aws_dms_replication_instance_automatic_minor_version_upgrade_enabled.yaml +++ b/compliance/controls/aws/aws_dms_replication_instance_automatic_minor_version_upgrade_enabled.yaml 
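Review bot: `when ssl_mode = 'none' then 'alarm' else 'ok'` treats every value other than `none` as compliant, but if this column carries the DMS SSL modes I know of (`none`, `require`, `verify-ca`, `verify-full`), then `require` only encrypts the connection and does not verify the server certificate, so it does not protect against a spoofed endpoint. Consider either calling that out in the reason text or alarming on it as well, e.g. `when ssl_mode is null or ssl_mode in ('none', 'require') then 'alarm'`, which also closes the null case. The page does not show the column's value set, so confirm it against what aws_dms_endpoint actually collects before tightening the check.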
@@ -1,8 +1,6 @@ ID: aws_dms_replication_instance_automatic_minor_version_upgrade_enabled Title: "DMS replication instances should have automatic minor version upgrade enabled" Description: "This control checks if automatic minor version upgrade is enabled for an AWS DMS replication instance. The control fails if automatic minor version upgrade isn't enabled for a DMS replication instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_dms_replication_instance; PrimaryTable: aws_dms_replication_instance ListOfTables: - - aws_dms_replication_instance + - aws_dms_replication_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dms_replication_instance_not_publicly_accessible.yaml b/compliance/controls/aws/aws_dms_replication_instance_not_publicly_accessible.yaml index f2bec6076..cb9f8b978 100755 --- a/compliance/controls/aws/aws_dms_replication_instance_not_publicly_accessible.yaml +++ b/compliance/controls/aws/aws_dms_replication_instance_not_publicly_accessible.yaml 
@@ -1,66 +1,50 @@ ID: aws_dms_replication_instance_not_publicly_accessible Title: "DMS replication instances should not be publicly accessible" Description: "Manage access to the AWS Cloud by ensuring DMS replication instances cannot be publicly accessed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when publicly_accessible then 'alarm' - else 'ok' - end as status, - case - when publicly_accessible then title || ' publicly accessible.' - else title || ' not publicly accessible.' - end as reason - - , region, account_id - from - aws_dms_replication_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when publicly_accessible then 'alarm'\n else 'ok'\n end as status,\n case\n when publicly_accessible then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end as reason\n \n , region, account_id\nfrom\n aws_dms_replication_instance;\n" PrimaryTable: aws_dms_replication_instance ListOfTables: - - aws_dms_replication_instance + - aws_dms_replication_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/DMS + - AWS/DMS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_dms_replication_task_source_database_logging_enabled.yaml b/compliance/controls/aws/aws_dms_replication_task_source_database_logging_enabled.yaml index 4cdef5b57..6b38a51db 100755 --- a/compliance/controls/aws/aws_dms_replication_task_source_database_logging_enabled.yaml +++ b/compliance/controls/aws/aws_dms_replication_task_source_database_logging_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_dms_replication_task_source_database_logging_enabled Title: "DMS replication tasks for the source database should have logging enabled" Description: "This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks SOURCE_CAPTURE and SOURCE_UNLOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -39,7 +37,9 @@ Query: left join replication_task_logging as l on l.arn = t.arn; PrimaryTable: aws_dms_replication_task ListOfTables: - - aws_dms_replication_task + - aws_dms_replication_task Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_docdb_cluster_backup_retention_period_7_days.yaml b/compliance/controls/aws/aws_docdb_cluster_backup_retention_period_7_days.yaml index cb3ee1828..8c0394163 100755 --- a/compliance/controls/aws/aws_docdb_cluster_backup_retention_period_7_days.yaml +++ b/compliance/controls/aws/aws_docdb_cluster_backup_retention_period_7_days.yaml 
@@ -1,8 +1,6 @@ ID: aws_docdb_cluster_backup_retention_period_7_days Title: "AWS DocumentDB clusters should have an adequate backup retention period" Description: "This control checks whether an AWS DocumentDB cluster has a backup retention period greater than or equal to 7 days. The control fails if the backup retention period is less than 7 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -19,7 +17,9 @@ Query: aws_docdb_cluster; PrimaryTable: aws_docdb_cluster ListOfTables: - - aws_docdb_cluster + - aws_docdb_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_docdb_cluster_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_docdb_cluster_deletion_protection_enabled.yaml index fb478952a..bcd157038 100755 --- a/compliance/controls/aws/aws_docdb_cluster_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_docdb_cluster_deletion_protection_enabled.yaml 
@@ -1,30 +1,14 @@ ID: aws_docdb_cluster_deletion_protection_enabled Title: "DocumentDB clusters should have deletion protection enabled" Description: "Ensure DocumentDB clusters have deletion protection enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when deletion_protection then 'ok' - else 'alarm' - end status, - case - when deletion_protection then title || ' deletion protection enabled.' - else title || ' deletion protection disabled.' - end reason - - - from - aws_docdb_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when deletion_protection then 'ok'\n else 'alarm'\n end status,\n case\n when deletion_protection then title || ' deletion protection enabled.'\n else title || ' deletion protection disabled.'\n end reason\n \n \nfrom\n aws_docdb_cluster;" PrimaryTable: aws_docdb_cluster ListOfTables: - - aws_docdb_cluster + - aws_docdb_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_docdb_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_docdb_cluster_encryption_at_rest_enabled.yaml index 037fe9db6..4a5e0f9ad 100755 --- a/compliance/controls/aws/aws_docdb_cluster_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_docdb_cluster_encryption_at_rest_enabled.yaml 
@@ -1,30 +1,14 @@ ID: aws_docdb_cluster_encryption_at_rest_enabled Title: "AWS DocumentDB clusters should be encrypted at rest" Description: "This control checks whether an AWS DocumentDB cluster is encrypted at rest. The control fails if an AWS DocumentDB cluster isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_docdb_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_docdb_cluster;" PrimaryTable: aws_docdb_cluster ListOfTables: - - aws_docdb_cluster + - aws_docdb_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_docdb_cluster_instance_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_docdb_cluster_instance_encryption_at_rest_enabled.yaml index d6405f3e6..fe7a57605 100755 --- a/compliance/controls/aws/aws_docdb_cluster_instance_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_docdb_cluster_instance_encryption_at_rest_enabled.yaml 
@@ -1,30 +1,14 @@ ID: aws_docdb_cluster_instance_encryption_at_rest_enabled Title: "DocumentDB instance should be encrypted at rest" Description: "This control checks whether an DocumentDB instance is encrypted at rest. The control fails if an DocumentDB instance isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - db_instance_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_docdb_cluster_instance; + QueryToExecute: "select\n db_instance_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_docdb_cluster_instance;" PrimaryTable: aws_docdb_cluster_instance ListOfTables: - - aws_docdb_cluster_instance + - aws_docdb_cluster_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_docdb_cluster_instance_logging_enabled.yaml b/compliance/controls/aws/aws_docdb_cluster_instance_logging_enabled.yaml index e3a13ae63..d075a2e59 100755 --- a/compliance/controls/aws/aws_docdb_cluster_instance_logging_enabled.yaml +++ b/compliance/controls/aws/aws_docdb_cluster_instance_logging_enabled.yaml 
@@ -1,32 +1,14 @@ ID: aws_docdb_cluster_instance_logging_enabled Title: "DocumentDB instance logging should be enabled" Description: "To help with logging and monitoring within your environment, ensure AWS DocumentDB instance logging is enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - db_instance_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - engine, - case - when engine like 'docdb' and enabled_cloudwatch_logs_exports ?& array ['error', 'slowquery'] then 'ok' - else 'alarm' - end as status, - case - when engine like 'docdb' and enabled_cloudwatch_logs_exports ?& array ['error', 'slowquery'] - then title || ' ' || engine || ' logging enabled.' - else title || ' logging not enabled.' - end as reason - - - from - aws_docdb_cluster_instance; + QueryToExecute: "select\n db_instance_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n engine,\n case\n when engine like 'docdb' and enabled_cloudwatch_logs_exports ?& array ['error', 'slowquery'] then 'ok'\n else 'alarm'\n end as status,\n case\n when engine like 'docdb' and enabled_cloudwatch_logs_exports ?& array ['error', 'slowquery']\n then title || ' ' || engine || ' logging enabled.'\n else title || ' logging not enabled.'\n end as reason\n \n \nfrom\n aws_docdb_cluster_instance;" PrimaryTable: aws_docdb_cluster_instance ListOfTables: - - aws_docdb_cluster_instance + - aws_docdb_cluster_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_drs_job_enabled.yaml b/compliance/controls/aws/aws_drs_job_enabled.yaml index b97a31366..5fe481000 100755 --- a/compliance/controls/aws/aws_drs_job_enabled.yaml +++ b/compliance/controls/aws/aws_drs_job_enabled.yaml 
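Review bot: The `'ok'` condition requires `enabled_cloudwatch_logs_exports ?& array ['error', 'slowquery']`, but those export names are the RDS MySQL log types; as far as I know Amazon DocumentDB's exportable log types are `audit` and `profiler`, so this condition would never hold and every instance would alarm regardless of its configuration. Please verify the values present in the collected `enabled_cloudwatch_logs_exports` data and adjust the array accordingly. Separately, `engine like 'docdb'` has no wildcard and is just an equality test; `engine = 'docdb'` says what is meant.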
@@ -1,44 +1,15 @@ ID: aws_drs_job_enabled Title: "DRS jobs should be enabled" Description: "Ensure that DRS is enabled with jobs. This rule is non-compliant if DRS is not enabled with jobs for a particular region." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with drs_job_count as ( - select - count(*) as count, - region, - account_id, - _ctx - from - aws_drs_job - group by - region, - account_id, - _ctx - ) - select - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, - r.og_account_id as og_account_id, - r.og_resource_id as og_resource_id, - case - when drs_job_count.count = 0 or drs_job_count.count is null then 'alarm' - else 'ok' - end as status, - case - when drs_job_count.count = 0 or drs_job_count.count is null then 'DRS job not enabled for region ' || r.region || '.' - else 'DRS job enabled for region ' || r.region || '.' - end as reason - - from - aws_region as r - left join drs_job_count on r.region = drs_job_count.region; + QueryToExecute: "with drs_job_count as (\n select\n count(*) as count,\n region,\n account_id,\n _ctx\n from\n aws_drs_job\n group by\n region,\n account_id,\n _ctx\n)\nselect\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\nr.og_account_id as og_account_id,\nr.og_resource_id as og_resource_id,\n case\n when drs_job_count.count = 0 or drs_job_count.count is null then 'alarm'\n else 'ok'\n end as status,\n case\n when drs_job_count.count = 0 or drs_job_count.count is null then 'DRS job not enabled for region ' || r.region || '.'\n else 'DRS job enabled for region ' || r.region || '.'\n end as reason\n \nfrom\n aws_region as r\n left join drs_job_count on r.region = drs_job_count.region;" PrimaryTable: aws_drs_job ListOfTables: - - aws_drs_job - - aws_region + - aws_drs_job + - aws_region Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
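Review bot: The final join is `left join drs_job_count on r.region = drs_job_count.region` while the CTE groups by `region, account_id, _ctx`, so the account dimension is dropped: in a multi-account dataset a job in any account makes the same region report `'ok'` for every account, and grouping by `_ctx` can produce several CTE rows per region, which duplicates result rows. Join on the account as well, `left join drs_job_count on r.region = drs_job_count.region and r.account_id = drs_job_count.account_id`, and drop `_ctx` from the CTE unless it is needed. Whether the collected data spans several accounts is not visible here, so treat this as something to confirm.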
diff --git a/compliance/controls/aws/aws_dynamodb_table_auto_scaling_enabled.yaml b/compliance/controls/aws/aws_dynamodb_table_auto_scaling_enabled.yaml index 8b71bfa3c..a21faf265 100755 --- a/compliance/controls/aws/aws_dynamodb_table_auto_scaling_enabled.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_auto_scaling_enabled.yaml 
@@ -1,72 +1,43 @@ ID: aws_dynamodb_table_auto_scaling_enabled Title: "DynamoDB table auto scaling should be enabled" Description: "AWS DynamoDB auto scaling uses the AWS Application Auto Scaling service to adjust provisioned throughput capacity that automatically responds to actual traffic patterns." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with table_with_autocaling as ( - select - t.resource_id as resource_id, - count(t.resource_id) as count - from - aws_appautoscaling_target as t where service_namespace = 'dynamodb' - group by t.resource_id - ) - select - d.arn as resource, - d.og_account_id as og_account_id, - d.og_resource_id as og_resource_id, - case - when d.billing_mode = 'PAY_PER_REQUEST' then 'ok' - when t.resource_id is null then 'alarm' - when t.count < 2 then 'alarm' - else 'ok' - end as status, - case - when d.billing_mode = 'PAY_PER_REQUEST' then d.title || ' on-demand mode enabled.' - when t.resource_id is null then d.title || ' autoscaling not enabled.' - when t.count < 2 then d.title || ' auto scaling not enabled for both read and write capacity.' - else d.title || ' autoscaling enabled for both read and write capacity.' 
- end as reason - - , d.region, d.account_id - from - aws_dynamodb_table as d - left join table_with_autocaling as t on concat('table/', d.name) = t.resource_id; + QueryToExecute: "with table_with_autocaling as (\n select\n t.resource_id as resource_id,\n count(t.resource_id) as count\n from\n aws_appautoscaling_target as t where service_namespace = 'dynamodb'\n group by t.resource_id\n)\nselect\n d.arn as resource,\n d.og_account_id as og_account_id,\n d.og_resource_id as og_resource_id,\n case\n when d.billing_mode = 'PAY_PER_REQUEST' then 'ok'\n when t.resource_id is null then 'alarm'\n when t.count < 2 then 'alarm'\n else 'ok'\n end as status,\n case\n when d.billing_mode = 'PAY_PER_REQUEST' then d.title || ' on-demand mode enabled.'\n when t.resource_id is null then d.title || ' autoscaling not enabled.'\n when t.count < 2 then d.title || ' auto scaling not enabled for both read and write capacity.'\n else d.title || ' autoscaling enabled for both read and write capacity.'\n end as reason\n \n , d.region, d.account_id\nfrom\n aws_dynamodb_table as d\n left join table_with_autocaling as t on concat('table/', d.name) = t.resource_id;\n" PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_appautoscaling_target - - aws_dynamodb_table + - aws_appautoscaling_target + - aws_dynamodb_table Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/DynamoDB + - AWS/DynamoDB +IntegrationTypeName: + - aws_cloud 
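Review bot: The CTE `table_with_autocaling` groups `aws_appautoscaling_target` by `resource_id` alone and the outer query joins on `concat('table/', d.name) = t.resource_id`, so neither account nor region scopes the match; if the data spans several accounts or regions, a same-named table elsewhere that has autoscaling targets will make this table pass, and targets from different regions add up in `count`. Carry `t.account_id` and `t.region` through the CTE's select list and `group by`, and extend the join with `and d.account_id = t.account_id and d.region = t.region`. The page does not show whether the collected data is multi-account, so confirm before changing it.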
diff --git a/compliance/controls/aws/aws_dynamodb_table_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_dynamodb_table_deletion_protection_enabled.yaml index b47823424..b6ee770dc 100755 --- a/compliance/controls/aws/aws_dynamodb_table_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_deletion_protection_enabled.yaml @@ -1,30 +1,14 @@ ID: aws_dynamodb_table_deletion_protection_enabled Title: "DynamoDB table should have deletion protection enabled" Description: "This control checks whether an Amazon DynamoDB table has deletion protection enabled. The control fails if a DynamoDB table doesn't have deletion protection enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when deletion_protection_enabled then 'ok' - else 'alarm' - end as status, - case - when deletion_protection_enabled then title || ' deletion protection enabled.' - else title || ' deletion protection disabled.' - end as reason - - - from - aws_dynamodb_table; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when deletion_protection_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when deletion_protection_enabled then title || ' deletion protection enabled.'\n else title || ' deletion protection disabled.'\n end as reason\n \n \nfrom\n aws_dynamodb_table;" PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_dynamodb_table + - aws_dynamodb_table Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dynamodb_table_encrypted_with_kms.yaml b/compliance/controls/aws/aws_dynamodb_table_encrypted_with_kms.yaml index f9dd0b9ff..3e57ad5e3 100755 --- a/compliance/controls/aws/aws_dynamodb_table_encrypted_with_kms.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_encrypted_with_kms.yaml 
@@ -1,60 +1,44 @@ ID: aws_dynamodb_table_encrypted_with_kms Title: "DynamoDB table should be encrypted with AWS KMS" Description: "Ensure that encryption is enabled for your AWS DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when sse_description is null then 'alarm' - else 'ok' - end as status, - case - when sse_description is null then title || ' not encrypted with KMS.' - else title || ' encrypted with KMS.' - end as reason - - , region, account_id - from - aws_dynamodb_table; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when sse_description is null then 'alarm'\n else 'ok'\n end as status,\n case\n when sse_description is null then title || ' not encrypted with KMS.'\n else title || ' encrypted with KMS.'\n end as reason\n \n , region, account_id\nfrom\n aws_dynamodb_table;\n" PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_dynamodb_table + - aws_dynamodb_table Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/DynamoDB + - AWS/DynamoDB +IntegrationTypeName: + - aws_cloud 
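Review bot: The control is titled "DynamoDB table should be encrypted with AWS KMS" but the status only tests `sse_description is null`, so a table whose `sse_description` reports a non-KMS `SSEType` is still reported as `'encrypted with KMS.'`; the sibling control aws_dynamodb_table_encryption_enabled later in this diff does check `sse_description ->> 'SSEType' = 'KMS'`, so the two controls disagree on what KMS encryption means. Aligning this one would be `when coalesce(sse_description ->> 'SSEType', '') <> 'KMS' then 'alarm'` in both `case` expressions, which also keeps a null `sse_description` as an alarm.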
diff --git a/compliance/controls/aws/aws_dynamodb_table_encryption_enabled.yaml b/compliance/controls/aws/aws_dynamodb_table_encryption_enabled.yaml index 2e54fc3d4..9261030d0 100755 --- a/compliance/controls/aws/aws_dynamodb_table_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_encryption_enabled.yaml 
@@ -1,51 +1,32 @@ ID: aws_dynamodb_table_encryption_enabled Title: "DynamoDB table should have encryption enabled" Description: "Ensure that encryption is enabled for your AWS DynamoDB tables. Because sensitive data can exist at rest in these tables, enable encryption at rest to help protect that data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when sse_description is not null and sse_description ->> 'SSEType' = 'KMS' then 'ok' - when sse_description is null then 'ok' - else 'alarm' - end as status, - case - when sse_description is not null and sse_description ->> 'SSEType' = 'KMS' - then title || ' encrypted with AWS KMS.' - when sse_description is null then title || ' encrypted with DynamoDB managed CMK.' - else title || ' not encrypted with CMK.' - end as reason - - , region, account_id - from - aws_dynamodb_table; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when sse_description is not null and sse_description ->> 'SSEType' = 'KMS' then 'ok'\n when sse_description is null then 'ok'\n else 'alarm'\n end as status,\n case\n when sse_description is not null and sse_description ->> 'SSEType' = 'KMS'\n then title || ' encrypted with AWS KMS.'\n when sse_description is null then title || ' encrypted with DynamoDB managed CMK.'\n else title || ' not encrypted with CMK.'\n end as reason\n \n , region, account_id\nfrom\n aws_dynamodb_table;\n" PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_dynamodb_table + - aws_dynamodb_table Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance gdpr: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - 
aws + - aws service: - - AWS/DynamoDB + - AWS/DynamoDB +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dynamodb_table_in_backup_plan.yaml b/compliance/controls/aws/aws_dynamodb_table_in_backup_plan.yaml index 531b9b614..430669463 100755 --- a/compliance/controls/aws/aws_dynamodb_table_in_backup_plan.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_in_backup_plan.yaml 
@@ -1,95 +1,49 @@ ID: aws_dynamodb_table_in_backup_plan Title: "DynamoDB tables should be in a backup plan" Description: "To help with data back-up processes, ensure your AWS DynamoDB tables are a part of an AWS Backup plan." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with mapped_with_id as ( - select - jsonb_agg(elems) as mapped_ids - from - aws_backup_selection, - jsonb_array_elements(resources) as elems - group by backup_plan_id - ), - mapped_with_tags as ( - select - jsonb_agg(elems ->> 'ConditionKey') as mapped_tags - from - aws_backup_selection, - jsonb_array_elements(list_of_tags) as elems - group by backup_plan_id - ), - backed_up_table as ( - select - t.name - from - aws_dynamodb_table as t - join mapped_with_id as m on m.mapped_ids ?| array[t.arn] - union - select - t.name - from - aws_dynamodb_table as t - join mapped_with_tags as m on m.mapped_tags ?| array(select jsonb_object_keys(tags)) - ) - select - t.arn as resource, - t.og_account_id as og_account_id, - t.og_resource_id as og_resource_id, - case - when b.name is null then 'alarm' - else 'ok' - end as status, - case - when b.name is null then t.title || ' not in backup plan.' - else t.title || ' in backup plan.' 
- end as reason - - , t.region, t.account_id - from - aws_dynamodb_table as t - left join backed_up_table as b on t.name = b.name; + QueryToExecute: "with mapped_with_id as (\n select\n jsonb_agg(elems) as mapped_ids\n from\n aws_backup_selection,\n jsonb_array_elements(resources) as elems\n group by backup_plan_id\n),\nmapped_with_tags as (\n select\n jsonb_agg(elems ->> 'ConditionKey') as mapped_tags\n from\n aws_backup_selection,\n jsonb_array_elements(list_of_tags) as elems\n group by backup_plan_id\n),\nbacked_up_table as (\n select\n t.name\n from\n aws_dynamodb_table as t\n join mapped_with_id as m on m.mapped_ids ?| array[t.arn]\n union\n select\n t.name\n from\n aws_dynamodb_table as t\n join mapped_with_tags as m on m.mapped_tags ?| array(select jsonb_object_keys(tags))\n)\nselect\n t.arn as resource,\n t.og_account_id as og_account_id,\n t.og_resource_id as og_resource_id,\n case\n when b.name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when b.name is null then t.title || ' not in backup plan.'\n else t.title || ' in backup plan.'\n end as reason\n \n , t.region, t.account_id\nfrom\n aws_dynamodb_table as t\n left join backed_up_table as b on t.name = b.name;\n" PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_backup_selection - - aws_dynamodb_table + - aws_backup_selection + - aws_dynamodb_table Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" 
service: - - AWS/DynamoDB + - AWS/DynamoDB soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dynamodb_table_point_in_time_recovery_enabled.yaml b/compliance/controls/aws/aws_dynamodb_table_point_in_time_recovery_enabled.yaml index b4343e9b2..1df5f3ede 100755 --- a/compliance/controls/aws/aws_dynamodb_table_point_in_time_recovery_enabled.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_point_in_time_recovery_enabled.yaml 
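Review bot: `mapped_with_tags` collects only `elems ->> 'ConditionKey'` and matches it against `jsonb_object_keys(tags)`, so a table counts as backed up as soon as it carries a tag key named in any selection, regardless of the selection's ConditionValue or condition type; a table tagged backup=false would pass a selection for backup=true (constructed example). Matching should compare key and value together, for instance by aggregating `elems ->> 'ConditionKey'` with `elems ->> 'ConditionValue'` and testing the pairs against `jsonb_each_text(tags)`, and both aggregates should probably be scoped by account so a selection in one account does not vouch for tables in another. The exact-ARN test in `mapped_with_id` would also miss wildcard resource entries, if the collected `resources` lists contain any.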
@@ -1,68 +1,52 @@ ID: aws_dynamodb_table_point_in_time_recovery_enabled Title: "DynamoDB table point-in-time recovery should be enabled" Description: "Enable this rule to check that information has been backed up. It also maintains the backups by ensuring that point-in-time recovery is enabled in AWS DynamoDB." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when lower( point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus' ) = 'disabled' then 'alarm' - else 'ok' - end as status, - case - when lower( point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus' ) = 'disabled' then title || ' point-in-time recovery not enabled.' - else title || ' point-in-time recovery enabled.' - end as reason - - , region, account_id - from - aws_dynamodb_table; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when lower( point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus' ) = 'disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower( point_in_time_recovery_description ->> 'PointInTimeRecoveryStatus' ) = 'disabled' then title || ' point-in-time recovery not enabled.'\n else title || ' point-in-time recovery enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_dynamodb_table;\n" PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_dynamodb_table + - aws_dynamodb_table Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - 
"true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/DynamoDB + - AWS/DynamoDB soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_dynamodb_table_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_dynamodb_table_protected_by_backup_plan.yaml index 1a0ede4e1..e685e0ef8 100755 --- a/compliance/controls/aws/aws_dynamodb_table_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_dynamodb_table_protected_by_backup_plan.yaml 
@@ -1,68 +1,43 @@ ID: aws_dynamodb_table_protected_by_backup_plan Title: "DynamoDB table should be protected by backup plan" Description: "Ensure that AWS DynamoDB tables are protected by a backup plan. The rule is non-compliant if the DynamoDB Table is not covered by a backup plan." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with backup_protected_table as ( - select - resource_arn as arn - from - aws_backup_protected_resource as b - where - resource_type = 'DynamoDB' - ) - select - t.arn as resource, - t.og_account_id as og_account_id, - t.og_resource_id as og_resource_id, - case - when b.arn is not null then 'ok' - else 'alarm' - end as status, - case - when b.arn is not null then t.title || ' is protected by backup plan.' - else t.title || ' is not protected by backup plan.' - end as reason - - , t.region, t.account_id - from - aws_dynamodb_table as t - left join backup_protected_table as b on t.arn = b.arn; + QueryToExecute: "with backup_protected_table as (\n select\n resource_arn as arn\n from\n aws_backup_protected_resource as b\n where\n resource_type = 'DynamoDB'\n)\nselect\n t.arn as resource,\n t.og_account_id as og_account_id,\n t.og_resource_id as og_resource_id,\n case\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is not null then t.title || ' is protected by backup plan.'\n else t.title || ' is not protected by backup plan.'\n end as reason\n \n , t.region, t.account_id\nfrom\n aws_dynamodb_table as t\n left join backup_protected_table as b on t.arn = b.arn;\n" PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_backup_protected_resource - - aws_dynamodb_table + - aws_backup_protected_resource + - aws_dynamodb_table Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - 
- "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/DynamoDB + - AWS/DynamoDB soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ebs_attached_volume_delete_on_termination_enabled.yaml b/compliance/controls/aws/aws_ebs_attached_volume_delete_on_termination_enabled.yaml index 9c9dec609..258ff4c21 100755 --- a/compliance/controls/aws/aws_ebs_attached_volume_delete_on_termination_enabled.yaml +++ b/compliance/controls/aws/aws_ebs_attached_volume_delete_on_termination_enabled.yaml 
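Review bot: In the `backup_protected_table` CTE of aws_dynamodb_table_protected_by_backup_plan the alias `b` on `aws_backup_protected_resource` is never referenced, and because the CTE is not deduplicated a `resource_arn` that appears more than once in that table (presumably possible when a table is protected by several plans or vaults — verify against the collector) is emitted as several `ok` rows for the same `resource`. `select distinct resource_arn as arn` in the CTE removes the duplicates and the dead alias can go. The same CTE shape with the same unused alias is in the aws_ebs_volume_protected_by_backup_plan hunk further down this chunk.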
@@ -1,47 +1,28 @@ ID: aws_ebs_attached_volume_delete_on_termination_enabled Title: "Attached EBS volumes should have delete on termination enabled" Description: "This rule ensures that AWS Elastic Block Store volumes that are attached to AWS Elastic Compute Cloud (AWS EC2) instances are marked for deletion when an instance is terminated." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when state != 'in-use' then 'skip' - when attachment ->> 'DeleteOnTermination' = 'true' then 'ok' - else 'alarm' - end as status, - case - when state != 'in-use' then title || ' not attached to EC2 instance.' - when attachment ->> 'DeleteOnTermination' = 'true' then title || ' attached to ' || (attachment ->> 'InstanceId') || ', delete on termination enabled.' - else title || ' attached to ' || (attachment ->> 'InstanceId') || ', delete on termination disabled.' - end as reason - - , region, account_id - from - aws_ebs_volume - left join jsonb_array_elements(attachments) as attachment on true; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when state != 'in-use' then 'skip'\n when attachment ->> 'DeleteOnTermination' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when state != 'in-use' then title || ' not attached to EC2 instance.'\n when attachment ->> 'DeleteOnTermination' = 'true' then title || ' attached to ' || (attachment ->> 'InstanceId') || ', delete on termination enabled.'\n else title || ' attached to ' || (attachment ->> 'InstanceId') || ', delete on termination disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ebs_volume\n left join jsonb_array_elements(attachments) as attachment on true;\n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: medium Tags: audit_manager_control_tower: - - 
"true" + - "true" category: - - Compliance + - Compliance fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EBS + - AWS/EBS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ebs_attached_volume_encryption_enabled.yaml b/compliance/controls/aws/aws_ebs_attached_volume_encryption_enabled.yaml index d8776ec96..dbdcd01c2 100755 --- a/compliance/controls/aws/aws_ebs_attached_volume_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_ebs_attached_volume_encryption_enabled.yaml 
@@ -1,70 +1,52 @@ ID: aws_ebs_attached_volume_encryption_enabled Title: "Attached EBS volumes should have encryption enabled" Description: "Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when state != 'in-use' then 'skip' - when encrypted then 'ok' - else 'alarm' - end as status, - case - when state != 'in-use' then volume_id || ' not attached.' - when encrypted then volume_id || ' encrypted.' - else volume_id || ' not encrypted.' - end as reason - - , region, account_id - from - aws_ebs_volume; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when state != 'in-use' then 'skip'\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when state != 'in-use' then volume_id || ' not attached.'\n when encrypted then volume_id || ' encrypted.'\n else volume_id || ' not encrypted.'\n end as reason\n \n , region, account_id\nfrom\n aws_ebs_volume;\n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: high Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws 
rbi_cyber_security: - - "true" + - "true" service: - - AWS/EBS + - AWS/EBS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ebs_snapshot_encryption_enabled.yaml b/compliance/controls/aws/aws_ebs_snapshot_encryption_enabled.yaml index a2c0511ee..eabf4f280 100755 --- a/compliance/controls/aws/aws_ebs_snapshot_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_ebs_snapshot_encryption_enabled.yaml @@ -1,30 +1,14 @@ ID: aws_ebs_snapshot_encryption_enabled Title: "EBS snapshots should be encrypted" Description: "Ensure that EBS snapshots are encrypted. This rule is non-compliant if the EBS snapshot is not encrypted." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encrypted then 'ok' - else 'alarm' - end as status, - case - when encrypted then title || ' encryption enabled.' - else title || ' encryption disabled.' - end as reason - - - from - aws_ebs_snapshot; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then title || ' encryption enabled.'\n else title || ' encryption disabled.'\n end as reason\n \n \nfrom\n aws_ebs_snapshot;" PrimaryTable: aws_ebs_snapshot ListOfTables: - - aws_ebs_snapshot + - aws_ebs_snapshot Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ebs_snapshot_not_publicly_restorable.yaml b/compliance/controls/aws/aws_ebs_snapshot_not_publicly_restorable.yaml index 1f0dc4cf2..789391be8 100755 --- a/compliance/controls/aws/aws_ebs_snapshot_not_publicly_restorable.yaml +++ b/compliance/controls/aws/aws_ebs_snapshot_not_publicly_restorable.yaml 
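Review bot: aws_ebs_snapshot_encryption_enabled carries `Severity: low` and `Tags: {}` while the EBS volume encryption controls in the neighbouring hunks (aws_ebs_attached_volume_encryption_enabled, aws_ebs_volume_encryption_at_rest_enabled) are `Severity: high` with full framework tags; an unencrypted snapshot exposes the same data at rest as the volume it was taken from, so the mismatch looks unintended rather than a deliberate rating. If the low rating is intentional, a comment on the `Severity:` line stating why would stop the next reader from re-raising it. Note also that the new quoted value keeps the two whitespace-only lines (`reason\n \n \nfrom`) where the sibling queries emit `, region, account_id`, which reads like an empty generator slot: this control returns no `region`/`account_id` columns while its siblings do.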
@@ -1,66 +1,50 @@ ID: aws_ebs_snapshot_not_publicly_restorable Title: "EBS snapshots should not be publicly restorable" Description: "\"Manage access to the AWS Cloud by ensuring EBS snapshots are not publicly restorable." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then 'alarm' - else 'ok' - end as status, - case - when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then title || ' is publicly restorable.' - else title || ' is not publicly restorable.' - end as reason - - , region, account_id - from - aws_ebs_snapshot; + QueryToExecute: "select\n 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_volume_permissions @> '[{\"Group\": \"all\", \"UserId\": null}]' then 'alarm'\n else 'ok'\n end as status,\n case\n when create_volume_permissions @> '[{\"Group\": \"all\", \"UserId\": null}]' then title || ' is publicly restorable.'\n else title || ' is not publicly restorable.'\n end as reason\n \n , region, account_id\nfrom\n aws_ebs_snapshot;\n" PrimaryTable: aws_ebs_snapshot ListOfTables: - - aws_ebs_snapshot + - aws_ebs_snapshot Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - 
"true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/EBS + - AWS/EBS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ebs_volume_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_ebs_volume_encryption_at_rest_enabled.yaml index 1c810d49d..9a58fb950 100755 --- a/compliance/controls/aws/aws_ebs_volume_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_ebs_volume_encryption_at_rest_enabled.yaml 
@@ -1,46 +1,30 @@ ID: aws_ebs_volume_encryption_at_rest_enabled Title: "EBS volume encryption at rest should be enabled" Description: "Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encrypted then 'ok' - else 'alarm' - end as status, - case - when encrypted then volume_id || ' encrypted.' - else volume_id || ' not encrypted.' - end as reason - - , region, account_id - from - aws_ebs_volume; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then volume_id || ' encrypted.'\n else volume_id || ' not encrypted.'\n end as reason\n \n , region, account_id\nfrom\n aws_ebs_volume;\n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gdpr: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/EBS + - AWS/EBS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ebs_volume_in_backup_plan.yaml b/compliance/controls/aws/aws_ebs_volume_in_backup_plan.yaml index 8d0877f7b..203737c55 100755 --- a/compliance/controls/aws/aws_ebs_volume_in_backup_plan.yaml +++ b/compliance/controls/aws/aws_ebs_volume_in_backup_plan.yaml 
@@ -1,95 +1,49 @@ ID: aws_ebs_volume_in_backup_plan Title: "EBS volumes should be in a backup plan" Description: "To help with data back-up processes, ensure your AWS Elastic Block Store (AWS EBS) volumes are a part of an AWS Backup plan." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with mapped_with_id as ( - select - jsonb_agg(elems) as mapped_ids - from - aws_backup_selection, - jsonb_array_elements(resources) as elems - group by backup_plan_id - ), - mapped_with_tags as ( - select - jsonb_agg(elems ->> 'ConditionKey') as mapped_tags - from - aws_backup_selection, - jsonb_array_elements(list_of_tags) as elems - group by backup_plan_id - ), - backed_up_volume as ( - select - v.volume_id - from - aws_ebs_volume as v - join mapped_with_id as t on t.mapped_ids ?| array[v.arn] - union - select - v.volume_id - from - aws_ebs_volume as v - join mapped_with_tags as t on t.mapped_tags ?| array(select jsonb_object_keys(tags)) - ) - select - v.arn as resource, - v.og_account_id as og_account_id, - v.og_resource_id as og_resource_id, - case - when b.volume_id is null then 'alarm' - else 'ok' - end as status, - case - when b.volume_id is null then v.title || ' not in backup plan.' - else v.title || ' in backup plan.' 
- end as reason - - , v.region, v.account_id - from - aws_ebs_volume as v - left join backed_up_volume as b on v.volume_id = b.volume_id; + QueryToExecute: "with mapped_with_id as (\n select\n jsonb_agg(elems) as mapped_ids\n from\n aws_backup_selection,\n jsonb_array_elements(resources) as elems\n group by backup_plan_id\n),\nmapped_with_tags as (\n select\n jsonb_agg(elems ->> 'ConditionKey') as mapped_tags\n from\n aws_backup_selection,\n jsonb_array_elements(list_of_tags) as elems\n group by backup_plan_id\n),\nbacked_up_volume as (\n select\n v.volume_id\n from\n aws_ebs_volume as v\n join mapped_with_id as t on t.mapped_ids ?| array[v.arn]\n union\n select\n v.volume_id\n from\n aws_ebs_volume as v\n join mapped_with_tags as t on t.mapped_tags ?| array(select jsonb_object_keys(tags))\n)\nselect\n v.arn as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when b.volume_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when b.volume_id is null then v.title || ' not in backup plan.'\n else v.title || ' in backup plan.'\n end as reason\n \n , v.region, v.account_id\nfrom\n aws_ebs_volume as v\n left join backed_up_volume as b on v.volume_id = b.volume_id;\n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_backup_selection - - aws_ebs_volume + - aws_backup_selection + - aws_ebs_volume Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - 
"true" service: - - AWS/EBS + - AWS/EBS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ebs_volume_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_ebs_volume_protected_by_backup_plan.yaml index 3333d399d..0cbe18f06 100755 --- a/compliance/controls/aws/aws_ebs_volume_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_ebs_volume_protected_by_backup_plan.yaml 
@@ -1,68 +1,43 @@ ID: aws_ebs_volume_protected_by_backup_plan Title: "EBS volumes should be protected by a backup plan" Description: "Ensure that AWS Elastic Block Store (AWS EBS) volumes are protected by a backup plan. The rule is non-compliant if the AWS EBS volume is not covered by a backup plan." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with backup_protected_volume as ( - select - resource_arn as arn - from - aws_backup_protected_resource as b - where - resource_type = 'EBS' - ) - select - v.arn as resource, - v.og_account_id as og_account_id, - v.og_resource_id as og_resource_id, - case - when b.arn is not null then 'ok' - else 'alarm' - end as status, - case - when b.arn is not null then v.title || ' is protected by backup plan.' - else v.title || ' is not protected by backup plan.' - end as reason - - , v.region, v.account_id - from - aws_ebs_volume as v - left join backup_protected_volume as b on v.arn = b.arn; + QueryToExecute: "with backup_protected_volume as (\n select\n resource_arn as arn\n from\n aws_backup_protected_resource as b\n where\n resource_type = 'EBS'\n)\nselect\n v.arn as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is not null then v.title || ' is protected by backup plan.'\n else v.title || ' is not protected by backup plan.'\n end as reason\n \n , v.region, v.account_id\nfrom\n aws_ebs_volume as v\n left join backup_protected_volume as b on v.arn = b.arn;\n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_backup_protected_resource - - aws_ebs_volume + - aws_backup_protected_resource + - aws_ebs_volume Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" 
hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EBS + - AWS/EBS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ebs_volume_snapshot_exists.yaml b/compliance/controls/aws/aws_ebs_volume_snapshot_exists.yaml index 03bff2b5d..7f7dd61e5 100755 --- a/compliance/controls/aws/aws_ebs_volume_snapshot_exists.yaml +++ b/compliance/controls/aws/aws_ebs_volume_snapshot_exists.yaml @@ -1,8 +1,6 @@ ID: aws_ebs_volume_snapshot_exists Title: "EBS volume snapshots should exist" Description: "Ensure that EBS volume snapshots exist. This rule is non-compliant if the EBS volume does not have any snapshot." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -32,8 +30,10 @@ Query: left join volume_with_snapshots as s on s.volume_id = v.volume_id; PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_snapshot - - aws_ebs_volume + - aws_ebs_snapshot + - aws_ebs_volume Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ebs_volume_unused.yaml b/compliance/controls/aws/aws_ebs_volume_unused.yaml index 05516690e..04a8ccfed 100755 --- a/compliance/controls/aws/aws_ebs_volume_unused.yaml +++ b/compliance/controls/aws/aws_ebs_volume_unused.yaml 
@@ -1,56 +1,40 @@ ID: aws_ebs_volume_unused Title: "EBS volumes should be attached to EC2 instances" Description: "Checks if EBS volumes are attached to EC2 instances." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when state = 'in-use' then 'ok' - else 'alarm' - end as status, - case - when state = 'in-use' then title || ' attached to EC2 instance.' - else title || ' not attached to EC2 instance.' - end as reason - - , region, account_id - from - aws_ebs_volume; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when state = 'in-use' then 'ok'\n else 'alarm'\n end as status,\n case\n when state = 'in-use' then title || ' attached to EC2 instance.'\n else title || ' not attached to EC2 instance.'\n end as reason\n \n , region, account_id\nfrom\n aws_ebs_volume;\n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws score_tags: - - Optimization + - Optimization service: - - AWS/EBS + - AWS/EBS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml b/compliance/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml index b3001d8a9..0c33455fb 100755 --- a/compliance/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_ami_ebs_encryption_enabled.yaml 
@@ -1,8 +1,6 @@ ID: aws_ec2_ami_ebs_encryption_enabled Title: "Ensure Images (AMI's) are encrypted" Description: "Amazon Machine Images should utilize EBS Encrypted snapshots." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -40,7 +38,9 @@ Query: encryption_status e; PrimaryTable: aws_ec2_ami ListOfTables: - - aws_ec2_ami + - aws_ec2_ami Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days.yaml b/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days.yaml index 305bf76ee..9f52503ca 100755 --- a/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days.yaml +++ b/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days.yaml @@ -1,27 +1,14 @@ ID: aws_ec2_ami_not_older_than_90_days Title: "Ensure Images (AMI) are not older than 90 days" Description: "Ensure that your AMIs are not older than 90 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - image_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when creation_date >= (current_date - interval '90 days') then 'ok' - else 'alarm' - end as status, - title || ' created ' || to_char(creation_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - creation_date) || ' days).' as reason - - - from - aws_ec2_ami; + QueryToExecute: "select\n image_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when creation_date >= (current_date - interval '90 days') then 'ok'\n else 'alarm'\n end as status,\n title || ' created ' || to_char(creation_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - creation_date) || ' days).' as reason\n \n \nfrom\n aws_ec2_ami;" PrimaryTable: aws_ec2_ami ListOfTables: - - aws_ec2_ami + - aws_ec2_ami Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_ec2_ami_restrict_public_access.yaml b/compliance/controls/aws/aws_ec2_ami_restrict_public_access.yaml index 2f43f4ac1..0ea9728cc 100755 --- a/compliance/controls/aws/aws_ec2_ami_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_ec2_ami_restrict_public_access.yaml @@ -1,30 +1,14 @@ ID: aws_ec2_ami_restrict_public_access Title: "EC2 AMIs should restrict public access" Description: "This control checks whether EC2 AMIs are set as private or not. The control fails if the EC2 AMIs are set as public." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':image/' || image_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when public then 'alarm' - else 'ok' - end status, - case - when public then title || ' publicly accessible.' - else title || ' not publicly accessible.' - end reason - - - from - aws_ec2_ami; + QueryToExecute: "select\n 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':image/' || image_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when public then 'alarm'\n else 'ok'\n end status,\n case\n when public then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end reason\n \n \nfrom\n aws_ec2_ami;" PrimaryTable: aws_ec2_ami ListOfTables: - - aws_ec2_ami + - aws_ec2_ami Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled.yaml b/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled.yaml index 7d9c1f891..18da30bcd 100755 --- a/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled.yaml 
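Review bot: aws_ec2_ami_restrict_public_access builds `resource` as a constructed ARN (`'arn:' || partition || ':ec2:' || … || ':image/' || image_id`) while aws_ec2_ami_not_older_than_90_days in the preceding hunk uses the bare `image_id`, so the two controls identify the same AMI by different keys and any consumer that groups findings per resource sees them as two resources. Pick one form for the AMI controls; the ARN form is what the EBS snapshot control in this chunk uses. Also `end status` / `end reason` omit the `as` that every other query here uses; `end as status` and `end as reason` keep the style uniform.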
@@ -1,42 +1,26 @@ ID: aws_ec2_classic_lb_connection_draining_enabled Title: "Classic Load Balancers should have connection draining enabled" Description: "This control checks whether Classic Load Balancers have connection draining enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when connection_draining_enabled then 'ok' - else 'alarm' - end as status, - case - when connection_draining_enabled then title || ' connection draining enabled.' - else title || ' connection draining disabled.' - end as reason - - , region, account_id - from - aws_ec2_classic_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when connection_draining_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when connection_draining_enabled then title || ' connection draining enabled.'\n else title || ' connection draining disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_classic_load_balancer;\n" PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resilience + - resilience foundational_security_item_id: - - elb_7 + - elb_7 plugin: - - aws + - aws service: - - AWS/ELB + - AWS/ELB +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_client_vpn_endpoint_client_connection_logging_enabled.yaml b/compliance/controls/aws/aws_ec2_client_vpn_endpoint_client_connection_logging_enabled.yaml index 76a4d8434..95757d171 100755 --- a/compliance/controls/aws/aws_ec2_client_vpn_endpoint_client_connection_logging_enabled.yaml 
+++ b/compliance/controls/aws/aws_ec2_client_vpn_endpoint_client_connection_logging_enabled.yaml @@ -1,30 +1,14 @@ ID: aws_ec2_client_vpn_endpoint_client_connection_logging_enabled Title: "EC2 Client VPN endpoints should have client connection logging enabled" Description: "This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - client_vpn_endpoint_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when (connection_log_options ->> 'Enabled')::bool then 'ok' - else 'alarm' - end as status, - case - when (connection_log_options ->> 'Enabled')::bool then title || ' client connection logging enabled.' - else title || ' client connection logging disabled.' - end as reason - - - from - aws_ec2_client_vpn_endpoint; + QueryToExecute: "select\n client_vpn_endpoint_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when (connection_log_options ->> 'Enabled')::bool then 'ok'\n else 'alarm'\n end as status,\n case\n when (connection_log_options ->> 'Enabled')::bool then title || ' client connection logging enabled.'\n else title || ' client connection logging disabled.'\n end as reason\n \n \nfrom\n aws_ec2_client_vpn_endpoint;" PrimaryTable: aws_ec2_client_vpn_endpoint ListOfTables: - - aws_ec2_client_vpn_endpoint + - aws_ec2_client_vpn_endpoint Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_ebs_default_encryption_enabled.yaml b/compliance/controls/aws/aws_ec2_ebs_default_encryption_enabled.yaml index 7e5b17996..1c0f0539b 100755 --- a/compliance/controls/aws/aws_ec2_ebs_default_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_ebs_default_encryption_enabled.yaml 
@@ -1,8 +1,6 @@ ID: aws_ec2_ebs_default_encryption_enabled Title: "EBS default encryption should be enabled" Description: "To help protect data at rest, ensure that encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -23,39 +21,41 @@ Query: aws_ec2_regional_settings; PrimaryTable: aws_ec2_regional_settings ListOfTables: - - aws_ec2_regional_settings + - aws_ec2_regional_settings Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled.yaml b/compliance/controls/aws/aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled.yaml index 916cd9ebb..57e252e60 100755 --- a/compliance/controls/aws/aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled.yaml 
@@ -1,8 +1,6 @@ ID: aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled Title: "Ensure EBS volumes attached to an EC2 instance is marked for deletion upon instance termination" Description: "This rule ensures that Amazon Elastic Block Store volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances are marked for deletion when an instance is terminated. If an Amazon EBS volume isn't deleted when the instance that it's attached to is terminated, it may violate the concept of least functionality." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |-
@@ -35,7 +33,9 @@ Query: left join ebs_volume_with_delete_on_termination_enabled as e on e.arn = i.arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud
diff --git a/compliance/controls/aws/aws_ec2_instance_detailed_monitoring_enabled.yaml b/compliance/controls/aws/aws_ec2_instance_detailed_monitoring_enabled.yaml
index 3b640de83..83da4a279 100755
--- a/compliance/controls/aws/aws_ec2_instance_detailed_monitoring_enabled.yaml
+++ b/compliance/controls/aws/aws_ec2_instance_detailed_monitoring_enabled.yaml
@@ -1,50 +1,34 @@ ID: aws_ec2_instance_detailed_monitoring_enabled Title: "EC2 instance detailed monitoring should be enabled" Description: "Enable this rule to help improve AWS Elastic Compute Cloud (AWS EC2) instance monitoring on the AWS EC2 console, which displays monitoring graphs with a 1-minute period for the instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when monitoring_state = 'enabled' then 'ok' - else 'alarm' - end as status, - case - when monitoring_state = 'enabled' then instance_id || ' detailed monitoring enabled.' - else instance_id || ' detailed monitoring disabled.' - end as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when monitoring_state = 'enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when monitoring_state = 'enabled' then instance_id || ' detailed monitoring enabled.'\n else instance_id || ' detailed monitoring disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_ebs_optimized.yaml b/compliance/controls/aws/aws_ec2_instance_ebs_optimized.yaml index 5cc2cd6f8..38f39e28f 100755 
--- a/compliance/controls/aws/aws_ec2_instance_ebs_optimized.yaml
+++ b/compliance/controls/aws/aws_ec2_instance_ebs_optimized.yaml
@@ -1,64 +1,48 @@ ID: aws_ec2_instance_ebs_optimized Title: "EC2 instance should have EBS optimization enabled" Description: "An optimized instance in AWS Elastic Block Store (AWS EBS) provides additional, dedicated capacity for AWS EBS I/O operations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when ebs_optimized then 'ok' - else 'alarm' - end as status, - case - when ebs_optimized then title || ' EBS optimization enabled.' - else title || ' EBS optimization disabled.' - end as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when ebs_optimized then 'ok'\n else 'alarm'\n end as status,\n case\n when ebs_optimized then title || ' EBS optimization enabled.'\n else title || ' EBS optimization disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: medium Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_ec2_instance_iam_profile_attached.yaml b/compliance/controls/aws/aws_ec2_instance_iam_profile_attached.yaml
index 4e3a5bb4c..d81d6972c 100755
--- a/compliance/controls/aws/aws_ec2_instance_iam_profile_attached.yaml
+++ b/compliance/controls/aws/aws_ec2_instance_iam_profile_attached.yaml
@@ -1,50 +1,34 @@ ID: aws_ec2_instance_iam_profile_attached Title: "EC2 instances should have IAM profile attached" Description: "Ensure that an AWS Elastic Compute Cloud (AWS EC2) instance has an Identity and Access Management (IAM) profile attached to it. This rule is non-compliant if no IAM profile is attached to the AWS EC2 instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when iam_instance_profile_id is not null then 'ok' - else 'alarm' - end as status, - case - when iam_instance_profile_id is not null then title || ' IAM profile attached.' - else title || ' IAM profile not attached.' - end as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when iam_instance_profile_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when iam_instance_profile_id is not null then title || ' IAM profile attached.'\n else title || ' IAM profile not attached.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_in_vpc.yaml b/compliance/controls/aws/aws_ec2_instance_in_vpc.yaml index ca81b608c..3eb9fb1ee 100755 --- a/compliance/controls/aws/aws_ec2_instance_in_vpc.yaml 
+++ b/compliance/controls/aws/aws_ec2_instance_in_vpc.yaml 
@@ -1,68 +1,52 @@ ID: aws_ec2_instance_in_vpc Title: "EC2 instances should be in a VPC" Description: "Deploy AWS Elastic Compute Cloud (AWS EC2) instances within an AWS Virtual Private Cloud (AWS VPC) to enable secure communication between an instance and other services within the amazon VPC, without requiring an internet gateway, NAT device, or VPN connection." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when vpc_id is null then 'alarm' - else 'ok' - end as status, - case - when vpc_id is null then title || ' not in VPC.' - else title || ' in VPC.' - end as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when vpc_id is null then title || ' not in VPC.'\n else title || ' in VPC.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" score_tags: - - Exposed Endpoints + - Exposed Endpoints service: - - AWS/EC2 + - AWS/EC2 soc_2: - - "true" + - "true" 
+IntegrationTypeName: + - aws_cloud
diff --git a/compliance/controls/aws/aws_ec2_instance_no_amazon_key_pair.yaml b/compliance/controls/aws/aws_ec2_instance_no_amazon_key_pair.yaml
index eda2b513d..64b2598e4 100755
--- a/compliance/controls/aws/aws_ec2_instance_no_amazon_key_pair.yaml
+++ b/compliance/controls/aws/aws_ec2_instance_no_amazon_key_pair.yaml
@@ -1,40 +1,22 @@ ID: aws_ec2_instance_no_amazon_key_pair Title: "EC2 instances should not use key pairs in running state" Description: "This control checks whether running EC2 instances are using key pairs. The control fails if a running EC2 instance uses a key pair." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when instance_state <> 'running' then 'skip' - when key_name is null then 'ok' - else 'alarm' - end as status, - case - when instance_state <> 'running' then title || ' is in ' || instance_state || ' state.' - when key_name is null then title || ' not launched using amazon key pairs.' - else title || ' launched using amazon key pairs.' - end as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when instance_state <> 'running' then 'skip'\n when key_name is null then 'ok'\n else 'alarm'\n end as status,\n case\n when instance_state <> 'running' then title || ' is in ' || instance_state || ' state.'\n when key_name is null then title || ' not launched using amazon key pairs.'\n else title || ' launched using amazon key pairs.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml index 4793b6989..3868c3abe 100755 
--- a/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml
+++ b/compliance/controls/aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml
@@ -1,57 +1,15 @@ ID: aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access Title: "EC2 instance IAM should not allow pass role and lambda invoke function access." Description: "This control ensures that EC2 instance IAM role does not allow pass role and lambda invoke function access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with iam_roles as ( - select - r.arn as role_arn, - i.arn as intance_arn - from - aws_iam_role as r, - jsonb_array_elements_text(instance_profile_arns) as p - left join aws_ec2_instance as i on p = i.iam_instance_profile_arn - where - i.arn is not null - ), iam_role_with_permission as ( - select - arn - from - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, - jsonb_array_elements_text(s -> 'Action') as action - where - arn in (select role_arn from iam_roles) - and s ->> 'Effect' = 'Allow' - and service = 'ec2.amazonaws.com' - and action in ( 'iam:passrole','lambda:createfunction', 'lambda:invokefunction', '*:*') - ) - select - i.arn as resource, - i.og_account_id as og_account_id, - i.og_resource_id as og_resource_id, - case - when p.arn is null then 'ok' - else 'alarm' - end status, - case - when p.arn is null then title || ' has no IAM pass role and lambda invoke function access.' - else title || ' has IAM pass role and lambda invoke function access.' 
- end as reason - - - from - aws_ec2_instance as i - left join iam_roles as r on r.intance_arn = i.arn - left join iam_role_with_permission as p on p.arn = r.role_arn; + QueryToExecute: "with iam_roles as (\n select\n r.arn as role_arn,\n i.arn as intance_arn\n from\n aws_iam_role as r,\n jsonb_array_elements_text(instance_profile_arns) as p\n left join aws_ec2_instance as i on p = i.iam_instance_profile_arn\n where\n i.arn is not null\n), iam_role_with_permission as (\n select\n arn\n from\n aws_iam_role,\n jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n arn in (select role_arn from iam_roles)\n and s ->> 'Effect' = 'Allow'\n and service = 'ec2.amazonaws.com'\n and action in ( 'iam:passrole','lambda:createfunction', 'lambda:invokefunction', '*:*')\n)\nselect\n i.arn as resource,\n i.og_account_id as og_account_id,\n i.og_resource_id as og_resource_id,\n case\n when p.arn is null then 'ok'\n else 'alarm'\n end status,\n case\n when p.arn is null then title || ' has no IAM pass role and lambda invoke function access.'\n else title || ' has IAM pass role and lambda invoke function access.'\n end as reason\n \n \nfrom\n aws_ec2_instance as i\n left join iam_roles as r on r.intance_arn = i.arn\n left join iam_role_with_permission as p on p.arn = r.role_arn;" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml index dc2fca3e3..3e96fcfe3 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml 
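Review bot: The `iam_role_with_permission` CTE filters statements from `assume_role_policy_std -> 'Statement'`, which is the role's trust policy; a trust policy grants `sts:AssumeRole` to a principal and does not carry permission actions such as `iam:passrole` or `lambda:invokefunction`, so the `action in (...)` predicate has nothing to match and every instance comes back `'ok'`, a silent false negative for the very thing the control is named after. Unless `assume_role_policy_std` means something other than the trust document in this schema, the check needs to walk the role's attached and inline permission policies instead, keeping the existing `s ->> 'Effect' = 'Allow'` and action filters. The same CTE is carried into aws_ec2_instance_no_iam_role_with_destruction_rds_access further down, and the unchanged `*_no_iam_role_*` siblings in this commit presumably share it. The alias `intance_arn` is also misspelled on both sides of the hunk.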
+++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access Title: "EC2 instance IAM role should not be attached with credentials exposure access" Description: "This control ensures that EC2 instance IAM role should not be attached with credentials exposure access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -50,8 +48,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration.yaml index 3772bd9e6..d350d6df0 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration Title: "EC2 instance IAM role should not allow to alter critical s3 permissions configuration" Description: "This control ensures that EC2 instance IAM role does not allow to alter critical s3 permissions configuration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -50,8 +48,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml index 7f68e5226..701fa873e 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access Title: "EC2 instance IAM role should not allow cloud log tampering access" Description: "This control ensures that EC2 instance IAM roles do not allow cloud log tampering access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -84,9 +82,11 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance - - iam_roles - - iam_role_with_permission + - aws_ec2_instance + - iam_roles + - iam_role_with_permission Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml index 3e1f9cef4..362d694f0 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_data_destruction_access Title: "EC2 instance IAM role should not allow data destruction access" Description: "This control ensures that EC2 instance IAM role does not allow data destruction access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
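Review bot: `ListOfTables` for aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access names `iam_roles` and `iam_role_with_permission`, which in the passrole and RDS controls of this commit are CTE names rather than tables, while `aws_iam_role`, the table those CTEs read, is absent; the re-indented list keeps that as is. If the list drives table resolution or permission scoping for the engine, it should read `- aws_ec2_instance` / `- aws_iam_role`, matching the other `*_no_iam_role_*` controls. The same list appears in aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access and aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration. The query body is outside this hunk, so the CTE names are inferred from the closing `left join iam_role_with_permission` context line and the sibling files.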
@@ -51,8 +49,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_kms_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_kms_access.yaml index 0b9f883ae..eaa94b3fa 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_kms_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_kms_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_destruction_kms_access Title: "EC2 instance IAM role should not allow destruction KMS access" Description: "This control ensures that EC2 instance IAM roles do not allow destruction KMS access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -48,8 +46,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml index dd24ef546..809cc7821 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml 
@@ -1,57 +1,15 @@ ID: aws_ec2_instance_no_iam_role_with_destruction_rds_access Title: "EC2 instance IAM role should not allow destruction RDS access" Description: "This control ensures that EC2 instance IAM roles do not allow destruction RDS access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with iam_roles as ( - select - r.arn as role_arn, - i.arn as intance_arn - from - aws_iam_role as r, - jsonb_array_elements_text(instance_profile_arns) as p - left join aws_ec2_instance as i on p = i.iam_instance_profile_arn - where - i.arn is not null - ), iam_role_with_permission as ( - select - arn - from - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, - jsonb_array_elements_text(s -> 'Action') as action - where - arn in (select role_arn from iam_roles) - and s ->> 'Effect' = 'Allow' - and service = 'ec2.amazonaws.com' - and action in ( 'srds-data:ExecuteStatement', 'rds-data:BatchExecuteStatement', '*:*') - ) - select - i.arn as resource, - i.og_account_id as og_account_id, - i.og_resource_id as og_resource_id, - case - when p.arn is null then 'ok' - else 'alarm' - end status, - case - when p.arn is null then title || ' has no IAM role with destruction RDS permission.' - else title || ' has IAM role with destruction RDS permission.' 
- end as reason - - - from - aws_ec2_instance as i - left join iam_roles as r on r.intance_arn = i.arn - left join iam_role_with_permission as p on p.arn = r.role_arn; + QueryToExecute: "with iam_roles as (\n select\n r.arn as role_arn,\n i.arn as intance_arn\n from\n aws_iam_role as r,\n jsonb_array_elements_text(instance_profile_arns) as p\n left join aws_ec2_instance as i on p = i.iam_instance_profile_arn\n where\n i.arn is not null\n), iam_role_with_permission as (\n select\n arn\n from\n aws_iam_role,\n jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n arn in (select role_arn from iam_roles)\n and s ->> 'Effect' = 'Allow'\n and service = 'ec2.amazonaws.com'\n and action in ( 'srds-data:ExecuteStatement', 'rds-data:BatchExecuteStatement', '*:*')\n)\nselect\n i.arn as resource,\n i.og_account_id as og_account_id,\n i.og_resource_id as og_resource_id,\n case\n when p.arn is null then 'ok'\n else 'alarm'\n end status,\n case\n when p.arn is null then title || ' has no IAM role with destruction RDS permission.'\n else title || ' has IAM role with destruction RDS permission.'\n end as reason\n \n \nfrom\n aws_ec2_instance as i\n left join iam_roles as r on r.intance_arn = i.arn\n left join iam_role_with_permission as p on p.arn = r.role_arn;" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml index aa4a623d3..34e15b31c 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml 
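Review bot: The action list in `iam_role_with_permission` contains `'srds-data:ExecuteStatement'`, which is not an AWS action name, so the `rds-data:ExecuteStatement` case is silently dropped; and the mixed-case `'rds-data:BatchExecuteStatement'` will not match either if the `_std` document lowercases actions, as the all-lowercase `iam:passrole` list in the sibling passrole control suggests. Writing the list as `'rds-data:executestatement', 'rds-data:batchexecutestatement', '*:*'` would be consistent with that control. Separately, the CTE inspects `assume_role_policy_std`, the trust policy, where permission actions do not normally appear, so even with the names fixed the predicate is unlikely to ever match and the control would keep reporting `'ok'`. The alias `intance_arn` is misspelled as in the passrole file.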
+++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access Title: "EC2 instance IAM role should not allow elastic IP hijacking access." Description: "This control ensures that EC2 instance IAM role does not allow elastic IP hijacking access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -84,9 +82,11 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance - - iam_roles - - iam_role_with_permission + - aws_ec2_instance + - iam_roles + - iam_role_with_permission Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_management_level_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_management_level_access.yaml index 7f10ada61..bb3577aca 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_management_level_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_management_level_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_management_level_access Title: "EC2 instance IAM role should not allow management level access" Description: "This control ensures that EC2 instance IAM role does not allow management level access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -51,8 +49,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access.yaml index 3c3e1c100..ef88bda67 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access Title: "EC2 instance IAM role should not allow new group creation with attached policy access" Description: "This control ensures that EC2 instance IAM role does not allow new group creation with attached policy access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -49,8 +47,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access.yaml index 3edee63a0..2f89fe5b8 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access.yaml 
@@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access Title: "EC2 instance IAM role should not allow new role creation with attached policy access" Description: "This control ensures that EC2 instance IAM role does not allow new role creation with attached policy access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -49,8 +47,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_org_write_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_org_write_access.yaml index f6053bdba..f3f2a179c 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_org_write_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_org_write_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_org_write_access Title: "EC2 instance IAM role should not allow oraganization write access" Description: "This control ensures that EC2 instance IAM role does not allow oraganization write access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -51,8 +49,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access.yaml index 5260d58bb..d55d9e985 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access.yaml 
+++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access Title: "EC2 instance IAM role should not allow privilege escalation risk access" Description: "This control ensures that EC2 instance IAM role does not allow privilege escalation risk access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -51,8 +49,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_security_group_write_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_security_group_write_access.yaml index e638676b1..0e2d0ce14 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_security_group_write_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_security_group_write_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_security_group_write_access Title: "EC2 instance IAM role should not allow security group write access" Description: "This control ensures that EC2 instance IAM roles do not allow security group write access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -48,8 +46,10 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_iam_role - - aws_ec2_instance + - aws_iam_role + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration.yaml index 5cb829a8d..3e5b7e978 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration Title: "EC2 instance IAM role should not allow write permission on critical s3 configuration" Description: "This control ensures that EC2 instance IAM roles do not allow write permission on critical s3 configuration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -72,9 +70,11 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance - - iam_roles - - iam_role_with_permission + - aws_ec2_instance + - iam_roles + - iam_role_with_permission Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_iam_with_write_level_access.yaml b/compliance/controls/aws/aws_ec2_instance_no_iam_with_write_level_access.yaml index 19eb7d59c..ccd698289 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_iam_with_write_level_access.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_iam_with_write_level_access.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_iam_with_write_level_access Title: "EC2 instance IAM role should not allow write level access" Description: "This control ensures that EC2 instance IAM role does not allow write level access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -107,44 +105,46 @@ Query: left join iam_role_with_permission as p on p.arn = r.role_arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance - - aws_iam_role + - aws_ec2_instance + - aws_iam_role Parameters: [] Severity: critical Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/EC2 + - AWS/EC2 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_no_launch_wizard_security_group.yaml b/compliance/controls/aws/aws_ec2_instance_no_launch_wizard_security_group.yaml index b3c92432e..797b59781 100755 --- a/compliance/controls/aws/aws_ec2_instance_no_launch_wizard_security_group.yaml +++ b/compliance/controls/aws/aws_ec2_instance_no_launch_wizard_security_group.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_no_launch_wizard_security_group Title: "EC2 instances should not be attached to 'launch wizard' security groups" Description: "Ensure EC2 instances provisioned in your AWS account are not associated with security groups that have their name prefixed with 'launch-wizard', in order to enforce using secure and custom security groups that exercise the principle of least privilege." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -32,7 +30,9 @@ Query: left join launch_wizard_sg_attached_instance as sg on i.arn = sg.arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_not_older_than_180_days.yaml b/compliance/controls/aws/aws_ec2_instance_not_older_than_180_days.yaml index 105e52425..b9106df40 100755 --- a/compliance/controls/aws/aws_ec2_instance_not_older_than_180_days.yaml +++ b/compliance/controls/aws/aws_ec2_instance_not_older_than_180_days.yaml @@ -1,28 +1,14 @@ ID: aws_ec2_instance_not_older_than_180_days Title: "Ensure no AWS EC2 Instances are older than 180 days" Description: "\"Identify any running AWS EC2 instances older than 180 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - instance_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - launch_time, - case - when launch_time >= (current_date - interval '180 days') then 'ok' - else 'alarm' - end as status, - title || ' created ' || to_char(launch_time , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - launch_time) || ' days).' as reason - - - from - aws_ec2_instance; + QueryToExecute: "select\n instance_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n launch_time,\n case\n when launch_time >= (current_date - interval '180 days') then 'ok'\n else 'alarm'\n end as status,\n title || ' created ' || to_char(launch_time , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - launch_time) || ' days).' as reason\n \n \nfrom\n aws_ec2_instance;" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
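Review bot: The `Description` of the 180-day control keeps a stray escaped quote, `"\"Identify any running ...`, which every YAML loader will surface as a literal `"` at the start of the text; the same defect is in the not-publicly-accessible control below. Drop the `\"` so the value starts with `Identify`. Separately, `QueryToExecute` moves from a `|-` block scalar to a single double-quoted line with embedded `\n`; the loaded value is the same (the trailing newline is stripped in both forms), but the SQL is no longer readable or line-diffable in review and backslashes now need doubling, as the user-data-secrets control later in this change shows with `\\d`. Keeping `QueryToExecute: |-` with the statement on indented lines is the usual convention, and the same remark applies to the not-publicly-accessible, multiple-ENI, backup-plan, public-IAM-profile, SSM, user-data, IMDSv2, paravirtual, launch-template, unused-ENI, stopped-30-days and transit-gateway hunks that follow.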
diff --git a/compliance/controls/aws/aws_ec2_instance_not_publicly_accessible.yaml b/compliance/controls/aws/aws_ec2_instance_not_publicly_accessible.yaml index 5fbb96834..25aab33da 100755 --- a/compliance/controls/aws/aws_ec2_instance_not_publicly_accessible.yaml +++ b/compliance/controls/aws/aws_ec2_instance_not_publicly_accessible.yaml 
@@ -1,66 +1,50 @@ ID: aws_ec2_instance_not_publicly_accessible Title: "EC2 instances should not have a public IP address" Description: "\"Manage access to the AWS Cloud by ensuring AWS Elastic Compute Cloud (AWS EC2) instances cannot be publicly accessed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when public_ip_address is null then 'ok' - else 'alarm' - end as status, - case - when public_ip_address is null then instance_id || ' not publicly accessible.' - else instance_id || ' publicly accessible.' - end as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when public_ip_address is null then 'ok'\n else 'alarm'\n end as status,\n case\n when public_ip_address is null then instance_id || ' not publicly accessible.'\n else instance_id || ' publicly accessible.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/EC2 + - AWS/EC2 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_ec2_instance_not_use_multiple_enis.yaml b/compliance/controls/aws/aws_ec2_instance_not_use_multiple_enis.yaml index 4891a53e2..4c3e9af09 100755 --- a/compliance/controls/aws/aws_ec2_instance_not_use_multiple_enis.yaml +++ b/compliance/controls/aws/aws_ec2_instance_not_use_multiple_enis.yaml @@ -1,40 +1,26 @@ ID: aws_ec2_instance_not_use_multiple_enis Title: "EC2 instances should not use multiple ENIs" Description: "This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(network_interfaces) = 1 then 'ok' - else 'alarm' - end status, - title || ' has ' || jsonb_array_length(network_interfaces) || ' ENI(s) attached.' - as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(network_interfaces) = 1 then 'ok'\n else 'alarm'\n end status,\n title || ' has ' || jsonb_array_length(network_interfaces) || ' ENI(s) attached.'\n as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - network_security + - network_security foundational_security_item_id: - - ec2_17 + - ec2_17 plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud 
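Review bot: The `Description` states that the control "includes an optional parameter list to identify the allowed ENIs", but the new side declares `Parameters: []` and the query only tests `jsonb_array_length(network_interfaces) = 1`, so no allow-list exists. Either remove that last sentence of the Description, or add a parameter and an exclusion in the query; until one is done the documented behaviour and the evaluated behaviour disagree. Note also that an instance with zero entries in `network_interfaces`, if the collector can produce such a row, is reported as `alarm`, which may or may not be intended.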
diff --git a/compliance/controls/aws/aws_ec2_instance_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_ec2_instance_protected_by_backup_plan.yaml index 61f480f2d..34c699b2c 100755 --- a/compliance/controls/aws/aws_ec2_instance_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_ec2_instance_protected_by_backup_plan.yaml 
@@ -1,70 +1,45 @@ ID: aws_ec2_instance_protected_by_backup_plan Title: "EC2 instances should be protected by backup plan" Description: "Ensure that AWS Elastic Compute Cloud (AWS EC2) instances are protected by a backup plan. The rule is non-compliant if the AWS EC2 instance is not covered by a backup plan." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with backup_protected_instance as ( - select - resource_arn as arn - from - aws_backup_protected_resource as b - where - resource_type = 'EC2' - ) - select - i.arn as resource, - i.og_account_id as og_account_id, - i.og_resource_id as og_resource_id, - case - when b.arn is not null then 'ok' - else 'alarm' - end as status, - case - when b.arn is not null then i.title || ' is protected by backup plan.' - else i.title || ' is not protected by backup plan.' - end as reason - - , i.region, i.account_id - from - aws_ec2_instance as i - left join backup_protected_instance as b on i.arn = b.arn; + QueryToExecute: "with backup_protected_instance as (\n select\n resource_arn as arn\n from\n aws_backup_protected_resource as b\n where\n resource_type = 'EC2'\n)\nselect\n i.arn as resource,\n i.og_account_id as og_account_id,\n i.og_resource_id as og_resource_id,\n case\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is not null then i.title || ' is protected by backup plan.'\n else i.title || ' is not protected by backup plan.'\n end as reason\n \n , i.region, i.account_id\nfrom\n aws_ec2_instance as i\n left join backup_protected_instance as b on i.arn = b.arn;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_backup_protected_resource - - aws_ec2_instance + - aws_backup_protected_resource + - aws_ec2_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" 
gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_publicly_accessible_iam_profile_attached.yaml b/compliance/controls/aws/aws_ec2_instance_publicly_accessible_iam_profile_attached.yaml index 0fddd1bff..ffc5069b2 100755 --- a/compliance/controls/aws/aws_ec2_instance_publicly_accessible_iam_profile_attached.yaml +++ b/compliance/controls/aws/aws_ec2_instance_publicly_accessible_iam_profile_attached.yaml 
@@ -1,32 +1,14 @@ ID: aws_ec2_instance_publicly_accessible_iam_profile_attached Title: "Public EC2 instances should have IAM profile attached" Description: "Ensure AWS Elastic Compute Cloud (AWS EC2) public instances have an Identity and Access Management (IAM) profile attached to them. This rule is non-compliant if no IAM profile is attached to a public AWS EC2 instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when iam_instance_profile_id is not null then 'ok' - else 'alarm' - end as status, - case - when iam_instance_profile_id is not null then title || ' IAM profile attached.' - else title || ' IAM profile not attached.' - end as reason - - - from - aws_ec2_instance - where - public_ip_address is not null; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when iam_instance_profile_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when iam_instance_profile_id is not null then title || ' IAM profile attached.'\n else title || ' IAM profile not attached.'\n end as reason\n \n \nfrom\n aws_ec2_instance\nwhere\n public_ip_address is not null;" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_ssm_managed.yaml b/compliance/controls/aws/aws_ec2_instance_ssm_managed.yaml index 4e904336e..6031bb644 100755 --- a/compliance/controls/aws/aws_ec2_instance_ssm_managed.yaml +++ b/compliance/controls/aws/aws_ec2_instance_ssm_managed.yaml 
@@ -1,70 +1,51 @@ ID: aws_ec2_instance_ssm_managed Title: "EC2 instances should be managed by AWS Systems Manager" Description: "An inventory of the software platforms and applications within the organization is possible by managing AWS Elastic Compute Cloud (AWS EC2) instances with AWS Systems Manager." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - i.arn as resource, - i.og_account_id as og_account_id, - i.og_resource_id as og_resource_id, - case - when i.instance_state = 'stopped' then 'info' - when m.instance_id is null then 'alarm' - else 'ok' - end as status, - case - when i.instance_state = 'stopped' then i.title || ' is in stopped state.' - when m.instance_id is null then i.title || ' not managed by AWS SSM.' - else i.title || ' managed by AWS SSM.' - end as reason - - , i.region, i.account_id - from - aws_ec2_instance i - left join aws_ssm_managed_instance m on m.instance_id = i.instance_id; + QueryToExecute: "select\n i.arn as resource,\n i.og_account_id as og_account_id,\n i.og_resource_id as og_resource_id,\n case\n when i.instance_state = 'stopped' then 'info'\n when m.instance_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when i.instance_state = 'stopped' then i.title || ' is in stopped state.'\n when m.instance_id is null then i.title || ' not managed by AWS SSM.'\n else i.title || ' managed by AWS SSM.'\n end as reason\n \n , i.region, i.account_id\nfrom\n aws_ec2_instance i\n left join aws_ssm_managed_instance m on m.instance_id = i.instance_id;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance - - aws_ssm_managed_instance + - aws_ec2_instance + - aws_ssm_managed_instance Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - 
"true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/SSM + - AWS/SSM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_termination_protection_enabled.yaml b/compliance/controls/aws/aws_ec2_instance_termination_protection_enabled.yaml index ca6e6446a..43a75e977 100755 --- a/compliance/controls/aws/aws_ec2_instance_termination_protection_enabled.yaml +++ b/compliance/controls/aws/aws_ec2_instance_termination_protection_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_termination_protection_enabled Title: "AWS EC2 instances should have termination protection enabled" Description: "This control checks whether termination protection is enabled for EC2 instances. The control fails if termination protection is not enabled for an EC2 instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_ec2_instance; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_instance_user_data_no_secrets.yaml b/compliance/controls/aws/aws_ec2_instance_user_data_no_secrets.yaml index e4d8d84de..8e2959733 100755 --- a/compliance/controls/aws/aws_ec2_instance_user_data_no_secrets.yaml +++ b/compliance/controls/aws/aws_ec2_instance_user_data_no_secrets.yaml 
@@ -1,32 +1,14 @@ ID: aws_ec2_instance_user_data_no_secrets Title: "EC2 instances user data should not have secrets" Description: "User data is a metadata field of an EC2 instance that allows custom code to run after the instance is launched. It contains code which is exposed to any entity which has the most basic access to EC2, even read-only configurations. It is recommended to not use secrets in user data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when user_data like any (array ['%pass%', '%secret%','%token%','%key%']) - or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then 'alarm' - else 'ok' - end as status, - case - when user_data like any (array ['%pass%', '%secret%','%token%','%key%']) - or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then instance_id ||' potential secret found in user data.' - else instance_id || ' no secrets found in user data.' - end as reason - - - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when user_data like any (array ['%pass%', '%secret%','%token%','%key%'])\n or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]' then 'alarm'\n else 'ok'\n end as status,\n case\n when user_data like any (array ['%pass%', '%secret%','%token%','%key%'])\n or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]' then instance_id ||' potential secret found in user data.'\n else instance_id || ' no secrets found in user data.'\n end as reason\n \n \nfrom\n aws_ec2_instance;" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
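Review bot: The secret heuristic in the new `QueryToExecute` will alarm on almost any real user-data script: the regex is four unanchored `(?=.*…)` lookaheads, so any text containing one lowercase letter, one uppercase letter, one digit and one of `@$!%*?&` anywhere — a typical shell bootstrap — matches, and `like any (array ['%pass%', '%secret%','%token%','%key%'])` is case-sensitive (misses `PASSWORD=`) while `%key%` also hits ordinary words such as `keyboard`. Consider `ilike` for the keyword list and a bounded token for the regex, e.g. requiring the character class to run for a minimum length, so the control reports plausible credentials rather than every script. The double-quoted form also forces `\\d` for the regex escapes, which is correct here but easy to get wrong on the next edit; a `|-` block scalar keeps the SQL as written. If `user_data` is stored base64-encoded as the EC2 API returns it, neither pattern will match at all — confirm against the table's schema.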
diff --git a/compliance/controls/aws/aws_ec2_instance_uses_imdsv2.yaml b/compliance/controls/aws/aws_ec2_instance_uses_imdsv2.yaml index ba1a24735..4cd4001e0 100755 --- a/compliance/controls/aws/aws_ec2_instance_uses_imdsv2.yaml +++ b/compliance/controls/aws/aws_ec2_instance_uses_imdsv2.yaml 
@@ -1,52 +1,36 @@ ID: aws_ec2_instance_uses_imdsv2 Title: "EC2 instances should use IMDSv2" Description: "Ensure the Instance Metadata Service Version 2 (IMDSv2) method is enabled to help protect access and control of AWS Elastic Compute Cloud (AWS EC2) instance metadata." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when metadata_options ->> 'HttpTokens' = 'optional' then 'alarm' - else 'ok' - end as status, - case - when metadata_options ->> 'HttpTokens' = 'optional' then title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).' - else title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).' - end as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when metadata_options ->> 'HttpTokens' = 'optional' then 'alarm'\n else 'ok'\n end as status,\n case\n when metadata_options ->> 'HttpTokens' = 'optional' then title || ' not configured to use Instance Metadata Service Version 2 (IMDSv2).'\n else title || ' configured to use Instance Metadata Service Version 2 (IMDSv2).'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud 
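Review bot: The status logic fails open: `when metadata_options ->> 'HttpTokens' = 'optional' then 'alarm' else 'ok'` reports `ok` when `metadata_options` is null or lacks `HttpTokens`, so an instance whose metadata options were not collected is counted as IMDSv2-compliant. Invert the test so only an explicit `required` passes, `when metadata_options ->> 'HttpTokens' = 'required' then 'ok' else 'alarm'`, and mirror the same condition in the `reason` expression. If an instance with the metadata endpoint disabled (`HttpEndpoint` = `disabled`) should count as compliant, add that as a separate `ok` branch rather than relying on the null fall-through.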
diff --git a/compliance/controls/aws/aws_ec2_instance_virtualization_type_no_paravirtual.yaml b/compliance/controls/aws/aws_ec2_instance_virtualization_type_no_paravirtual.yaml index 6b6509515..bcfd8b0ab 100755 --- a/compliance/controls/aws/aws_ec2_instance_virtualization_type_no_paravirtual.yaml +++ b/compliance/controls/aws/aws_ec2_instance_virtualization_type_no_paravirtual.yaml @@ -1,39 +1,26 @@ ID: aws_ec2_instance_virtualization_type_no_paravirtual Title: "Paravirtual EC2 instance types should not be used" Description: "This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when virtualization_type = 'paravirtual' then 'alarm' - else 'ok' - end as status, - title || ' virtualization type is ' || virtualization_type || '.' as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when virtualization_type = 'paravirtual' then 'alarm'\n else 'ok'\n end as status,\n title || ' virtualization type is ' || virtualization_type || '.' as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - vulnerability_patch_and_version_management + - vulnerability_patch_and_version_management foundational_security_item_id: - - ec2_24 + - ec2_24 plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_ec2_launch_template_not_publicly_accessible.yaml b/compliance/controls/aws/aws_ec2_launch_template_not_publicly_accessible.yaml index a78340799..6a734e278 100755 --- a/compliance/controls/aws/aws_ec2_launch_template_not_publicly_accessible.yaml +++ b/compliance/controls/aws/aws_ec2_launch_template_not_publicly_accessible.yaml 
@@ -1,61 +1,27 @@ ID: aws_ec2_launch_template_not_publicly_accessible Title: "AWS EC2 launch templates should not assign public IPs to network interfaces" Description: "This control checks if AWS EC2 launch templates are configured to assign public IP addresses to network interfaces upon launch. The control fails if an EC2 launch template is configured to assign a public IP address to network interfaces or if there is at least one network interface that has a public IP address." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with public_launch_templates as ( - select - i.tags ->> 'aws:ec2launchtemplate:id' as public_launch_template_id - from - aws_ec2_instance as i, - jsonb_array_elements(launch_template_data -> 'NetworkInterfaces') as nic - where - (nic -> 'AssociatePublicIpAddress')::bool - ), - launch_templates_associated_instance as ( - select - distinct tags ->> 'aws:ec2launchtemplate:id' as launch_template_id - from - aws_ec2_instance - ) - select - t.launch_template_id as resource, - t.og_account_id as og_account_id, - t.og_resource_id as og_resource_id, - case - when i.launch_template_id is null then 'skip' - when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then 'alarm' - else 'ok' - end as status, - case - when i.launch_template_id is null then t.title || ' does not launch any instance.' - when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then t.title || ' publicly accessible.' - else t.title || ' not publicly accessible.' 
- end as reason - - , t.region, t.account_id - from - aws_ec2_launch_template as t - left join launch_templates_associated_instance as i on i.launch_template_id = t.launch_template_id; + QueryToExecute: "with public_launch_templates as (\n select\n i.tags ->> 'aws:ec2launchtemplate:id' as public_launch_template_id\n from\n aws_ec2_instance as i,\n jsonb_array_elements(launch_template_data -> 'NetworkInterfaces') as nic\n where\n (nic -> 'AssociatePublicIpAddress')::bool\n),\nlaunch_templates_associated_instance as (\n select\n distinct tags ->> 'aws:ec2launchtemplate:id' as launch_template_id\n from\n aws_ec2_instance\n)\nselect\n t.launch_template_id as resource,\n t.og_account_id as og_account_id,\n t.og_resource_id as og_resource_id,\n case\n when i.launch_template_id is null then 'skip'\n when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then 'alarm'\n else 'ok'\n end as status,\n case\n when i.launch_template_id is null then t.title || ' does not launch any instance.'\n when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then t.title || ' publicly accessible.'\n else t.title || ' not publicly accessible.'\n end as reason\n \n , t.region, t.account_id\nfrom\n aws_ec2_launch_template as t\n left join launch_templates_associated_instance as i on i.launch_template_id = t.launch_template_id;\n" PrimaryTable: aws_ec2_launch_template ListOfTables: - - aws_ec2_instance - - aws_ec2_launch_template + - aws_ec2_instance + - aws_ec2_launch_template Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resources_not_publicly_accessible + - resources_not_publicly_accessible foundational_security_item_id: - - ec2_25 + - ec2_25 plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud 
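Review bot: The `public_launch_templates` CTE derives "publicly accessible" from instance rows (`aws_ec2_instance as i` and its `NetworkInterfaces`), not from the template itself, so a template whose current version assigns a public IP but has launched nothing is reported as `skip` with "does not launch any instance", and an instance whose NIC settings were overridden at launch is attributed to its template; both contradict the Description's "launch template is configured to assign a public IP". If `aws_ec2_launch_template` exposes the version's launch template data, evaluate `AssociatePublicIpAddress` on that table and keep the instance join only for the informational `skip` case; otherwise reword the Description to say the control is evaluated through launched instances. The unqualified `launch_template_data` in the CTE would also read better as `i.launch_template_data` so a reader can tell which table it comes from.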
diff --git a/compliance/controls/aws/aws_ec2_network_interface_unused.yaml b/compliance/controls/aws/aws_ec2_network_interface_unused.yaml index 47affb91e..1f216dd4e 100755 --- a/compliance/controls/aws/aws_ec2_network_interface_unused.yaml +++ b/compliance/controls/aws/aws_ec2_network_interface_unused.yaml @@ -1,30 +1,14 @@ ID: aws_ec2_network_interface_unused Title: "Ensure unused ENIs are removed" Description: "Identify and delete any unused Amazon AWS Elastic Network Interfaces in order to adhere to best practices and to avoid reaching the service limit. An AWS Elastic Network Interface (ENI) is pronounced unused when is not attached anymore to an EC2 instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - network_interface_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when status = 'available' and attached_instance_id is null then 'alarm' - else 'ok' - end as status, - case - when status = 'available' and attached_instance_id is null then title || ' not in use.' - else title || ' in use.' - end as reason - - - from - aws_ec2_network_interface; + QueryToExecute: "select\n network_interface_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when status = 'available' and attached_instance_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when status = 'available' and attached_instance_id is null then title || ' not in use.'\n else title || ' in use.'\n end as reason\n \n \nfrom\n aws_ec2_network_interface;" PrimaryTable: aws_ec2_network_interface ListOfTables: - - aws_ec2_network_interface + - aws_ec2_network_interface Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_stopped_instance_30_days.yaml b/compliance/controls/aws/aws_ec2_stopped_instance_30_days.yaml index d890cfab8..49aa1f73b 100755 
--- a/compliance/controls/aws/aws_ec2_stopped_instance_30_days.yaml +++ b/compliance/controls/aws/aws_ec2_stopped_instance_30_days.yaml 
@@ -1,61 +1,44 @@ ID: aws_ec2_stopped_instance_30_days Title: "EC2 stopped instances should be removed in 30 days" Description: "Enable this rule to help with the baseline configuration of AWS Elastic Compute Cloud (AWS EC2) instances by checking whether AWS EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when instance_state not in ('stopped', 'stopping') then 'skip' - when state_transition_time <= (current_date - interval '30' day) then 'alarm' - else 'ok' - end as status, - case - when instance_state not in ('stopped', 'stopping') then title || ' is in ' || instance_state || ' state.' - else title || ' stopped since ' || to_char(state_transition_time , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - state_transition_time) || ' days).' 
- end as reason - - , region, account_id - from - aws_ec2_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when instance_state not in ('stopped', 'stopping') then 'skip'\n when state_transition_time <= (current_date - interval '30' day) then 'alarm'\n else 'ok'\n end as status,\n case\n when instance_state not in ('stopped', 'stopping') then title || ' is in ' || instance_state || ' state.'\n else title || ' stopped since ' || to_char(state_transition_time , 'DD-Mon-YYYY') || ' (' || extract(day from current_timestamp - state_transition_time) || ' days).'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_instance;\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_stopped_instance_90_days.yaml b/compliance/controls/aws/aws_ec2_stopped_instance_90_days.yaml index 438ab418e..fca4eb26c 100755 --- a/compliance/controls/aws/aws_ec2_stopped_instance_90_days.yaml +++ b/compliance/controls/aws/aws_ec2_stopped_instance_90_days.yaml 
@@ -1,8 +1,6 @@ ID: aws_ec2_stopped_instance_90_days Title: "Ensure instances stopped for over 90 days are removed" Description: "Enable this rule to help with the baseline configuration of Amazon Elastic Compute Cloud (Amazon EC2) instances by checking whether Amazon EC2 instances have been stopped for more than the allowed number of days, according to your organization's standards." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,7 +21,9 @@ Query: aws_ec2_instance; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ec2_transit_gateway_auto_cross_account_attachment_disabled.yaml b/compliance/controls/aws/aws_ec2_transit_gateway_auto_cross_account_attachment_disabled.yaml index 4ff8085f6..1daab8221 100755 --- a/compliance/controls/aws/aws_ec2_transit_gateway_auto_cross_account_attachment_disabled.yaml +++ b/compliance/controls/aws/aws_ec2_transit_gateway_auto_cross_account_attachment_disabled.yaml 
@@ -1,42 +1,26 @@ ID: aws_ec2_transit_gateway_auto_cross_account_attachment_disabled Title: "EC2 transit gateways should have auto accept shared attachments disabled" Description: "Ensure transit gateways have auto accept shared attachments feature disabled. If this setting is disabled, then any VPC that attempts to attach to a transit gateway will need to request authorization, and the account that owns the transit gateway will need to accept the authorization." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - transit_gateway_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when auto_accept_shared_attachments = 'enable' then 'alarm' - else 'ok' - end as status, - case - when auto_accept_shared_attachments = 'enable' then title || ' automatic shared account attachment enabled.' - else title || ' automatic shared account attachment disabled.' - end as reason - - , region, account_id - from - aws_ec2_transit_gateway; + QueryToExecute: "select\n transit_gateway_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when auto_accept_shared_attachments = 'enable' then 'alarm'\n else 'ok'\n end as status,\n case\n when auto_accept_shared_attachments = 'enable' then title || ' automatic shared account attachment enabled.'\n else title || ' automatic shared account attachment disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_transit_gateway;\n" PrimaryTable: aws_ec2_transit_gateway ListOfTables: - - aws_ec2_transit_gateway + - aws_ec2_transit_gateway Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - ec2_23 + - ec2_23 plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud 
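Review bot: The new `QueryToExecute` replaces a readable `|` block scalar with one very long double-quoted string full of `\n` escapes, so every future edit to the SQL becomes a one-line diff that cannot be reviewed, and any double quote or backslash in the SQL will need escaping from now on; the block scalar was the right YAML form for multi-line SQL. Keep `QueryToExecute: |` followed by the indented SQL and limit this commit to the `Connector` → `IntegrationTypeName` change and the `ListOfTables`/`Tags` re-indentation, which is what actually changes. The same conversion appears in the ECR (scan_on_push, lifecycle_policy, tag_immutability), ECS cluster (container_insights), and ECS service/task definition hunks (fargate_platform_version, load_balancer_attached, not_publicly_accessible, container_environment_no_secret, non_privileged, readonly_root_filesystem, logging_enabled) below; this looks like a serializer round-trip rather than a deliberate edit, in which case the tool's output style is what to fix.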
diff --git a/compliance/controls/aws/aws_ecr_repository_image_scan_on_push_enabled.yaml b/compliance/controls/aws/aws_ecr_repository_image_scan_on_push_enabled.yaml
index f7b3fbaec..f48ff5a56 100755
--- a/compliance/controls/aws/aws_ecr_repository_image_scan_on_push_enabled.yaml
+++ b/compliance/controls/aws/aws_ecr_repository_image_scan_on_push_enabled.yaml
@@ -1,42 +1,26 @@ ID: aws_ecr_repository_image_scan_on_push_enabled Title: "ECR repositories should have image scan on push enabled" Description: "Ensure AWS Elastic Container Registry (ECR) repositories have image scanning enabled. The rule is non-compliant if image scanning is not enabled for the ECR repository." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when image_scanning_configuration ->> 'ScanOnPush' = 'true' then 'ok' - else 'alarm' - end as status, - case - when image_scanning_configuration ->> 'ScanOnPush' = 'true' then title || ' scan on push enabled.' - else title || ' scan on push disabled.' - end as reason - - , region, account_id - from - aws_ecr_repository; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when image_scanning_configuration ->> 'ScanOnPush' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when image_scanning_configuration ->> 'ScanOnPush' = 'true' then title || ' scan on push enabled.'\n else title || ' scan on push disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecr_repository;\n" PrimaryTable: aws_ecr_repository ListOfTables: - - aws_ecr_repository + - aws_ecr_repository Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - vulnerability_patch_and_version_management + - vulnerability_patch_and_version_management foundational_security_item_id: - - ecr_1 + - ecr_1 plugin: - - aws + - aws service: - - AWS/ECR + - AWS/ECR +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ecr_repository_lifecycle_policy_configured.yaml b/compliance/controls/aws/aws_ecr_repository_lifecycle_policy_configured.yaml index e10ac1112..928d031ba 100755 
--- a/compliance/controls/aws/aws_ecr_repository_lifecycle_policy_configured.yaml +++ b/compliance/controls/aws/aws_ecr_repository_lifecycle_policy_configured.yaml @@ -1,42 +1,26 @@ ID: aws_ecr_repository_lifecycle_policy_configured Title: "ECR repositories should have lifecycle policies configured" Description: "This control checks if ECR repositories have lifecycle policy configured. This rule fails if ECR repository lifecycle policy is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when lifecycle_policy -> 'rules' is not null then 'ok' - else 'alarm' - end as status, - case - when lifecycle_policy -> 'rules' is not null then title || ' lifecycle policy configured.' - else title || ' lifecycle policy not configured.' - end as reason - - , region, account_id - from - aws_ecr_repository; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when lifecycle_policy -> 'rules' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when lifecycle_policy -> 'rules' is not null then title || ' lifecycle policy configured.'\n else title || ' lifecycle policy not configured.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecr_repository;\n" PrimaryTable: aws_ecr_repository ListOfTables: - - aws_ecr_repository + - aws_ecr_repository Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_configuration + - resource_configuration foundational_security_item_id: - - ecr_3 + - ecr_3 plugin: - - aws + - aws service: - - AWS/ECR + - AWS/ECR +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_ecr_repository_prohibit_public_access.yaml b/compliance/controls/aws/aws_ecr_repository_prohibit_public_access.yaml
index d3f3d4e33..c3a6b564e 100755
--- a/compliance/controls/aws/aws_ecr_repository_prohibit_public_access.yaml
+++ b/compliance/controls/aws/aws_ecr_repository_prohibit_public_access.yaml
@@ -1,8 +1,6 @@
ID: aws_ecr_repository_prohibit_public_access
Title: "ECR repositories should prohibit public access"
Description: "Ensure there are no ECR repositories set as public."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -40,7 +38,9 @@ Query:
resource, status, reason, r.region, r.account_id, r.tags, r._ctx, r.og_account_id, r.og_resource_id;
PrimaryTable: aws_ecr_repository
ListOfTables:
- - aws_ecr_repository
+ - aws_ecr_repository
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_ecr_repository_tag_immutability_enabled.yaml b/compliance/controls/aws/aws_ecr_repository_tag_immutability_enabled.yaml
index 6992da47b..7147b3fa9 100755
--- a/compliance/controls/aws/aws_ecr_repository_tag_immutability_enabled.yaml
+++ b/compliance/controls/aws/aws_ecr_repository_tag_immutability_enabled.yaml
@@ -1,42 +1,26 @@ ID: aws_ecr_repository_tag_immutability_enabled Title: "ECR private repositories should have tag immutability configured" Description: "This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when image_tag_mutability = 'IMMUTABLE' then 'ok' - else 'alarm' - end as status, - case - when image_tag_mutability = 'IMMUTABLE' then title || ' tag immutability enabled.' - else title || ' tag immutability disabled.' - end as reason - - , region, account_id - from - aws_ecr_repository; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when image_tag_mutability = 'IMMUTABLE' then 'ok'\n else 'alarm'\n end as status,\n case\n when image_tag_mutability = 'IMMUTABLE' then title || ' tag immutability enabled.'\n else title || ' tag immutability disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecr_repository;\n" PrimaryTable: aws_ecr_repository ListOfTables: - - aws_ecr_repository + - aws_ecr_repository Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - tagging + - tagging foundational_security_item_id: - - ecr_2 + - ecr_2 plugin: - - aws + - aws service: - - AWS/ECR + - AWS/ECR +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ecs_cluster_container_insights_enabled.yaml b/compliance/controls/aws/aws_ecs_cluster_container_insights_enabled.yaml index 54b12d389..d112c82c4 100755 --- a/compliance/controls/aws/aws_ecs_cluster_container_insights_enabled.yaml 
+++ b/compliance/controls/aws/aws_ecs_cluster_container_insights_enabled.yaml @@ -1,43 +1,26 @@ ID: aws_ecs_cluster_container_insights_enabled Title: "ECS clusters should have container insights enabled" Description: "This control checks if ECS clusters use Container Insights. This control fails if Container Insights are not set up for a cluster." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - cluster_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when s ->> 'Name' = 'containerInsights' and s ->> 'Value' = 'enabled' then 'ok' - else 'alarm' - end as status, - case - when s ->> 'Name' = 'containerInsights' and s ->> 'Value' = 'enabled' then title || ' Container Insights enabled.' - else title || ' Container Insights disabled.' - end as reason - - , region, account_id - from - aws_ecs_cluster as c, - jsonb_array_elements(settings) as s; + QueryToExecute: "select\n cluster_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when s ->> 'Name' = 'containerInsights' and s ->> 'Value' = 'enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when s ->> 'Name' = 'containerInsights' and s ->> 'Value' = 'enabled' then title || ' Container Insights enabled.'\n else title || ' Container Insights disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecs_cluster as c,\n jsonb_array_elements(settings) as s;\n" PrimaryTable: aws_ecs_cluster ListOfTables: - - aws_ecs_cluster + - aws_ecs_cluster Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - logging + - logging foundational_security_item_id: - - ecs_12 + - ecs_12 plugin: - - aws + - aws service: - - AWS/ECS + - AWS/ECS +IntegrationTypeName: + - aws_cloud 
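Review bot: The new `QueryToExecute` string still cross-joins `aws_ecs_cluster` with `jsonb_array_elements(settings) as s` and evaluates the `case` per element, so a cluster emits one result row per settings entry: a cluster with `containerInsights` enabled plus any other setting reports both `ok` and `alarm` for the same `resource`, and a cluster whose `settings` array is empty (or null) produces no row at all and silently drops out of the control. Decide the status once per cluster, using the CTE plus left-join shape the other ECS controls in this commit already use, so each cluster yields exactly one row and a missing setting counts as disabled. Rewritten query below; the remaining keys of the hunk are unchanged.
```yaml
  QueryToExecute: |
    with insights_enabled as (
      select
        distinct cluster_arn
      from
        aws_ecs_cluster,
        jsonb_array_elements(settings) as s
      where
        s ->> 'Name' = 'containerInsights'
        and s ->> 'Value' = 'enabled'
    )
    select
      c.cluster_arn as resource,
      c.og_account_id as og_account_id,
      c.og_resource_id as og_resource_id,
      case
        when i.cluster_arn is not null then 'ok'
        else 'alarm'
      end as status,
      case
        when i.cluster_arn is not null then c.title || ' Container Insights enabled.'
        else c.title || ' Container Insights disabled.'
      end as reason
      , c.region, c.account_id
    from
      aws_ecs_cluster as c
      left join insights_enabled as i on i.cluster_arn = c.cluster_arn;
  # … unchanged: PrimaryTable, ListOfTables, Parameters, Severity, Tags, IntegrationTypeName …
```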
diff --git a/compliance/controls/aws/aws_ecs_cluster_container_instance_agent_connected.yaml b/compliance/controls/aws/aws_ecs_cluster_container_instance_agent_connected.yaml
index 6ee8f5840..1dca79965 100755
--- a/compliance/controls/aws/aws_ecs_cluster_container_instance_agent_connected.yaml
+++ b/compliance/controls/aws/aws_ecs_cluster_container_instance_agent_connected.yaml
@@ -1,8 +1,6 @@
ID: aws_ecs_cluster_container_instance_agent_connected
Title: "ECS cluster container instances should have connected agent"
Description: "This control checks if ECS cluster container instances have connected agent. This control fails if the agent is not connected."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -33,8 +31,10 @@ Query:
left join unconnected_agent_instance as i on c.cluster_arn = i.cluster_arn;
PrimaryTable: aws_ecs_cluster
ListOfTables:
- - aws_ecs_cluster
- - aws_ecs_container_instance
+ - aws_ecs_cluster
+ - aws_ecs_container_instance
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_ecs_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_ecs_cluster_encryption_at_rest_enabled.yaml
index a505919fe..9291d27f4 100755
--- a/compliance/controls/aws/aws_ecs_cluster_encryption_at_rest_enabled.yaml
+++ b/compliance/controls/aws/aws_ecs_cluster_encryption_at_rest_enabled.yaml
@@ -1,8 +1,6 @@
ID: aws_ecs_cluster_encryption_at_rest_enabled
Title: "ECS clusters encryption at rest should be enabled"
Description: "This control checks whether ECS Clustes have encryption at rest enabled. The check fails if encryption at rest is not enabled as sensitive data should be protected."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -38,10 +36,12 @@ Query:
left join unencrypted_volumes as v on v.cluster_arn = c.cluster_arn;
PrimaryTable: aws_ecs_cluster
ListOfTables:
- - aws_ecs_container_instance
- - aws_ec2_instance
- - aws_ebs_volume
- - aws_ecs_cluster
+ - aws_ecs_container_instance
+ - aws_ec2_instance
+ - aws_ebs_volume
+ - aws_ecs_cluster
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_ecs_cluster_no_active_services_count.yaml b/compliance/controls/aws/aws_ecs_cluster_no_active_services_count.yaml
index ba05d5b62..a9e7e7ea4 100755
--- a/compliance/controls/aws/aws_ecs_cluster_no_active_services_count.yaml
+++ b/compliance/controls/aws/aws_ecs_cluster_no_active_services_count.yaml
@@ -1,8 +1,6 @@
ID: aws_ecs_cluster_no_active_services_count
Title: "ECS cluster should be configured with active services"
Description: "This control checks if ECS cluster have active services. This control fails if ECS cluster does not have any active services."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
aws_ecs_cluster;
PrimaryTable: aws_ecs_cluster
ListOfTables:
- - aws_ecs_cluster
+ - aws_ecs_cluster
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_ecs_cluster_no_registered_container_instance.yaml b/compliance/controls/aws/aws_ecs_cluster_no_registered_container_instance.yaml
index decec0430..3317e0e5a 100755
--- a/compliance/controls/aws/aws_ecs_cluster_no_registered_container_instance.yaml
+++ b/compliance/controls/aws/aws_ecs_cluster_no_registered_container_instance.yaml
@@ -1,8 +1,6 @@
ID: aws_ecs_cluster_no_registered_container_instance
Title: "At least one instance should be registered with ECS cluster"
Description: "This control ensures that at least one container instance is registered with an ECS cluster."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
aws_ecs_cluster;
PrimaryTable: aws_ecs_cluster
ListOfTables:
- - aws_ecs_cluster
+ - aws_ecs_cluster
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_ecs_service_fargate_using_latest_platform_version.yaml b/compliance/controls/aws/aws_ecs_service_fargate_using_latest_platform_version.yaml
index 5c72c8698..933b46773 100755
--- a/compliance/controls/aws/aws_ecs_service_fargate_using_latest_platform_version.yaml
+++ b/compliance/controls/aws/aws_ecs_service_fargate_using_latest_platform_version.yaml
@@ -1,44 +1,26 @@ ID: aws_ecs_service_fargate_using_latest_platform_version Title: "ECS fargate services should run on the latest fargate platform version" Description: "This control checks if AWS ECS Fargate services are running the latest Fargate platform version. This control fails if the platform version is not the latest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when launch_type <> 'FARGATE' then 'skip' - when platform_version = 'LATEST' then 'ok' - else 'alarm' - end as status, - case - when launch_type <> 'FARGATE' then title || ' is ' || launch_type || ' service.' - when platform_version = 'LATEST' then title || ' running on the latest fargate platform version.' - else title || ' not running on the latest fargate platform version.' - end as reason - - , region, account_id - from - aws_ecs_service; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when launch_type <> 'FARGATE' then 'skip'\n when platform_version = 'LATEST' then 'ok'\n else 'alarm'\n end as status,\n case\n when launch_type <> 'FARGATE' then title || ' is ' || launch_type || ' service.'\n when platform_version = 'LATEST' then title || ' running on the latest fargate platform version.'\n else title || ' not running on the latest fargate platform version.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecs_service;\n" PrimaryTable: aws_ecs_service ListOfTables: - - aws_ecs_service + - aws_ecs_service Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - vulnerability_patch_and_version_management + - vulnerability_patch_and_version_management foundational_security_item_id: - - ecs_10 + - ecs_10 plugin: - - aws + - aws service: - - AWS/ECS + - AWS/ECS +IntegrationTypeName: + - 
aws_cloud diff --git a/compliance/controls/aws/aws_ecs_service_load_balancer_attached.yaml b/compliance/controls/aws/aws_ecs_service_load_balancer_attached.yaml index 6353c5ee4..1e4e5886c 100755 --- a/compliance/controls/aws/aws_ecs_service_load_balancer_attached.yaml +++ b/compliance/controls/aws/aws_ecs_service_load_balancer_attached.yaml @@ -1,30 +1,14 @@ ID: aws_ecs_service_load_balancer_attached Title: "ECS services should be attached to a load balancer" Description: "ECS service can be configured to use Elastic Load Balancing to distribute traffic evenly across the tasks in your service. It is recommended to use Application Load Balancers for your AWS ECS services so that you can take advantage of these latest features, unless your service requires a feature that is only available with Network Load Balancers or Classic Load Balancers." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(load_balancers) = 0 then 'alarm' - else 'ok' - end as status, - case - when jsonb_array_length(load_balancers) = 0 then title || ' has no load balancer attached.' - else title || ' has ' || jsonb_array_length(load_balancers) || ' load balancer(s) attached.' - end as reason - - - from - aws_ecs_service; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(load_balancers) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when jsonb_array_length(load_balancers) = 0 then title || ' has no load balancer attached.'\n else title || ' has ' || jsonb_array_length(load_balancers) || ' load balancer(s) attached.'\n end as reason\n \n \nfrom\n aws_ecs_service;" PrimaryTable: aws_ecs_service ListOfTables: - - aws_ecs_service + - aws_ecs_service Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
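Review bot: `jsonb_array_length(load_balancers) = 0` evaluates to null, not true, when `load_balancers` itself is null, so such a service falls into the `else` branches and is reported `ok` with a null reason (the `' has ' || jsonb_array_length(load_balancers)` concatenation yields null) — the opposite of what the control intends for a service with nothing attached. Whether that column can be null for an ECS service without a load balancer is worth confirming against the `aws_ecs_service` schema; if it can, guard both branches, e.g. `when coalesce(jsonb_array_length(load_balancers), 0) = 0 then 'alarm'` in the status case and the same `coalesce(...) = 0` condition in the reason case.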
diff --git a/compliance/controls/aws/aws_ecs_service_not_publicly_accessible.yaml b/compliance/controls/aws/aws_ecs_service_not_publicly_accessible.yaml
index deea3534a..658c7daaf 100755
--- a/compliance/controls/aws/aws_ecs_service_not_publicly_accessible.yaml
+++ b/compliance/controls/aws/aws_ecs_service_not_publicly_accessible.yaml
@@ -1,56 +1,27 @@ ID: aws_ecs_service_not_publicly_accessible Title: "AWS ECS services should not have public IP addresses assigned to them automatically" Description: "This control checks whether AWS ECS services are configured to automatically assign public IP addresses. This control fails if AssignPublicIP is enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with service_awsvpc_mode_task_definition as ( - select - a.service_name as service_name, - b.task_definition_arn as task_definition - from - aws_ecs_service as a - left join aws_ecs_task_definition as b on a.task_definition = b.task_definition_arn - where - b.network_mode = 'awsvpc' - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.service_name is null then 'skip' - when network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' then 'ok' - else 'alarm' - end as status, - case - when b.service_name is null then a.title || ' task definition not host network mode.' - when network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' then a.title || ' not publicly accessible.' - else a.title || ' publicly accessible.' 
- end as reason - - , region, account_id - from - aws_ecs_service as a - left join service_awsvpc_mode_task_definition as b on a.service_name = b.service_name; + QueryToExecute: "with service_awsvpc_mode_task_definition as (\n select\n a.service_name as service_name,\n b.task_definition_arn as task_definition\n from\n aws_ecs_service as a\n left join aws_ecs_task_definition as b on a.task_definition = b.task_definition_arn\n where\n b.network_mode = 'awsvpc'\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.service_name is null then 'skip'\n when network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.service_name is null then a.title || ' task definition not host network mode.'\n when network_configuration -> 'AwsvpcConfiguration' ->> 'AssignPublicIp' = 'DISABLED' then a.title || ' not publicly accessible.'\n else a.title || ' publicly accessible.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecs_service as a\n left join service_awsvpc_mode_task_definition as b on a.service_name = b.service_name;\n" PrimaryTable: aws_ecs_service ListOfTables: - - aws_ecs_service - - aws_ecs_task_definition + - aws_ecs_service + - aws_ecs_task_definition Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resources_not_publicly_accessible + - resources_not_publicly_accessible foundational_security_item_id: - - ecs_2 + - ecs_2 plugin: - - aws + - aws service: - - AWS/ECS + - AWS/ECS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ecs_task_definition_container_environment_no_secret.yaml b/compliance/controls/aws/aws_ecs_task_definition_container_environment_no_secret.yaml index fb7f3ed03..a25f6b6b2 100755 
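Review bot: The `skip` reason on the new side still reads `' task definition not host network mode.'`, but the CTE `service_awsvpc_mode_task_definition` keeps only definitions with `b.network_mode = 'awsvpc'`, so the services being skipped are the ones whose task definition is *not* awsvpc (bridge, host or none) and the message points an operator at the wrong setting. Change it to `when b.service_name is null then a.title || ' task definition not in awsvpc network mode.'`. Separately, `network_configuration`, `region` and `account_id` in the outer select are unqualified; they resolve to `a` today only because the CTE exposes nothing but `service_name` and `task_definition`, so qualifying them as `a.network_configuration`, `a.region`, `a.account_id` keeps the query unambiguous if the CTE ever grows. The same wording issue is absent from the other hunks; this note applies to this file only.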
--- a/compliance/controls/aws/aws_ecs_task_definition_container_environment_no_secret.yaml
+++ b/compliance/controls/aws/aws_ecs_task_definition_container_environment_no_secret.yaml
@@ -1,70 +1,26 @@ ID: aws_ecs_task_definition_container_environment_no_secret Title: "ECS task definition containers should not have secrets passed as environment variables" Description: "This control checks if the key value of any variables in the environment parameter of container definitions includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control fails if a single environment variable in any container definition equals AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control does not cover environmental variables passed in from other locations such as AWS S3." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with definitions_with_secret_environment_variable as ( - select - distinct task_definition_arn as arn - from - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) as c, - jsonb_array_elements( - case jsonb_typeof(c -> 'Environment') - when 'array' then (c -> 'Environment') - else null end - ) as s - where - s ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA']) - UNION - select - distinct task_definition_arn as arn - from - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) as c, - jsonb_array_elements( - case jsonb_typeof(c -> 'Secrets') - when 'array' then (c -> 'Secrets') - else null end - ) as s - where - s ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA']) - ) - select - d.task_definition_arn as resource, - d.og_account_id as og_account_id, - d.og_resource_id as og_resource_id, - case - when e.arn is null then 'ok' - else 'alarm' - end as status, - case - when e.arn is null then d.title || ' container environment variables does not have secrets.' - else d.title || ' container environment variables have secrets.' 
- end as reason - - , region, account_id - from - aws_ecs_task_definition as d - left join definitions_with_secret_environment_variable as e on d.task_definition_arn = e.arn; + QueryToExecute: "with definitions_with_secret_environment_variable as (\n select\n distinct task_definition_arn as arn\n from\n aws_ecs_task_definition,\n jsonb_array_elements(container_definitions) as c,\n jsonb_array_elements(\n case jsonb_typeof(c -> 'Environment')\n when 'array' then (c -> 'Environment')\n else null end\n ) as s\n where\n s ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA'])\n UNION\n select\n distinct task_definition_arn as arn\n from\n aws_ecs_task_definition,\n jsonb_array_elements(container_definitions) as c,\n jsonb_array_elements(\n case jsonb_typeof(c -> 'Secrets')\n when 'array' then (c -> 'Secrets')\n else null end\n ) as s\n where\n s ->> 'Name' like any (array ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY','ECS_ENGINE_AUTH_DATA'])\n)\nselect\n d.task_definition_arn as resource,\n d.og_account_id as og_account_id,\n d.og_resource_id as og_resource_id,\n case\n when e.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when e.arn is null then d.title || ' container environment variables does not have secrets.'\n else d.title || ' container environment variables have secrets.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecs_task_definition as d\n left join definitions_with_secret_environment_variable as e on d.task_definition_arn = e.arn;\n" PrimaryTable: aws_ecs_task_definition ListOfTables: - - aws_ecs_task_definition + - aws_ecs_task_definition Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - credentials_not_hard_coded + - credentials_not_hard_coded foundational_security_item_id: - - ecs_8 + - ecs_8 plugin: - - aws + - aws service: - - AWS/ECS + - AWS/ECS +IntegrationTypeName: + - 
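Review bot: The second `UNION` branch of the CTE alarms on names found under `c -> 'Secrets'`, which goes beyond the control's own `Description` — that text says it checks "the environment parameter of container definitions" and explicitly excludes variables passed in from other locations. If flagging a `Secrets` entry named `AWS_SECRET_ACCESS_KEY` is intended (it reads as a possible false positive, since the secrets mechanism is how a container would avoid a literal value in `Environment`), say so in the `Description`; otherwise drop that branch so the query matches the documented scope. A smaller point: `like any (array [...])` is used with no wildcard characters, so it behaves as a case-sensitive equality test; `s ->> 'Name' in ('AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'ECS_ENGINE_AUTH_DATA')` states that intent directly.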
aws_cloud
diff --git a/compliance/controls/aws/aws_ecs_task_definition_container_non_privileged.yaml b/compliance/controls/aws/aws_ecs_task_definition_container_non_privileged.yaml
index 97b987489..06e5d718b 100755
--- a/compliance/controls/aws/aws_ecs_task_definition_container_non_privileged.yaml
+++ b/compliance/controls/aws/aws_ecs_task_definition_container_non_privileged.yaml
@@ -1,52 +1,26 @@ ID: aws_ecs_task_definition_container_non_privileged Title: "ECS containers should run as non-privileged" Description: "This control checks if the privileged parameter in the container definition of AWS ECS Task Definitions is set to true. The control fails if this parameter is equal to true." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with privileged_container_definition as ( - select - distinct task_definition_arn as arn - from - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) as c - where - c ->> 'Privileged' = 'true' - ) - select - d.task_definition_arn as resource, - d.og_account_id as og_account_id, - d.og_resource_id as og_resource_id, - case - when c.arn is null then 'ok' - else 'alarm' - end as status, - case - when c.arn is null then d.title || ' does not have elevated privileges.' - else d.title || ' has elevated privileges.' - end as reason - - , region, account_id - from - aws_ecs_task_definition as d - left join privileged_container_definition as c on d.task_definition_arn = c.arn; + QueryToExecute: "with privileged_container_definition as (\n select\n distinct task_definition_arn as arn\n from\n aws_ecs_task_definition,\n jsonb_array_elements(container_definitions) as c\n where\n c ->> 'Privileged' = 'true'\n)\nselect\n d.task_definition_arn as resource,\n d.og_account_id as og_account_id,\n d.og_resource_id as og_resource_id,\n case\n when c.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when c.arn is null then d.title || ' does not have elevated privileges.'\n else d.title || ' has elevated privileges.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecs_task_definition as d\n left join privileged_container_definition as c on d.task_definition_arn = c.arn;\n" PrimaryTable: aws_ecs_task_definition ListOfTables: - - aws_ecs_task_definition + - aws_ecs_task_definition Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: 
- - Compliance + - Compliance foundational_security_category: - - root_user_access_restrictions + - root_user_access_restrictions foundational_security_item_id: - - ecs_4 + - ecs_4 plugin: - - aws + - aws service: - - AWS/ECS + - AWS/ECS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ecs_task_definition_container_readonly_root_filesystem.yaml b/compliance/controls/aws/aws_ecs_task_definition_container_readonly_root_filesystem.yaml index 82eecd318..442380ce7 100755 --- a/compliance/controls/aws/aws_ecs_task_definition_container_readonly_root_filesystem.yaml +++ b/compliance/controls/aws/aws_ecs_task_definition_container_readonly_root_filesystem.yaml 
@@ -1,52 +1,26 @@ ID: aws_ecs_task_definition_container_readonly_root_filesystem Title: "ECS containers should be limited to read-only access to root filesystems" Description: "This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with privileged_container_definition as ( - select - distinct task_definition_arn as arn - from - aws_ecs_task_definition, - jsonb_array_elements(container_definitions) as c - where - c ->> 'ReadonlyRootFilesystem' = 'true' - ) - select - d.task_definition_arn as resource, - d.og_account_id as og_account_id, - d.og_resource_id as og_resource_id, - case - when c.arn is not null then 'ok' - else 'alarm' - end as status, - case - when c.arn is not null then d.title || ' containers limited to read-only access to root filesystems.' - else d.title || ' containers not limited to read-only access to root filesystems.' 
- end as reason - - , region, account_id - from - aws_ecs_task_definition as d - left join privileged_container_definition as c on d.task_definition_arn = c.arn; + QueryToExecute: "with privileged_container_definition as (\n select\n distinct task_definition_arn as arn\n from\n aws_ecs_task_definition,\n jsonb_array_elements(container_definitions) as c\n where\n c ->> 'ReadonlyRootFilesystem' = 'true'\n)\nselect\n d.task_definition_arn as resource,\n d.og_account_id as og_account_id,\n d.og_resource_id as og_resource_id,\n case\n when c.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when c.arn is not null then d.title || ' containers limited to read-only access to root filesystems.'\n else d.title || ' containers not limited to read-only access to root filesystems.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecs_task_definition as d\n left join privileged_container_definition as c on d.task_definition_arn = c.arn;\n" PrimaryTable: aws_ecs_task_definition ListOfTables: - - aws_ecs_task_definition + - aws_ecs_task_definition Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_access_management + - secure_access_management foundational_security_item_id: - - ecs_5 + - ecs_5 plugin: - - aws + - aws service: - - AWS/ECS + - AWS/ECS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ecs_task_definition_logging_enabled.yaml b/compliance/controls/aws/aws_ecs_task_definition_logging_enabled.yaml index b26cb416b..86117d563 100755 --- a/compliance/controls/aws/aws_ecs_task_definition_logging_enabled.yaml +++ b/compliance/controls/aws/aws_ecs_task_definition_logging_enabled.yaml 
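Review bot: The new query passes a task definition as soon as any one of its containers has `ReadonlyRootFilesystem = 'true'`: the CTE collects ARNs with at least one read-only container and the outer `case` marks those `ok`, so a definition with one hardened sidecar and one writable application container is reported compliant, which contradicts the `Description` ("fails if the ReadonlyRootFilesystem parameter ... is set to false"). Invert the aggregation so the CTE collects definitions with at least one container that is not read-only and a hit is the failure: `where coalesce(c ->> 'ReadonlyRootFilesystem', 'false') <> 'true'` in the CTE, `when c.arn is null then 'ok'` in the status case, and the same `c.arn is null` test in the reason case with the two reason strings kept in their current order. The CTE name `privileged_container_definition` is copied from the non_privileged control and no longer describes what it selects; `writable_root_container_definition` would. The logging_enabled hunk below has the same any-container-passes shape (`c ->> 'LogConfiguration' is not null` → `ok`) and needs the same inversion.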
@@ -1,40 +1,14 @@
 ID: aws_ecs_task_definition_logging_enabled
 Title: "ECS task definitions should have logging enabled"
 Description: "Ensure logging is enabled for task definitions so that you can access your containerized application logs for debugging and auditing purposes. On top of centralized logging, these log drivers often include additional capabilities that are useful for operation."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with task_definitions_logging_enabled as (
- select
- distinct task_definition_arn as arn
- from
- aws_ecs_task_definition,
- jsonb_array_elements(container_definitions) as c
- where
- c ->> 'LogConfiguration' is not null
- )
- select
- a.task_definition_arn as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when b.arn is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when b.arn is not null then a.title || ' logging enabled.'
- else a.title || ' logging disabled.'
- end as reason
-
-
- from
- aws_ecs_task_definition as a
- left join task_definitions_logging_enabled as b on a.task_definition_arn = b.arn;
+ QueryToExecute: "with task_definitions_logging_enabled as (\n select\n distinct task_definition_arn as arn\n from\n aws_ecs_task_definition,\n jsonb_array_elements(container_definitions) as c\n where\n c ->> 'LogConfiguration' is not null\n)\nselect\n a.task_definition_arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is not null then a.title || ' logging enabled.'\n else a.title || ' logging disabled.'\n end as reason\n \n \nfrom\n aws_ecs_task_definition as a\n left join task_definitions_logging_enabled as b on a.task_definition_arn = b.arn;"
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_ecs_task_definition_no_host_pid_mode.yaml b/compliance/controls/aws/aws_ecs_task_definition_no_host_pid_mode.yaml
index 6c86c3319..4d9349bb4 100755
--- a/compliance/controls/aws/aws_ecs_task_definition_no_host_pid_mode.yaml
+++ b/compliance/controls/aws/aws_ecs_task_definition_no_host_pid_mode.yaml
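Review bot: Replacing the `|-` block scalar with a double-quoted scalar full of `\n` escapes makes the SQL in `QueryToExecute` unreadable in place and in every future diff of this file, and it is inconsistent within this same change: aws_ecs_task_definition_no_root_user, aws_efs_file_system_enforces_ssl and the other header-only hunks keep their block scalars. The conversion is also not uniform between the converted files — this value ends with `;"` while the converted aws_ecs_task_definition_container_readonly_root_filesystem value ends with `;\n"`, so the old `|-`/`|` distinction survives as an invisible trailing-newline difference. Keeping `QueryToExecute: |-` with the indented SQL (or, if a generator produced this, having it emit a block scalar) would avoid both problems. The `\n \n \n` before `from` carries the old blank lines into the string and could simply be dropped.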
@@ -1,42 +1,26 @@
 ID: aws_ecs_task_definition_no_host_pid_mode
 Title: "ECS task definitions should not share the host's process namespace"
 Description: "This control checks if AWS ECS task definitions are configured to share a host's process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- task_definition_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when pid_mode = 'host' then 'alarm'
- else 'ok'
- end as status,
- case
- when pid_mode = 'host' then title || ' shares the host process namespace.'
- else title || ' does not share the host process namespace.'
- end as reason
-
- , region, account_id
- from
- aws_ecs_task_definition;
+ QueryToExecute: "select\n task_definition_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when pid_mode = 'host' then 'alarm'\n else 'ok'\n end as status,\n case\n when pid_mode = 'host' then title || ' shares the host process namespace.'\n else title || ' does not share the host process namespace.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecs_task_definition;\n"
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: high
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - resource_configuration
+ - resource_configuration
 foundational_security_item_id:
- - ecs_3
+ - ecs_3
 plugin:
- - aws
+ - aws
 service:
- - AWS/ECS
+ - AWS/ECS
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_ecs_task_definition_no_root_user.yaml b/compliance/controls/aws/aws_ecs_task_definition_no_root_user.yaml
index 15c76fded..7c0f5524a 100755
--- a/compliance/controls/aws/aws_ecs_task_definition_no_root_user.yaml
+++ b/compliance/controls/aws/aws_ecs_task_definition_no_root_user.yaml
@@ -1,8 +1,6 @@
 ID: aws_ecs_task_definition_no_root_user
 Title: "ECS task definitions should not use root user."
 Description: "This control checks if ECS task definitions have root user. This control fails if the ECS task definitions have root user."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -32,7 +30,9 @@ Query:
 left join root_user_task_definition as b on a.task_definition_arn = b.arn;
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_ecs_task_definition_user_for_host_mode_check.yaml b/compliance/controls/aws/aws_ecs_task_definition_user_for_host_mode_check.yaml
index e934c7f72..372abd2e0 100755
--- a/compliance/controls/aws/aws_ecs_task_definition_user_for_host_mode_check.yaml
+++ b/compliance/controls/aws/aws_ecs_task_definition_user_for_host_mode_check.yaml
@@ -1,76 +1,40 @@
 ID: aws_ecs_task_definition_user_for_host_mode_check
 Title: "ECS task definition container definitions should be checked for host mode"
 Description: "Check if AWS Elastic Container Service (AWS ECS) task definition with host networking mode has 'privileged' or 'user' container definitions.The rule is non-compliant for task definitions with host network mode and container definitions of privileged"
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with host_network_task_definition as (
- select
- distinct task_definition_arn as arn
- from
- aws_ecs_task_definition,
- jsonb_array_elements(container_definitions) as c
- where
- network_mode = 'host'
- and
- (c ->> 'Privileged' is not null
- and c ->> 'Privileged' <> 'false'
- )
- and
- ( c ->> 'User' is not null
- and c ->> 'User' <> 'root'
- )
- )
- select
- a.task_definition_arn as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when a.network_mode is null or a.network_mode <> 'host' then 'skip'
- when b.arn is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when a.network_mode is null or a.network_mode <> 'host' then a.title || ' not host network mode.'
- when b.arn is not null then a.title || ' have secure host network mode.'
- else a.title || ' not have secure host network mode.'
- end as reason
-
- , region, account_id
- from
- aws_ecs_task_definition as a
- left join host_network_task_definition as b on a.task_definition_arn = b.arn;
+ QueryToExecute: "with host_network_task_definition as (\n select\n distinct task_definition_arn as arn\n from\n aws_ecs_task_definition,\n jsonb_array_elements(container_definitions) as c\n where\n network_mode = 'host'\n and\n (c ->> 'Privileged' is not null\n and c ->> 'Privileged' <> 'false'\n )\n and\n ( c ->> 'User' is not null\n and c ->> 'User' <> 'root'\n )\n)\nselect\n a.task_definition_arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.network_mode is null or a.network_mode <> 'host' then 'skip'\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.network_mode is null or a.network_mode <> 'host' then a.title || ' not host network mode.'\n when b.arn is not null then a.title || ' have secure host network mode.'\n else a.title || ' not have secure host network mode.'\n end as reason\n \n , region, account_id\nfrom\n aws_ecs_task_definition as a\n left join host_network_task_definition as b on a.task_definition_arn = b.arn;\n"
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/ECS
+ - AWS/ECS
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_efs_access_point_enforce_root_directory.yaml b/compliance/controls/aws/aws_efs_access_point_enforce_root_directory.yaml
index 3876e4bb4..7fd3b9fac 100755
--- a/compliance/controls/aws/aws_efs_access_point_enforce_root_directory.yaml
+++ b/compliance/controls/aws/aws_efs_access_point_enforce_root_directory.yaml
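Review bot: The `and` joining the `Privileged` and `User` conditions in the `host_network_task_definition` CTE looks stricter than the control describes: the Description speaks of containers having 'privileged' or 'user' definitions, and the AWS Config rule of the same name, as I recall it, is non-compliant only when privileged is false/empty and user is root/empty, so a host-mode container that is privileged but runs as root, or unprivileged but non-root, would alarm here although the rule treats it as compliant — confirm which semantics this control intends. If the rule's semantics are intended, the predicate becomes `(c ->> 'Privileged' = 'true') or (c ->> 'User' is not null and c ->> 'User' <> 'root')`. Independently, the `distinct task_definition_arn` makes a definition 'ok' as soon as one container qualifies, even if another container in the same host-mode definition runs unprivileged as root. The Description is also cut off mid-sentence ("...container definitions of privileged") and should be completed to say what is non-compliant.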
@@ -1,42 +1,26 @@
 ID: aws_efs_access_point_enforce_root_directory
 Title: "EFS access points should enforce a root directory"
 Description: "This control checks if AWS EFS access points are configured to enforce a root directory. The control fails if the value of Path is set to / (the default root directory of the file system)."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- access_point_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when root_directory ->> 'Path'= '/' then 'alarm'
- else 'ok'
- end as status,
- case
- when root_directory ->> 'Path'= '/' then title || ' not configured to enforce a root directory.'
- else title || ' configured to enforce a root directory.'
- end as reason
-
- , region, account_id
- from
- aws_efs_access_point;
+ QueryToExecute: "select\n access_point_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when root_directory ->> 'Path'= '/' then 'alarm'\n else 'ok'\n end as status,\n case\n when root_directory ->> 'Path'= '/' then title || ' not configured to enforce a root directory.'\n else title || ' configured to enforce a root directory.'\n end as reason\n \n , region, account_id\nfrom\n aws_efs_access_point;\n"
 PrimaryTable: aws_efs_access_point
 ListOfTables:
- - aws_efs_access_point
+ - aws_efs_access_point
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - secure_access_management
+ - secure_access_management
 foundational_security_item_id:
- - efs_3
+ - efs_3
 plugin:
- - aws
+ - aws
 service:
- - AWS/EFS
+ - AWS/EFS
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_efs_access_point_enforce_user_identity.yaml b/compliance/controls/aws/aws_efs_access_point_enforce_user_identity.yaml
index 1a020d64d..8d73b60ed 100755
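Review bot: `root_directory ->> 'Path'= '/'` is null rather than true when `root_directory` or its `Path` key is absent, so such an access point falls through to `else 'ok'` and is reported as enforcing a root directory. The Description itself calls `/` the default root directory, so an access point with no Path configured is presumably the case this control most wants to catch; `when coalesce(root_directory ->> 'Path', '/') = '/' then 'alarm'` in both case expressions would cover it (confirm against how the aws_efs_access_point table populates `root_directory`).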
--- a/compliance/controls/aws/aws_efs_access_point_enforce_user_identity.yaml
+++ b/compliance/controls/aws/aws_efs_access_point_enforce_user_identity.yaml
@@ -1,42 +1,26 @@
 ID: aws_efs_access_point_enforce_user_identity
 Title: "EFS access points should enforce a user identity"
 Description: "This control checks whether AWS EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- access_point_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when posix_user is null then 'alarm'
- else 'ok'
- end as status,
- case
- when posix_user is null then title || ' does not enforce a user identity.'
- else title || ' enforces a user identity.'
- end as reason
-
- , region, account_id
- from
- aws_efs_access_point;
+ QueryToExecute: "select\n access_point_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when posix_user is null then 'alarm'\n else 'ok'\n end as status,\n case\n when posix_user is null then title || ' does not enforce a user identity.'\n else title || ' enforces a user identity.'\n end as reason\n \n , region, account_id\nfrom\n aws_efs_access_point;\n"
 PrimaryTable: aws_efs_access_point
 ListOfTables:
- - aws_efs_access_point
+ - aws_efs_access_point
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - secure_access_management
+ - secure_access_management
 foundational_security_item_id:
- - efs_4
+ - efs_4
 plugin:
- - aws
+ - aws
 service:
- - AWS/EFS
+ - AWS/EFS
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_efs_file_system_encrypt_data_at_rest.yaml b/compliance/controls/aws/aws_efs_file_system_encrypt_data_at_rest.yaml
index 153353ac4..9fe6882c6 100755
--- a/compliance/controls/aws/aws_efs_file_system_encrypt_data_at_rest.yaml
+++ b/compliance/controls/aws/aws_efs_file_system_encrypt_data_at_rest.yaml
@@ -1,48 +1,32 @@
 ID: aws_efs_file_system_encrypt_data_at_rest
 Title: "EFS file system encryption at rest should be enabled"
 Description: "Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elastic File System (EFS)."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when encrypted then 'ok'
- else 'alarm'
- end as status,
- case
- when encrypted then title || ' encrypted at rest.'
- else title || ' not encrypted at rest.'
- end as reason
-
- , region, account_id
- from
- aws_efs_file_system;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n , region, account_id\nfrom\n aws_efs_file_system;\n"
 PrimaryTable: aws_efs_file_system
 ListOfTables:
- - aws_efs_file_system
+ - aws_efs_file_system
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - 2.4.1
+ - 2.4.1
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "2.4"
+ - "2.4"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.5.0
+ - v1.5.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/EFS
+ - AWS/EFS
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_efs_file_system_encrypted_with_cmk.yaml b/compliance/controls/aws/aws_efs_file_system_encrypted_with_cmk.yaml
index 37539e5b8..3050cfe4f 100755
--- a/compliance/controls/aws/aws_efs_file_system_encrypted_with_cmk.yaml
+++ b/compliance/controls/aws/aws_efs_file_system_encrypted_with_cmk.yaml
@@ -1,54 +1,25 @@
 ID: aws_efs_file_system_encrypted_with_cmk
 Title: "EFS file systems should be encrypted with CMK"
 Description: "Ensure AWS Elastic File Systems (AWS EFS) are encrypted using CMK. The rule is non-compliant if the EFS File System is not encrypted using CMK."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with encrypted_fs as (
- select
- fs.arn as arn,
- key_manager
- from
- aws_efs_file_system as fs
- left join aws_kms_key as k on fs.kms_key_id = k.arn
- where
- enabled
- )
- select
- f.arn as resource,
- f.og_account_id as og_account_id,
- f.og_resource_id as og_resource_id,
- case
- when not encrypted then 'alarm'
- when encrypted and e.key_manager = 'CUSTOMER' then 'ok'
- else 'alarm'
- end as status,
- case
- when not encrypted then title || ' not encrypted.'
- when encrypted and e.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'
- else title || ' not encrypted with CMK.'
- end as reason
-
- , region, account_id
- from
- aws_efs_file_system as f
- left join encrypted_fs as e on f.arn = e.arn;
+ QueryToExecute: "with encrypted_fs as (\n select\n fs.arn as arn,\n key_manager\n from\n aws_efs_file_system as fs\n left join aws_kms_key as k on fs.kms_key_id = k.arn\n where\n enabled\n)\nselect\n f.arn as resource,\n f.og_account_id as og_account_id,\n f.og_resource_id as og_resource_id,\n case\n when not encrypted then 'alarm'\n when encrypted and e.key_manager = 'CUSTOMER' then 'ok'\n else 'alarm'\n end as status,\n case\n when not encrypted then title || ' not encrypted.'\n when encrypted and e.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'\n else title || ' not encrypted with CMK.'\n end as reason\n \n , region, account_id\nfrom\n aws_efs_file_system as f\n left join encrypted_fs as e on f.arn = e.arn;\n"
 PrimaryTable: aws_efs_file_system
 ListOfTables:
- - aws_efs_file_system
- - aws_kms_key
+ - aws_efs_file_system
+ - aws_kms_key
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cisa_cyber_essentials:
- - "true"
+ - "true"
 other_checks:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/EFS
+ - AWS/EFS
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_efs_file_system_enforces_ssl.yaml b/compliance/controls/aws/aws_efs_file_system_enforces_ssl.yaml
index 28c9f87c1..03ddc903f 100755
--- a/compliance/controls/aws/aws_efs_file_system_enforces_ssl.yaml
+++ b/compliance/controls/aws/aws_efs_file_system_enforces_ssl.yaml
@@ -1,8 +1,6 @@
 ID: aws_efs_file_system_enforces_ssl
 Title: "EFS file systems should enforce SSL"
 Description: "To help protect data in transit, ensure that your EFS file systems require requests to use Secure Socket Layer (SSL)."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -41,7 +39,9 @@ Query:
 left join ssl_ok as ok on ok.name = f.name;
 PrimaryTable: aws_efs_file_system
 ListOfTables:
- - aws_efs_file_system
+ - aws_efs_file_system
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_efs_file_system_in_backup_plan.yaml b/compliance/controls/aws/aws_efs_file_system_in_backup_plan.yaml
index 65591abe1..d3525d22c 100755
--- a/compliance/controls/aws/aws_efs_file_system_in_backup_plan.yaml
+++ b/compliance/controls/aws/aws_efs_file_system_in_backup_plan.yaml
@@ -1,30 +1,14 @@
 ID: aws_efs_file_system_in_backup_plan
 Title: "EFS file systems should be in a backup plan"
 Description: "To help with data back-up processes, ensure your AWS Elastic File System (AWS EFS) file systems are a part of an AWS Backup plan."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when automatic_backups = 'enabled' then 'ok'
- else 'alarm'
- end as status,
- case
- when automatic_backups = 'enabled' then title || ' automatic backups enabled.'
- else title || ' automatic backups not enabled.'
- end as reason
-
-
- from
- aws_efs_file_system;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when automatic_backups = 'enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when automatic_backups = 'enabled' then title || ' automatic backups enabled.'\n else title || ' automatic backups not enabled.'\n end as reason\n \n \nfrom\n aws_efs_file_system;"
 PrimaryTable: aws_efs_file_system
 ListOfTables:
- - aws_efs_file_system
+ - aws_efs_file_system
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_efs_file_system_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_efs_file_system_protected_by_backup_plan.yaml
index 5e74f0097..fd1f545b2 100755
--- a/compliance/controls/aws/aws_efs_file_system_protected_by_backup_plan.yaml
+++ b/compliance/controls/aws/aws_efs_file_system_protected_by_backup_plan.yaml
@@ -1,68 +1,43 @@
 ID: aws_efs_file_system_protected_by_backup_plan
 Title: "EFS file systems should be protected by backup plan"
 Description: "Ensure that AWS Elastic File System (AWS EFS) File Systems are protected by a backup plan. The rule is non-compliant if the EFS File System is not covered by a backup plan."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with backup_protected_file_system as (
- select
- resource_arn as arn
- from
- aws_backup_protected_resource as b
- where
- resource_type = 'EFS'
- )
- select
- f.arn as resource,
- f.og_account_id as og_account_id,
- f.og_resource_id as og_resource_id,
- case
- when b.arn is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when b.arn is not null then f.title || ' is protected by backup plan.'
- else f.title || ' is not protected by backup plan.'
- end as reason
-
- , f.region, f.account_id
- from
- aws_efs_file_system as f
- left join backup_protected_file_system as b on f.arn = b.arn;
+ QueryToExecute: "with backup_protected_file_system as (\n select\n resource_arn as arn\n from\n aws_backup_protected_resource as b\n where\n resource_type = 'EFS'\n)\nselect\n f.arn as resource,\n f.og_account_id as og_account_id,\n f.og_resource_id as og_resource_id,\n case\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is not null then f.title || ' is protected by backup plan.'\n else f.title || ' is not protected by backup plan.'\n end as reason\n \n , f.region, f.account_id\nfrom\n aws_efs_file_system as f\n left join backup_protected_file_system as b on f.arn = b.arn;\n"
 PrimaryTable: aws_efs_file_system
 ListOfTables:
- - aws_backup_protected_resource
- - aws_efs_file_system
+ - aws_backup_protected_resource
+ - aws_efs_file_system
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 gxp_eu_annex_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/EFS
+ - AWS/EFS
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_efs_file_system_restrict_public_access.yaml b/compliance/controls/aws/aws_efs_file_system_restrict_public_access.yaml
index 7a42d01db..03e02f5f0 100755
--- a/compliance/controls/aws/aws_efs_file_system_restrict_public_access.yaml
+++ b/compliance/controls/aws/aws_efs_file_system_restrict_public_access.yaml
@@ -1,8 +1,6 @@
 ID: aws_efs_file_system_restrict_public_access
 Title: "EFS file systems should restrict public access"
 Description: "Manage access to resources in the AWS Cloud by ensuring AWS EFS file systems cannot be publicly accessed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -40,7 +38,9 @@ Query:
 left join wildcard_action_policies as p on p.arn = f.arn;
 PrimaryTable: aws_efs_file_system
 ListOfTables:
- - aws_efs_file_system
+ - aws_efs_file_system
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_eks_cluster_control_plane_audit_logging_enabled.yaml b/compliance/controls/aws/aws_eks_cluster_control_plane_audit_logging_enabled.yaml
index e375cfa89..82592503f 100755
--- a/compliance/controls/aws/aws_eks_cluster_control_plane_audit_logging_enabled.yaml
+++ b/compliance/controls/aws/aws_eks_cluster_control_plane_audit_logging_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_eks_cluster_control_plane_audit_logging_enabled
 Title: "EKS clusters should have control plane audit logging enabled"
 Description: "AWS EKS clusters should have control plane audit logging enabled. These logs make it easy to secure and run clusters."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,7 +35,9 @@ Query:
 left join control_panel_audit_logging as l on l.arn = c.arn;
 PrimaryTable: aws_eks_cluster
 ListOfTables:
- - aws_eks_cluster
+ - aws_eks_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_eks_cluster_endpoint_public_access_restricted.yaml b/compliance/controls/aws/aws_eks_cluster_endpoint_public_access_restricted.yaml
index 9a39541ef..eaa5491e1 100755
--- a/compliance/controls/aws/aws_eks_cluster_endpoint_public_access_restricted.yaml
+++ b/compliance/controls/aws/aws_eks_cluster_endpoint_public_access_restricted.yaml
@@ -1,8 +1,6 @@
 ID: aws_eks_cluster_endpoint_public_access_restricted
 Title: "EKS clusters endpoint public access should be restricted"
 Description: "EKS clusters endpoint with private access allows communication between your nodes and the API server stays within. This control is non-compliant if clusters endpoint public access is enabled as cluster API server is accessible from the internet."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 aws_eks_cluster;
 PrimaryTable: aws_eks_cluster
 ListOfTables:
- - aws_eks_cluster
+ - aws_eks_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_eks_cluster_endpoint_restrict_public_access.yaml b/compliance/controls/aws/aws_eks_cluster_endpoint_restrict_public_access.yaml
index a78787561..a9bf13d5d 100755
--- a/compliance/controls/aws/aws_eks_cluster_endpoint_restrict_public_access.yaml
+++ b/compliance/controls/aws/aws_eks_cluster_endpoint_restrict_public_access.yaml
@@ -1,44 +1,28 @@
 ID: aws_eks_cluster_endpoint_restrict_public_access
 Title: "EKS clusters endpoint should restrict public access"
 Description: "Ensure whether AWS Elastic Kubernetes Service (AWS EKS) endpoint is not publicly accessible. The rule is compliant if the endpoint is publicly accessible."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when resources_vpc_config ->> 'EndpointPublicAccess' = 'true' then 'alarm'
- else 'ok'
- end as status,
- case
- when resources_vpc_config ->> 'EndpointPublicAccess' = 'true' then title || ' endpoint publicly accessible.'
- else title || ' endpoint not publicly accessible.'
- end as reason
-
- , region, account_id
- from
- aws_eks_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when resources_vpc_config ->> 'EndpointPublicAccess' = 'true' then 'alarm'\n else 'ok'\n end as status,\n case\n when resources_vpc_config ->> 'EndpointPublicAccess' = 'true' then title || ' endpoint publicly accessible.'\n else title || ' endpoint not publicly accessible.'\n end as reason\n \n , region, account_id\nfrom\n aws_eks_cluster;\n"
 PrimaryTable: aws_eks_cluster
 ListOfTables:
- - aws_eks_cluster
+ - aws_eks_cluster
 Parameters: []
 Severity: low
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/EKS
+ - AWS/EKS
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_eks_cluster_no_default_vpc.yaml b/compliance/controls/aws/aws_eks_cluster_no_default_vpc.yaml
index 80be7306d..d8bad739a 100755
--- a/compliance/controls/aws/aws_eks_cluster_no_default_vpc.yaml
+++ b/compliance/controls/aws/aws_eks_cluster_no_default_vpc.yaml
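Review bot: The Description in this hunk states "The rule is compliant if the endpoint is publicly accessible", which contradicts the query in the same hunk, where `EndpointPublicAccess = 'true'` yields 'alarm'. Rewording it to `The rule is non-compliant if the endpoint is publicly accessible.` makes the text agree with the check and with the sibling control aws_eks_cluster_endpoint_public_access_restricted, whose Description already says non-compliant.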
@@ -1,8 +1,6 @@
 ID: aws_eks_cluster_no_default_vpc
 Title: "EKS clusters should not be configured within a default VPC"
 Description: "Ensure to configure a new VPC for your EKS cluster as default VPC comes with a default configuration that lacks the proper security controls. Your network should be well configured and should follow the least privilege principle, meaning only the necessary privileges are granted."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -32,8 +30,10 @@ Query:
 left join default_vpc_cluster as v on v.arn = c.arn;
 PrimaryTable: aws_eks_cluster
 ListOfTables:
- - aws_eks_cluster
- - aws_vpc
+ - aws_eks_cluster
+ - aws_vpc
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_eks_cluster_no_multiple_security_groups.yaml b/compliance/controls/aws/aws_eks_cluster_no_multiple_security_groups.yaml
index 88939b954..b4cd08800 100755
--- a/compliance/controls/aws/aws_eks_cluster_no_multiple_security_groups.yaml
+++ b/compliance/controls/aws/aws_eks_cluster_no_multiple_security_groups.yaml
@@ -1,27 +1,14 @@
 ID: aws_eks_cluster_no_multiple_security_groups
 Title: "EKS clusters should not use multiple security groups"
 Description: "This controls ensures that EKS clusters is not using multiple security groups."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') > 1 then 'alarm'
- else 'ok'
- end as status,
- title || ' has '|| jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') || ' security group(s).' as reason
-
-
- from
- aws_eks_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') > 1 then 'alarm'\n else 'ok'\n end as status,\n title || ' has '|| jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds') || ' security group(s).' as reason\n \n \nfrom\n aws_eks_cluster;"
 PrimaryTable: aws_eks_cluster
 ListOfTables:
- - aws_eks_cluster
+ - aws_eks_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_eks_cluster_secrets_encrypted.yaml b/compliance/controls/aws/aws_eks_cluster_secrets_encrypted.yaml
index fec201389..db8f8ecfb 100755
--- a/compliance/controls/aws/aws_eks_cluster_secrets_encrypted.yaml
+++ b/compliance/controls/aws/aws_eks_cluster_secrets_encrypted.yaml
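Review bot: When `resources_vpc_config -> 'SecurityGroupIds'` is absent, `jsonb_array_length(...)` is null, so the status comparison falls through to 'ok' but the concatenation `title || ' has '|| null || ' security group(s).'` evaluates to NULL and the row is emitted without a reason. Wrapping the count as `coalesce(jsonb_array_length(resources_vpc_config -> 'SecurityGroupIds'), 0)` in both places keeps the reason populated and makes the zero-group case explicit rather than an accidental null.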
@@ -1,58 +1,30 @@ ID: aws_eks_cluster_secrets_encrypted Title: "EKS clusters should be configured to have kubernetes secrets encrypted using KMS" Description: "Ensure that AWS Elastic Kubernetes Service clusters are configured to have Kubernetes secrets encrypted using AWS Key Management Service (KMS) keys." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with eks_secrets_encrypted as ( - select - distinct arn as arn - from - aws_eks_cluster, - jsonb_array_elements(encryption_config) as e - where - e -> 'Resources' @> '["secrets"]' - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when encryption_config is null then 'alarm' - when b.arn is not null then 'ok' - else 'alarm' - end as status, - case - when encryption_config is null then a.title || ' encryption not enabled.' - when b.arn is not null then a.title || ' encrypted with EKS secrets.' - else a.title || ' not encrypted with EKS secrets.' - end as reason - - , region, account_id - from - aws_eks_cluster as a - left join eks_secrets_encrypted as b on a.arn = b.arn; + QueryToExecute: "with eks_secrets_encrypted as (\n select\n distinct arn as arn\n from\n aws_eks_cluster,\n jsonb_array_elements(encryption_config) as e\n where\n e -> 'Resources' @> '[\"secrets\"]'\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when encryption_config is null then 'alarm'\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_config is null then a.title || ' encryption not enabled.'\n when b.arn is not null then a.title || ' encrypted with EKS secrets.'\n else a.title || ' not encrypted with EKS secrets.'\n end as reason\n \n , region, account_id\nfrom\n aws_eks_cluster as a\n left join eks_secrets_encrypted as b on a.arn = b.arn;\n" PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: [] Severity: 
high Tags: category: - - Compliance + - Compliance gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/EKS + - AWS/EKS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_eks_cluster_with_latest_kubernetes_version.yaml b/compliance/controls/aws/aws_eks_cluster_with_latest_kubernetes_version.yaml index 249b35abb..325643138 100755 --- a/compliance/controls/aws/aws_eks_cluster_with_latest_kubernetes_version.yaml +++ b/compliance/controls/aws/aws_eks_cluster_with_latest_kubernetes_version.yaml 
@@ -1,43 +1,26 @@ ID: aws_eks_cluster_with_latest_kubernetes_version Title: "EKS clusters should run on a supported Kubernetes version" Description: "This control checks whether an AWS EKS cluster is running on a supported Kubernetes version. The control fails if the EKS cluster is running on an unsupported version. If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that's supported by EKS for your clusters." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - -- eks:oldestVersionSupported (Current oldest supported version is 1.19) - when (version)::decimal >= 1.19 then 'ok' - else 'alarm' - end as status, - case - when (version)::decimal >= 1.19 then title || ' runs on a supported kubernetes version.' - else title || ' does not run on a supported kubernetes version.' - end as reason - - , region, account_id - from - aws_eks_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n -- eks:oldestVersionSupported (Current oldest supported version is 1.19)\n when (version)::decimal >= 1.19 then 'ok'\n else 'alarm'\n end as status,\n case\n when (version)::decimal >= 1.19 then title || ' runs on a supported kubernetes version.'\n else title || ' does not run on a supported kubernetes version.'\n end as reason\n \n , region, account_id\nfrom\n aws_eks_cluster;\n" PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - vulnerability_patch_and_version_management + - vulnerability_patch_and_version_management foundational_security_item_id: - - eks_2 + - eks_2 plugin: - - aws + - aws service: - - AWS/EKS + - 
AWS/EKS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elastic_beanstalk_enhanced_health_reporting_enabled.yaml b/compliance/controls/aws/aws_elastic_beanstalk_enhanced_health_reporting_enabled.yaml index 3bebda397..602e8d2d9 100755 --- a/compliance/controls/aws/aws_elastic_beanstalk_enhanced_health_reporting_enabled.yaml +++ b/compliance/controls/aws/aws_elastic_beanstalk_enhanced_health_reporting_enabled.yaml 
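Review bot: The support check in the new `QueryToExecute` string still hard-codes `(version)::decimal >= 1.19` with the comment `Current oldest supported version is 1.19`, so the control's pass/fail line does not follow EKS's rolling end-of-support calendar and a cluster past end of support is reported `ok` until someone edits the SQL. Since the control already declares `Parameters: []`, the floor is a natural candidate for a control parameter if the engine supports one here; at minimum the comment should record when the value was last checked. Comparing the version as `decimal` also stops ordering correctly once a minor number reaches three digits (`'1.100'::decimal` is 1.1); comparing `split_part(version, '.', 2)::int` against the minor floor is robust to that.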
@@ -1,46 +1,30 @@ ID: aws_elastic_beanstalk_enhanced_health_reporting_enabled Title: "Elastic Beanstalk enhanced health reporting should be enabled" Description: "AWS Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application. Elastic Beanstalk enhanced health reporting provides a status descriptor to gauge the severity of the identified issues and identify possible causes to investigate." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - application_name as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when health_status is not null and health is not null then 'ok' - else 'alarm' - end as status, - case - when health_status is not null and health is not null then application_name || ' enhanced health check enabled.' - else application_name || ' enhanced health check disabled.' 
- end as reason - - , region, account_id - from - aws_elastic_beanstalk_environment; + QueryToExecute: "select\n application_name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when health_status is not null and health is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when health_status is not null and health is not null then application_name || ' enhanced health check enabled.'\n else application_name || ' enhanced health check disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_elastic_beanstalk_environment;\n" PrimaryTable: aws_elastic_beanstalk_environment ListOfTables: - - aws_elastic_beanstalk_environment + - aws_elastic_beanstalk_environment Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/ElasticBeanstalk + - AWS/ElasticBeanstalk +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml b/compliance/controls/aws/aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml index f3b20768a..c441dcb1c 100755 --- a/compliance/controls/aws/aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml +++ b/compliance/controls/aws/aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml 
@@ -1,8 +1,6 @@ ID: aws_elastic_beanstalk_environment_logs_to_cloudwatch Title: "Elastic Beanstalk should stream logs to CloudWatch" Description: "This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs. Optionally, you can provide a custom value for the RetentionInDays parameter if you want the control to pass only if logs are retained for the specified number of days before expiration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -36,7 +34,9 @@ Query: left join beanstalk_environment_logs_enabled as l on e.arn = l.arn; PrimaryTable: aws_elastic_beanstalk_environment ListOfTables: - - aws_elastic_beanstalk_environment + - aws_elastic_beanstalk_environment Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elastic_beanstalk_environment_managed_updates_enabled.yaml b/compliance/controls/aws/aws_elastic_beanstalk_environment_managed_updates_enabled.yaml index 324276190..2357a092d 100755 --- a/compliance/controls/aws/aws_elastic_beanstalk_environment_managed_updates_enabled.yaml +++ b/compliance/controls/aws/aws_elastic_beanstalk_environment_managed_updates_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_elastic_beanstalk_environment_managed_updates_enabled Title: "Elastic Beanstalk environment should have managed updates enabled" Description: "This control checks whether managed platform updates in an AWS Elastic Beanstalk environment is enabled. The rule is COMPLIANT if the value for ManagedActionsEnabled is set to true. The rule is NON_COMPLIANT if the value for ManagedActionsEnabled is set to false, or if a parameter is provided and its value does not match the existing configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -36,7 +34,9 @@ Query: left join beanstalk_environment_logs_enabled as l on e.arn = l.arn; PrimaryTable: aws_elastic_beanstalk_environment ListOfTables: - - aws_elastic_beanstalk_environment + - aws_elastic_beanstalk_environment Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elasticache_cluster_auto_minor_version_upgrade_enabled.yaml b/compliance/controls/aws/aws_elasticache_cluster_auto_minor_version_upgrade_enabled.yaml index 6346d57a9..53dda3c19 100755 --- a/compliance/controls/aws/aws_elasticache_cluster_auto_minor_version_upgrade_enabled.yaml +++ b/compliance/controls/aws/aws_elasticache_cluster_auto_minor_version_upgrade_enabled.yaml 
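Review bot: The context line of this hunk, `left join beanstalk_environment_logs_enabled as l on e.arn = l.arn;`, is the same closing line at the same line numbers as the hunk in aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml just above, which suggests the managed-updates control's query body (outside this hunk) was copied from the CloudWatch-logs control and evaluates log streaming rather than the `ManagedActionsEnabled` setting the Description promises. Please confirm against the full query body; if it is a copy, environments without managed platform updates are reported compliant whenever they stream logs, which is a finding that should be fixed on its own rather than carried along with a formatting change.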
@@ -1,42 +1,26 @@ ID: aws_elasticache_cluster_auto_minor_version_upgrade_enabled Title: "Minor version upgrades should be automatically applied to ElastiCache for Redis cache clusters" Description: "This control evaluates whether ElastiCache for Redis automatically applies minor version upgrades to cache clusters. This control fails if ElastiCache for Redis cache clusters do not have minor version upgrades automatically applied." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when auto_minor_version_upgrade then 'ok' - else 'alarm' - end as status, - case - when auto_minor_version_upgrade then title || ' automatic minor version upgrades enabled.' - else title || ' automatic minor version upgrades disabled.' - end as reason - - , region, account_id - from - aws_elasticache_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when auto_minor_version_upgrade then 'ok'\n else 'alarm'\n end as status,\n case\n when auto_minor_version_upgrade then title || ' automatic minor version upgrades enabled.'\n else title || ' automatic minor version upgrades disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_elasticache_cluster;\n" PrimaryTable: aws_elasticache_cluster ListOfTables: - - aws_elasticache_cluster + - aws_elasticache_cluster Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - vulnerability_patch_and_version_management + - vulnerability_patch_and_version_management foundational_security_item_id: - - elasticache_2 + - elasticache_2 plugin: - - aws + - aws service: - - AWS/ElastiCache + - AWS/ElastiCache +IntegrationTypeName: + - aws_cloud 
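Review bot: The Title and Description scope this control to ElastiCache for Redis, but the new `QueryToExecute` string reads every row of `aws_elasticache_cluster` with no engine filter, so Memcached clusters are scored against a Redis-specific requirement and the `elasticache_2` value in `foundational_security_item_id` no longer matches what the query checks. If the table exposes the engine (Steampipe's equivalent table does, as `engine`), adding `where engine = 'redis'` to the `from aws_elasticache_cluster;` clause restricts the check to the documented scope; otherwise the Title should drop "for Redis".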
diff --git a/compliance/controls/aws/aws_elasticache_cluster_no_default_subnet_group.yaml b/compliance/controls/aws/aws_elasticache_cluster_no_default_subnet_group.yaml index 44b3bb9cf..e869090d4 100755 --- a/compliance/controls/aws/aws_elasticache_cluster_no_default_subnet_group.yaml +++ b/compliance/controls/aws/aws_elasticache_cluster_no_default_subnet_group.yaml 
@@ -1,42 +1,26 @@ ID: aws_elasticache_cluster_no_default_subnet_group Title: "ElastiCache clusters should not use the default subnet group" Description: "This control checks if ElastiCache clusters are configured with a custom subnet group. The control fails for an ElastiCache cluster if CacheSubnetGroupName has the value default." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when cache_subnet_group_name = 'default' then 'alarm' - else 'ok' - end as status, - case - when cache_subnet_group_name = 'default' then title || ' not configured with a custom subnet group.' - else title || ' configured with a custom subnet group.' - end as reason - - , region, account_id - from - aws_elasticache_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when cache_subnet_group_name = 'default' then 'alarm'\n else 'ok'\n end as status,\n case\n when cache_subnet_group_name = 'default' then title || ' not configured with a custom subnet group.'\n else title || ' configured with a custom subnet group.'\n end as reason\n \n , region, account_id\nfrom\n aws_elasticache_cluster;\n" PrimaryTable: aws_elasticache_cluster ListOfTables: - - aws_elasticache_cluster + - aws_elasticache_cluster Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - elasticache_7 + - elasticache_7 plugin: - - aws + - aws service: - - AWS/ElastiCache + - AWS/ElastiCache +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elasticache_cluster_no_public_subnet.yaml b/compliance/controls/aws/aws_elasticache_cluster_no_public_subnet.yaml index 603e0d851..b22fc4b6c 100755 
--- a/compliance/controls/aws/aws_elasticache_cluster_no_public_subnet.yaml +++ b/compliance/controls/aws/aws_elasticache_cluster_no_public_subnet.yaml @@ -1,8 +1,6 @@ ID: aws_elasticache_cluster_no_public_subnet Title: "ElastiCache clusters should not use public_subnet" Description: "This control checks if ElastiCache clusters are configured with public subnet as there is a risk of exposing sensitive data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -85,10 +83,12 @@ Query: left join cluster_public_subnet as s on s.cache_subnet_group_name = c.cache_subnet_group_name; PrimaryTable: aws_elasticache_cluster ListOfTables: - - aws_vpc_route_table - - aws_vpc_subnet - - aws_elasticache_subnet_group - - aws_elasticache_cluster + - aws_vpc_route_table + - aws_vpc_subnet + - aws_elasticache_subnet_group + - aws_elasticache_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elasticache_redis_cluster_automatic_backup_retention_15_days.yaml b/compliance/controls/aws/aws_elasticache_redis_cluster_automatic_backup_retention_15_days.yaml index a77fe6069..53fe1d612 100755 --- a/compliance/controls/aws/aws_elasticache_redis_cluster_automatic_backup_retention_15_days.yaml +++ b/compliance/controls/aws/aws_elasticache_redis_cluster_automatic_backup_retention_15_days.yaml @@ -1,8 +1,6 @@ ID: aws_elasticache_redis_cluster_automatic_backup_retention_15_days Title: "ElastiCache Redis cluster automatic backup should be enabled with retention period of 15 days or greater" Description: "When automatic backups are enabled, AWS ElastiCache creates a backup of the cluster on a daily basis. The backup can be retained for a number of days as specified by your organization. Automatic backups can help guard against data loss." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -24,45 +22,47 @@ Query: aws_elasticache_replication_group; PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_replication_group + - aws_elasticache_replication_group Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ElastiCache + - AWS/ElastiCache soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elasticache_replication_group_auto_failover_enabled.yaml b/compliance/controls/aws/aws_elasticache_replication_group_auto_failover_enabled.yaml index 8868c7226..1d615775d 100755 --- a/compliance/controls/aws/aws_elasticache_replication_group_auto_failover_enabled.yaml +++ b/compliance/controls/aws/aws_elasticache_replication_group_auto_failover_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_elasticache_replication_group_auto_failover_enabled Title: "ElastiCache for Redis replication groups should have automatic failover enabled" Description: "This control checks if ElastiCache for Redis replication groups have automatic failover enabled. This control fails if automatic failover isn't enabled for a Redis replication group." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -23,19 +21,21 @@ Query: aws_elasticache_replication_group; PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_replication_group + - aws_elasticache_replication_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - high_availability + - high_availability foundational_security_item_id: - - elasticache_3 + - elasticache_3 plugin: - - aws + - aws service: - - AWS/ElastiCache + - AWS/ElastiCache +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled.yaml index f85a93e4c..09190c6c0 100755 --- a/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_elasticache_replication_group_encryption_at_rest_enabled Title: "ElastiCache for Redis replication groups should be encrypted at rest" Description: "This control checks if ElastiCache for Redis replication groups are encrypted at rest. This control fails if an ElastiCache for Redis replication group isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -23,19 +21,21 @@ Query: aws_elasticache_replication_group; PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_replication_group + - aws_elasticache_replication_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_at_rest + - encryption_of_data_at_rest foundational_security_item_id: - - elasticache_4 + - elasticache_4 plugin: - - aws + - aws service: - - AWS/ElastiCache + - AWS/ElastiCache +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml b/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml index cb3f70b0d..7da3435df 100755 --- a/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml +++ b/compliance/controls/aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml 
@@ -1,60 +1,15 @@ ID: aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk Title: "ElastiCache for Redis replication groups should be encrypted with CMK" Description: "Ensure ElastiCache for Redis replication group are encrypted using CMK. The rule is non-compliant if the ElastiCache for Redis replication group is not encrypted using CMK." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with aws_elasticache_replication_groups as ( - select - arn, - at_rest_encryption_enabled, - title, - kms_key_id, - region, - account_id, - _ctx, - og_account_id, - og_resource_id - from - aws_elasticache_replication_group - order by - arn - ), - kms_keys as ( - select - k.arn, - k.region, - k.account_id, - k.enabled - from - aws_kms_key as k - ) - select - r.arn as resource, - r.og_account_id as og_account_id, - r.og_resource_id as og_resource_id, - case - when not at_rest_encryption_enabled then 'alarm' - when at_rest_encryption_enabled and kms_key_id is null then 'alarm' - when at_rest_encryption_enabled and kms_key_id is not null and k.enabled then 'ok' - else 'alarm' - end as status, - case - when not at_rest_encryption_enabled then r.title || ' encryption at rest disabled.' - when at_rest_encryption_enabled and kms_key_id is null then r.title || ' encryption at rest not enabled with CMK.' - when at_rest_encryption_enabled and kms_key_id is not null and k.enabled then r.title || ' encryption at rest enabled with CMK.' - else r.title || ' encryption at rest enabled with disabled CMK.' 
- end as reason - - from - aws_elasticache_replication_groups as r - left join kms_keys as k on k.arn = r.kms_key_id; + QueryToExecute: "with aws_elasticache_replication_groups as (\n select\n arn,\n at_rest_encryption_enabled,\n title,\n kms_key_id,\n region,\n account_id,\n _ctx,\n og_account_id,\n og_resource_id\n from\n aws_elasticache_replication_group\n order by\n arn\n),\nkms_keys as (\n select\n k.arn,\n k.region,\n k.account_id,\n k.enabled\n from\n aws_kms_key as k\n)\nselect\n r.arn as resource,\n r.og_account_id as og_account_id,\n r.og_resource_id as og_resource_id,\n case\n when not at_rest_encryption_enabled then 'alarm'\n when at_rest_encryption_enabled and kms_key_id is null then 'alarm'\n when at_rest_encryption_enabled and kms_key_id is not null and k.enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when not at_rest_encryption_enabled then r.title || ' encryption at rest disabled.'\n when at_rest_encryption_enabled and kms_key_id is null then r.title || ' encryption at rest not enabled with CMK.'\n when at_rest_encryption_enabled and kms_key_id is not null and k.enabled then r.title || ' encryption at rest enabled with CMK.'\n else r.title || ' encryption at rest enabled with disabled CMK.'\n end as reason\n \nfrom\n aws_elasticache_replication_groups as r\n left join kms_keys as k on k.arn = r.kms_key_id;" PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_replication_group - - aws_kms_key + - aws_elasticache_replication_group + - aws_kms_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elasticache_replication_group_encryption_in_transit_enabled.yaml b/compliance/controls/aws/aws_elasticache_replication_group_encryption_in_transit_enabled.yaml index 5ecfec777..cc550e8b5 100755 --- a/compliance/controls/aws/aws_elasticache_replication_group_encryption_in_transit_enabled.yaml 
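Review bot: In the new `QueryToExecute` string the `else` arm of both `case` expressions is reached whenever `k.enabled` is null, so a replication group whose `kms_key_id` has no matching row in `aws_kms_key` (a key in another account, or one the scan could not read) is reported as `' encryption at rest enabled with disabled CMK.'` although nothing is known about the key's state, and the same reason is emitted when `at_rest_encryption_enabled` itself is null. Adding a branch such as `when at_rest_encryption_enabled and kms_key_id is not null and k.arn is null then r.title || ' encryption key not found.'` before the final `else` keeps the status at alarm while giving the operator an accurate reason. The CTE also projects `region`, `account_id` and `_ctx` that the outer select never reads, and `order by arn` inside a CTE has no effect on the join; both are leftovers that can be dropped.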
+++ b/compliance/controls/aws/aws_elasticache_replication_group_encryption_in_transit_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_elasticache_replication_group_encryption_in_transit_enabled Title: "ElastiCache for Redis replication groups should be encrypted in transit" Description: "This control checks if ElastiCache for Redis replication groups are encrypted in transit. This control fails if an ElastiCache for Redis replication group isn't encrypted in transit." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -23,19 +21,21 @@ Query: aws_elasticache_replication_group; PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_replication_group + - aws_elasticache_replication_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_in_transit + - encryption_of_data_in_transit foundational_security_item_id: - - elasticache_5 + - elasticache_5 plugin: - - aws + - aws service: - - AWS/ElastiCache + - AWS/ElastiCache +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elasticache_replication_group_redis_auth_enabled.yaml b/compliance/controls/aws/aws_elasticache_replication_group_redis_auth_enabled.yaml index c7b35f6df..3271da192 100755 --- a/compliance/controls/aws/aws_elasticache_replication_group_redis_auth_enabled.yaml +++ b/compliance/controls/aws/aws_elasticache_replication_group_redis_auth_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_elasticache_replication_group_redis_auth_enabled Title: "ElastiCache for Redis replication groups before version 6.0 should use Redis Auth" Description: "This control checks if ElastiCache for Redis replication groups has Redis Auth enabled. The control fails for an ElastiCache for Redis replication group if the Redis version of its nodes is below 6.0 and AuthToken isn't in use." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -33,20 +31,22 @@ Query: left join elasticache_cluster_node_version as v on eg.replication_group_id = v.replication_group_id; PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_cluster - - aws_elasticache_replication_group + - aws_elasticache_cluster + - aws_elasticache_replication_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_access_management + - secure_access_management foundational_security_item_id: - - elasticache_6 + - elasticache_6 plugin: - - aws + - aws service: - - AWS/ElastiCache + - AWS/ElastiCache +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_application_classic_lb_logging_enabled.yaml b/compliance/controls/aws/aws_elb_application_classic_lb_logging_enabled.yaml index 0cf458b78..c0518cba6 100755 --- a/compliance/controls/aws/aws_elb_application_classic_lb_logging_enabled.yaml +++ b/compliance/controls/aws/aws_elb_application_classic_lb_logging_enabled.yaml 
@@ -1,92 +1,53 @@ ID: aws_elb_application_classic_lb_logging_enabled Title: "ELB application and classic load balancer logging should be enabled" Description: "Elastic Load Balancing activity is a central point of communication within an environment." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_ec2_application_load_balancer' as og_table_name, - case - when load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' then 'ok' - else 'alarm' - end as status, - case - when load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' then title || ' logging enabled.' - else title || ' logging disabled.' - end as reason - - , region, account_id - from - aws_ec2_application_load_balancer - ) - union - ( - select - 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_ec2_classic_load_balancer' as og_table_name, - case - when access_log_enabled = 'true' then 'ok' - else 'alarm' - end as status, - case - when access_log_enabled = 'true' then title || ' logging enabled.' - else title || ' logging disabled.' 
- end as reason - - , region, account_id - from - aws_ec2_classic_load_balancer - ); + QueryToExecute: "(\n select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_ec2_application_load_balancer' as og_table_name,\n case\n when load_balancer_attributes @> '[{\"Key\": \"access_logs.s3.enabled\", \"Value\": \"true\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when load_balancer_attributes @> '[{\"Key\": \"access_logs.s3.enabled\", \"Value\": \"true\"}]' then title || ' logging enabled.'\n else title || ' logging disabled.'\n end as reason\n \n , region, account_id\n from\n aws_ec2_application_load_balancer\n)\nunion\n(\n select\n 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_ec2_classic_load_balancer' as og_table_name,\n case\n when access_log_enabled = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when access_log_enabled = 'true' then title || ' logging enabled.'\n else title || ' logging disabled.'\n end as reason\n \n , region, account_id\n from\n aws_ec2_classic_load_balancer\n);\n" PrimaryTable: "" ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_classic_load_balancer + - aws_ec2_application_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" 
+ - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ELB + - AWS/ELB soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml b/compliance/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml index d78400929..76c4db75d 100755 --- a/compliance/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml @@ -1,8 +1,6 @@ ID: aws_elb_application_classic_network_lb_prohibit_public_access Title: "ELB load balancers should prohibit public access" Description: "An internet facing load balancer has a publicly resolvable DNS name, so it can route requests from clients over the internet to the EC2 instances that are registered with the load balancer." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -62,9 +60,11 @@ Query: all_lb_details; PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_network_load_balancer - - aws_ec2_classic_load_balancer + - aws_ec2_application_load_balancer + - aws_ec2_network_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_application_gateway_network_lb_multiple_az_configured.yaml b/compliance/controls/aws/aws_elb_application_gateway_network_lb_multiple_az_configured.yaml index d0a9272f3..425f496d3 100755 --- a/compliance/controls/aws/aws_elb_application_gateway_network_lb_multiple_az_configured.yaml +++ b/compliance/controls/aws/aws_elb_application_gateway_network_lb_multiple_az_configured.yaml 
@@ -1,72 +1,28 @@ ID: aws_elb_application_gateway_network_lb_multiple_az_configured Title: "ELB application, network, and gateway load balancers should span multiple availability zones" Description: "This control checks whether an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones. The control fails if an Elastic Load Balancer V2 has instances registered in fewer than two Availability Zones." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_ec2_application_load_balancer' as og_table_name, - case - when jsonb_array_length(availability_zones) < 2 then 'alarm' - else 'ok' - end as status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason - - , region, account_id - from - aws_ec2_application_load_balancer - union - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_ec2_network_load_balancer' as og_table_name, - case - when jsonb_array_length(availability_zones) < 2 then 'alarm' - else 'ok' - end as status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason - - , region, account_id - from - aws_ec2_network_load_balancer - union - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_ec2_gateway_load_balancer' as og_table_name, - case - when jsonb_array_length(availability_zones) < 2 then 'alarm' - else 'ok' - end as status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' 
as reason - - , region, account_id - from - aws_ec2_gateway_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_ec2_application_load_balancer' as og_table_name,\n case\n when jsonb_array_length(availability_zones) < 2 then 'alarm'\n else 'ok'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason\n \n , region, account_id\nfrom\n aws_ec2_application_load_balancer\nunion\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_ec2_network_load_balancer' as og_table_name,\n case\n when jsonb_array_length(availability_zones) < 2 then 'alarm'\n else 'ok'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason\n \n , region, account_id\nfrom\n aws_ec2_network_load_balancer\nunion\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_ec2_gateway_load_balancer' as og_table_name,\n case\n when jsonb_array_length(availability_zones) < 2 then 'alarm'\n else 'ok'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason\n \n , region, account_id\nfrom\n aws_ec2_gateway_load_balancer;\n" PrimaryTable: "" ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_gateway_load_balancer - - aws_ec2_network_load_balancer + - aws_ec2_application_load_balancer + - aws_ec2_gateway_load_balancer + - aws_ec2_network_load_balancer Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - high_availability + - high_availability foundational_security_item_id: - - elb_13 + - elb_13 plugin: - - aws + - aws service: - - AWS/ELB + - AWS/ELB +IntegrationTypeName: + - aws_cloud 
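Review bot: The `+ QueryToExecute: "select\n ..."` line replaces a `|` block scalar with a single double-quoted scalar carrying `\n` escapes, which makes the SQL unreadable in review, undiffable line by line, and forces `\"` escaping for every JSON literal used in the sibling controls' `@>` containment checks. Keeping `QueryToExecute: |` with the re-indented body preserves the other changes in this commit (dropping `Connector`, adding `IntegrationTypeName`) without that cost. The same conversion appears in aws_elb_application_lb_deletion_protection_enabled, aws_elb_application_lb_desync_mitigation_mode, aws_elb_application_lb_drop_http_headers, aws_elb_application_lb_redirect_http_request_to_https, aws_elb_application_lb_waf_enabled and the classic load balancer controls later in this diff. If a serializer produced this output it presumably lacks a block-scalar setting for multi-line strings, and that should be fixed before the remaining controls are regenerated.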
diff --git a/compliance/controls/aws/aws_elb_application_lb_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_elb_application_lb_deletion_protection_enabled.yaml index e31d34c16..6872d0499 100755 --- a/compliance/controls/aws/aws_elb_application_lb_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_deletion_protection_enabled.yaml 
@@ -1,58 +1,42 @@ ID: aws_elb_application_lb_deletion_protection_enabled Title: "ELB application load balancer deletion protection should be enabled" Description: "This rule ensures that Elastic Load Balancing has deletion protection enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' then 'ok' - else 'alarm' - end as status, - case - when load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' then title || ' deletion protection enabled.' - else title || ' deletion protection disabled.' - end as reason - - , region, account_id - from - aws_ec2_application_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when load_balancer_attributes @> '[{\"Key\": \"deletion_protection.enabled\", \"Value\": \"true\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when load_balancer_attributes @> '[{\"Key\": \"deletion_protection.enabled\", \"Value\": \"true\"}]' then title || ' deletion protection enabled.'\n else title || ' deletion protection disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_application_load_balancer;\n" PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - 
"true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/ELB + - AWS/ELB +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_application_lb_desync_mitigation_mode.yaml b/compliance/controls/aws/aws_elb_application_lb_desync_mitigation_mode.yaml index 9f1edcc80..da4aa08fa 100755 --- a/compliance/controls/aws/aws_elb_application_lb_desync_mitigation_mode.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_desync_mitigation_mode.yaml 
@@ -1,51 +1,26 @@ ID: aws_elb_application_lb_desync_mitigation_mode Title: "ELB application load balancers should be configured with defensive or strictest desync mitigation mode" Description: "This control checks whether an Application Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if an Application Load Balancer is not configured with defensive or strictest desync mitigation mode." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with app_lb_desync_mitigation_mode as ( - select - arn, - l ->> 'Key', - l ->> 'Value' as v - from - aws_ec2_application_load_balancer, - jsonb_array_elements(load_balancer_attributes) as l - where - l ->> 'Key' = 'routing.http.desync_mitigation_mode' - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when m.v = any(array['defensive', 'strictest']) then 'ok' - else 'alarm' - end as status, - title || ' has ' || m.v || ' desync mitigation mode.' as reason - - , region, account_id - from - aws_ec2_application_load_balancer as a - left join app_lb_desync_mitigation_mode as m on a.arn = m.arn; + QueryToExecute: "with app_lb_desync_mitigation_mode as (\n select\n arn,\n l ->> 'Key',\n l ->> 'Value' as v\n from\n aws_ec2_application_load_balancer,\n jsonb_array_elements(load_balancer_attributes) as l\n where\n l ->> 'Key' = 'routing.http.desync_mitigation_mode'\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when m.v = any(array['defensive', 'strictest']) then 'ok'\n else 'alarm'\n end as status,\n title || ' has ' || m.v || ' desync mitigation mode.' 
as reason\n \n , region, account_id\nfrom\n aws_ec2_application_load_balancer as a\n left join app_lb_desync_mitigation_mode as m on a.arn = m.arn;\n" PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - data_integrity + - data_integrity foundational_security_item_id: - - elb_12 + - elb_12 plugin: - - aws + - aws service: - - AWS/ELB + - AWS/ELB +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_application_lb_drop_http_headers.yaml b/compliance/controls/aws/aws_elb_application_lb_drop_http_headers.yaml index 0c0c21850..98b8faa4f 100755 --- a/compliance/controls/aws/aws_elb_application_lb_drop_http_headers.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_drop_http_headers.yaml 
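Review bot: `title || ' has ' || m.v || ' desync mitigation mode.'` produces a null reason whenever the left join finds no `routing.http.desync_mitigation_mode` attribute for a balancer, because `m.v` is null and `||` propagates null, while the status branch still reports 'alarm' for that row. A defaulted value keeps the reason readable: `title || ' has ' || coalesce(m.v, 'no') || ' desync mitigation mode.'`. The same construct is in aws_elb_classic_lb_desync_mitigation_mode further down in this diff, where the CTE is also still named `app_lb_desync_mitigation_mode` although it reads `aws_ec2_classic_load_balancer`.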
@@ -1,56 +1,40 @@ ID: aws_elb_application_lb_drop_http_headers Title: "ELB application load balancers should be drop HTTP headers" Description: "Ensure that your Elastic Load Balancers (ELB) are configured to drop http headers." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' then 'ok' - else 'alarm' - end as status, - case - when load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' then title || ' configured to drop http headers.' - else title || ' not configured to drop http headers.' - end as reason - - , region, account_id - from - aws_ec2_application_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when load_balancer_attributes @> '[{\"Key\": \"routing.http.drop_invalid_header_fields.enabled\", \"Value\": \"true\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when load_balancer_attributes @> '[{\"Key\": \"routing.http.drop_invalid_header_fields.enabled\", \"Value\": \"true\"}]' then title || ' configured to drop http headers.'\n else title || ' not configured to drop http headers.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_application_load_balancer;\n" PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance fedramp_low_rev_4: - - "true" + - "true" gdpr: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_csf: - - "true" + - "true" 
pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ELB + - AWS/ELB soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_application_lb_redirect_http_request_to_https.yaml b/compliance/controls/aws/aws_elb_application_lb_redirect_http_request_to_https.yaml index b9fdc19f7..8427980bc 100755 --- a/compliance/controls/aws/aws_elb_application_lb_redirect_http_request_to_https.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_redirect_http_request_to_https.yaml 
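Review bot: The Title `ELB application load balancers should be drop HTTP headers` is ungrammatical and, together with the Description, overstates what the query checks: the `routing.http.drop_invalid_header_fields.enabled` attribute only drops header fields that are not valid HTTP header fields, not HTTP headers in general. Suggested Title: `"ELB application load balancers should drop invalid HTTP header fields"`, with the Description and the two reason strings (`configured to drop http headers.` / `not configured to drop http headers.`) reworded to say "invalid HTTP header fields" so that a reader of the finding knows which setting is being evaluated.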
@@ -1,82 +1,51 @@ ID: aws_elb_application_lb_redirect_http_request_to_https Title: "ELB application load balancers should redirect HTTP requests to HTTPS" Description: "To help protect data in transit, ensure that your Application Load Balancer automatically redirects unencrypted HTTP requests to HTTPS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with detailed_listeners as ( - select - arn, - load_balancer_arn, - protocol - from - aws_ec2_load_balancer_listener, - jsonb_array_elements(default_actions) as ac - where - split_part(arn,'/',2) = 'app' - and protocol = 'HTTP' - and ac ->> 'Type' = 'redirect' - and ac -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS' - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.load_balancer_arn is null then 'alarm' - else 'ok' - end as status, - case - when b.load_balancer_arn is not null then a.title || ' associated with HTTP redirection.' - else a.title || ' not associated with HTTP redirection.' 
- end as reason - - , a.region, a.account_id - from - aws_ec2_application_load_balancer a - left join detailed_listeners b on a.arn = b.load_balancer_arn; + QueryToExecute: "with detailed_listeners as (\n select\n arn,\n load_balancer_arn,\n protocol\n from\n aws_ec2_load_balancer_listener,\n jsonb_array_elements(default_actions) as ac\n where\n split_part(arn,'/',2) = 'app'\n and protocol = 'HTTP'\n and ac ->> 'Type' = 'redirect'\n and ac -> 'RedirectConfig' ->> 'Protocol' = 'HTTPS'\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.load_balancer_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when b.load_balancer_arn is not null then a.title || ' associated with HTTP redirection.'\n else a.title || ' not associated with HTTP redirection.'\n end as reason\n \n , a.region, a.account_id\nfrom\n aws_ec2_application_load_balancer a\n left join detailed_listeners b on a.arn = b.load_balancer_arn;\n" PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_load_balancer_listener + - aws_ec2_application_load_balancer + - aws_ec2_load_balancer_listener Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ELB + - AWS/ELB soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
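Review bot: An application load balancer that exposes only HTTPS listeners is reported as 'alarm' with reason `not associated with HTTP redirection.`, because the outer query treats the absence of an HTTP listener whose default action redirects to HTTPS as a failure even when there is no HTTP listener to redirect. The CTE should be paired with a check that the balancer has at least one HTTP listener, with balancers that have none reported as 'ok' or 'skip'. Separately, joining `detailed_listeners` on `load_balancer_arn` returns one row per matching listener, so a balancer with two redirecting HTTP listeners appears twice; `select distinct load_balancer_arn` in the CTE (the `arn` and `protocol` columns are not used outside it) keeps one row per balancer.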
diff --git a/compliance/controls/aws/aws_elb_application_lb_waf_enabled.yaml b/compliance/controls/aws/aws_elb_application_lb_waf_enabled.yaml index fa9e67f00..adc54f05c 100755 --- a/compliance/controls/aws/aws_elb_application_lb_waf_enabled.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_waf_enabled.yaml 
@@ -1,58 +1,42 @@ ID: aws_elb_application_lb_waf_enabled Title: "ELB application load balancers should have Web Application Firewall (WAF) enabled" Description: "Ensure AWS WAF is enabled on Elastic Load Balancers (ELB) to help protect web applications." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' then 'ok' - else 'alarm' - end as status, - case - when load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' then title || ' WAF enabled.' - else title || ' WAF disabled.' - end as reason - - , region, account_id - from - aws_ec2_application_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when load_balancer_attributes @> '[{\"Key\":\"waf.fail_open.enabled\",\"Value\":\"true\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when load_balancer_attributes @> '[{\"Key\":\"waf.fail_open.enabled\",\"Value\":\"true\"}]' then title || ' WAF enabled.'\n else title || ' WAF disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_application_load_balancer;\n" PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ELB + - AWS/ELB soc_2: - - "true" + - 
"true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_application_lb_with_outbound_rule.yaml b/compliance/controls/aws/aws_elb_application_lb_with_outbound_rule.yaml index b42416291..b6c20fcda 100755 --- a/compliance/controls/aws/aws_elb_application_lb_with_outbound_rule.yaml +++ b/compliance/controls/aws/aws_elb_application_lb_with_outbound_rule.yaml @@ -1,8 +1,6 @@ ID: aws_elb_application_lb_with_outbound_rule Title: "ELB application load balancers should have at least one outbound rule" Description: "Ensure application load balancers have at least one outbound rule in all the attached security groups. A security group without any outbound rule rejects all outgoing traffic. This means that all outgoing traffic originating from your cloud assets (instances, containers, etc.) will be dropped when it reaches the ELB layer." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -46,8 +44,10 @@ Query: left join application_lb_without_outbound as o on a.arn = o.arn; PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_vpc_security_group_rule + - aws_ec2_application_load_balancer + - aws_vpc_security_group_rule Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_application_network_lb_use_listeners.yaml b/compliance/controls/aws/aws_elb_application_network_lb_use_listeners.yaml index 1c362fc42..dc8e12e42 100755 --- a/compliance/controls/aws/aws_elb_application_network_lb_use_listeners.yaml +++ b/compliance/controls/aws/aws_elb_application_network_lb_use_listeners.yaml 
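Review bot: `waf.fail_open.enabled` does not indicate that a WAF is attached to the balancer: it is the attribute that lets requests through when the web ACL cannot be evaluated, so the query marks 'ok' exactly the balancers configured to fail open and marks 'alarm' a balancer that has a web ACL associated but leaves fail-open at its default. The check should be driven by whether a web ACL is associated with the load balancer ARN; which table in this engine exposes that association is not visible in this diff. If the attribute check is kept on purpose, the Title, Description and the reason strings `WAF enabled.` / `WAF disabled.` should describe fail-open behaviour rather than WAF presence, otherwise the finding reads as the opposite of the balancer's actual protection.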
@@ -1,8 +1,6 @@ ID: aws_elb_application_network_lb_use_listeners Title: "ELB application and network load balancers should use listeners" Description: "Ensure that application and network load balancer must have one or more listeners. A listener is a process that checks for connection requests, using the protocol and port that you configure. The rules that you define for a listener determine how the load balancer routes requests to its registered targets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -48,9 +46,11 @@ Query: left join aws_ec2_load_balancer_listener as l on lb.arn = l.load_balancer_arn; PrimaryTable: aws_ec2_network_load_balancer ListOfTables: - - aws_ec2_network_load_balancer - - aws_ec2_application_load_balancer - - aws_ec2_load_balancer_listener + - aws_ec2_network_load_balancer + - aws_ec2_application_load_balancer + - aws_ec2_load_balancer_listener Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_application_network_lb_use_ssl_certificate.yaml b/compliance/controls/aws/aws_elb_application_network_lb_use_ssl_certificate.yaml index 4919854ad..ed5473147 100755 --- a/compliance/controls/aws/aws_elb_application_network_lb_use_ssl_certificate.yaml +++ b/compliance/controls/aws/aws_elb_application_network_lb_use_ssl_certificate.yaml @@ -1,8 +1,6 @@ ID: aws_elb_application_network_lb_use_ssl_certificate Title: "ELB application and network load balancers should only use SSL or HTTPS listeners" Description: "Ensure that Application Load Balancers and Network Load Balancers are configured to use certificates from AWS Certificate Manager (ACM). This rule is compliant if at least 1 load balancer is configured without a certificate from ACM." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
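Review bot: The Description of aws_elb_application_network_lb_use_ssl_certificate, `This rule is compliant if at least 1 load balancer is configured without a certificate from ACM.`, states the opposite of what the Title and the preceding sentence intend; a balancer configured without an ACM certificate should make the rule non-compliant. Suggested wording: `This rule is non-compliant if at least 1 load balancer is configured without a certificate from ACM.`. The query body for this control lies outside the hunks on this line, so the reason strings could not be checked against the wording here.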
@@ -61,35 +59,37 @@ Query: left join listeners_without_certificate as b on a.arn = b.load_balancer_arn; PrimaryTable: "" ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_load_balancer_listener - - aws_ec2_network_load_balancer + - aws_ec2_application_load_balancer + - aws_ec2_load_balancer_listener + - aws_ec2_network_load_balancer Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ELB + - AWS/ELB +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_classic_lb_cross_zone_load_balancing_enabled.yaml b/compliance/controls/aws/aws_elb_classic_lb_cross_zone_load_balancing_enabled.yaml index 73b5366ee..5456f44a5 100755 --- a/compliance/controls/aws/aws_elb_classic_lb_cross_zone_load_balancing_enabled.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_cross_zone_load_balancing_enabled.yaml 
@@ -1,58 +1,42 @@ ID: aws_elb_classic_lb_cross_zone_load_balancing_enabled Title: "ELB classic load balancers should have cross-zone load balancing enabled" Description: "Enable cross-zone load balancing for your Elastic Load Balancers (ELBs) to help maintain adequate capacity and availability. The cross-zone load balancing reduces the need to maintain equivalent numbers of instances in each enabled availability zone." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when cross_zone_load_balancing_enabled then 'ok' - else 'alarm' - end as status, - case - when cross_zone_load_balancing_enabled then title || ' cross-zone load balancing enabled.' - else title || ' cross-zone load balancing disabled.' - end as reason - - , region, account_id - from - aws_ec2_classic_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when cross_zone_load_balancing_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when cross_zone_load_balancing_enabled then title || ' cross-zone load balancing enabled.'\n else title || ' cross-zone load balancing disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_classic_load_balancer;\n" PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: 
- - "true" + - "true" plugin: - - aws + - aws service: - - AWS/ELB + - AWS/ELB +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_classic_lb_desync_mitigation_mode.yaml b/compliance/controls/aws/aws_elb_classic_lb_desync_mitigation_mode.yaml index 4f1a63bf8..92ef5e94a 100755 --- a/compliance/controls/aws/aws_elb_classic_lb_desync_mitigation_mode.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_desync_mitigation_mode.yaml 
@@ -1,51 +1,26 @@ ID: aws_elb_classic_lb_desync_mitigation_mode Title: "ELB classic load balancers should be configured with defensive or strictest desync mitigation mode" Description: "This control checks whether a Classic Load Balancer is configured with defensive or strictest desync mitigation mode. This control will fail if the Classic Load Balancer is not configured with defensive or strictest desync mitigation mode." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with app_lb_desync_mitigation_mode as ( - select - arn, - a ->> 'Key', - a ->> 'Value' as v - from - aws_ec2_classic_load_balancer, - jsonb_array_elements(additional_attributes) as a - where - a ->> 'Key' = 'elb.http.desyncmitigationmode' - ) - select - c.arn as resource, - c.og_account_id as og_account_id, - c.og_resource_id as og_resource_id, - case - when m.v = any(array['defensive', 'strictest']) then 'ok' - else 'alarm' - end as status, - title || ' has ' || m.v || ' desync mitigation mode.' as reason - - , region, account_id - from - aws_ec2_classic_load_balancer as c - left join app_lb_desync_mitigation_mode as m on c.arn = m.arn; + QueryToExecute: "with app_lb_desync_mitigation_mode as (\n select\n arn,\n a ->> 'Key',\n a ->> 'Value' as v\n from\n aws_ec2_classic_load_balancer,\n jsonb_array_elements(additional_attributes) as a\n where\n a ->> 'Key' = 'elb.http.desyncmitigationmode'\n)\nselect\n c.arn as resource,\n c.og_account_id as og_account_id,\n c.og_resource_id as og_resource_id,\n case\n when m.v = any(array['defensive', 'strictest']) then 'ok'\n else 'alarm'\n end as status,\n title || ' has ' || m.v || ' desync mitigation mode.' 
as reason\n \n , region, account_id\nfrom\n aws_ec2_classic_load_balancer as c\n left join app_lb_desync_mitigation_mode as m on c.arn = m.arn;\n" PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - data_integrity + - data_integrity foundational_security_item_id: - - elb_14 + - elb_14 plugin: - - aws + - aws service: - - AWS/ELB + - AWS/ELB +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_classic_lb_multiple_az_configured.yaml b/compliance/controls/aws/aws_elb_classic_lb_multiple_az_configured.yaml index 79d9a0fa0..af0579c9e 100755 --- a/compliance/controls/aws/aws_elb_classic_lb_multiple_az_configured.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_multiple_az_configured.yaml 
@@ -1,39 +1,26 @@ ID: aws_elb_classic_lb_multiple_az_configured Title: "ELB classic load balancers should span multiple availability zones" Description: "This control checks whether a Classic Load Balancer has been configured to span multiple Availability Zones. The control fails if the Classic Load Balancer does not span multiple Availability Zones." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(availability_zones) < 2 then 'alarm' - else 'ok' - end as status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason - - , region, account_id - from - aws_ec2_classic_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(availability_zones) < 2 then 'alarm'\n else 'ok'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason\n \n , region, account_id\nfrom\n aws_ec2_classic_load_balancer;\n" PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - high_availability + - high_availability foundational_security_item_id: - - elb_10 + - elb_10 plugin: - - aws + - aws service: - - AWS/ELB + - AWS/ELB +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_classic_lb_no_registered_instance.yaml b/compliance/controls/aws/aws_elb_classic_lb_no_registered_instance.yaml index d5f225673..87e54f348 100755 --- a/compliance/controls/aws/aws_elb_classic_lb_no_registered_instance.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_no_registered_instance.yaml 
@@ -1,27 +1,14 @@ ID: aws_elb_classic_lb_no_registered_instance Title: "ELB classic load balancers should have at least one registered instance" Description: "This control checks whether an ELB classic load balancer has registered instances. The control fails if an ELB classic load balancer has zero instances registered." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(instances) = 0 then 'alarm' - else 'ok' - end as status, - title || ' has ' || jsonb_array_length(instances) || ' instance(s) registered.' as reason - - - from - aws_ec2_classic_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(instances) = 0 then 'alarm'\n else 'ok'\n end as status,\n title || ' has ' || jsonb_array_length(instances) || ' instance(s) registered.' as reason\n \n \nfrom\n aws_ec2_classic_load_balancer;" PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_classic_lb_use_ssl_certificate.yaml b/compliance/controls/aws/aws_elb_classic_lb_use_ssl_certificate.yaml index 2e34d2024..22c818900 100755 --- a/compliance/controls/aws/aws_elb_classic_lb_use_ssl_certificate.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_use_ssl_certificate.yaml 
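Review bot: The new `QueryToExecute` scalar projects `resource`, `og_account_id`, `og_resource_id`, `status` and `reason` but not `region, account_id`; the `\n \n \nfrom` gap is exactly where every sibling control in this diff projects `, region, account_id`. If the engine expects those columns for per-region attribution this control will presumably fail or be reported without a region, so `, region, account_id` should be added before `from`. The scalar has no trailing newline, matching the former `|-` block, which is consistent with the rest of the conversion.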
@@ -1,80 +1,50 @@ ID: aws_elb_classic_lb_use_ssl_certificate Title: "ELB classic load balancers should use SSL certificates" Description: "Because sensitive data can exist and to help protect data at transit, ensure encryption is enabled for your Elastic Load Balancing." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with detailed_classic_listeners as ( - select - name, - og_resource_id - from - aws_ec2_classic_load_balancer, - jsonb_array_elements(listener_descriptions) as listener_description - where - listener_description -> 'Listener' ->> 'Protocol' in ('HTTPS', 'SSL', 'TLS') - and listener_description -> 'Listener' ->> 'SSLCertificateId' like 'arn:aws:acm%' - ) - select - 'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.listener_descriptions is null then 'skip' - when b.name is not null then 'alarm' - else 'ok' - end as status, - case - when a.listener_descriptions is null then a.title || ' has no listener.' - when b.name is not null then a.title || ' does not use certificates provided by ACM.' - else a.title || ' uses certificates provided by ACM.' 
- end as reason - - , region, account_id - from - aws_ec2_classic_load_balancer as a - left join detailed_classic_listeners as b on a.og_resource_id = b.og_resource_id; + QueryToExecute: "with detailed_classic_listeners as (\n select\n name,\n og_resource_id\n from\n aws_ec2_classic_load_balancer,\n jsonb_array_elements(listener_descriptions) as listener_description\n where\n listener_description -> 'Listener' ->> 'Protocol' in ('HTTPS', 'SSL', 'TLS')\n and listener_description -> 'Listener' ->> 'SSLCertificateId' like 'arn:aws:acm%'\n)\nselect\n 'arn:' || a.partition || ':elasticloadbalancing:' || a.region || ':' || a.account_id || ':loadbalancer/' || a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.listener_descriptions is null then 'skip'\n when b.name is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when a.listener_descriptions is null then a.title || ' has no listener.'\n when b.name is not null then a.title || ' does not use certificates provided by ACM.'\n else a.title || ' uses certificates provided by ACM.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_classic_load_balancer as a\n left join detailed_classic_listeners as b on a.og_resource_id = b.og_resource_id;\n" PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - 
"true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ELB + - AWS/ELB soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_elb_classic_lb_use_tls_https_listeners.yaml b/compliance/controls/aws/aws_elb_classic_lb_use_tls_https_listeners.yaml index 55b0bcd9f..87548bc08 100755 --- a/compliance/controls/aws/aws_elb_classic_lb_use_tls_https_listeners.yaml +++ b/compliance/controls/aws/aws_elb_classic_lb_use_tls_https_listeners.yaml 
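Review bot: The status and reason branches are inverted relative to the CTE: `detailed_classic_listeners` keeps only listeners whose `SSLCertificateId` starts with `arn:aws:acm`, so a non-null `b.name` means the balancer does use an ACM certificate, yet the query reports `when b.name is not null then 'alarm'` with reason `does not use certificates provided by ACM.`. Either the two branches should be swapped (`'ok'` when `b.name is not null`, `'alarm'` otherwise, with the reason strings swapped to match) or the CTE should select listeners whose certificate is not from ACM, whichever matches the Title. The `like 'arn:aws:acm%'` prefix also hard-codes the `aws` partition while the resource ARN is built from `a.partition`, so balancers in other partitions are misclassified; `like 'arn:' || partition || ':acm%'` inside the CTE avoids that. Joining on `og_resource_id` additionally returns one row per matching listener, so `select distinct` in the CTE would keep one row per balancer.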
@@ -1,68 +1,50 @@
 ID: aws_elb_classic_lb_use_tls_https_listeners
 Title: "ELB classic load balancers should only use SSL or HTTPS listeners"
 Description: "Ensure that your Elastic Load Balancers (ELBs) are configured with SSL or HTTPS listeners. Because sensitive data can exist, enable encryption in transit to help protect that data."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when listener_description -> 'Listener' ->> 'Protocol' in ('HTTPS', 'SSL', 'TLS') then 'ok'
- else 'alarm'
- end as status,
- case
- when listener_description -> 'Listener' ->> 'Protocol' = 'HTTPS' then title || ' configured with HTTPS protocol.'
- when listener_description -> 'Listener' ->> 'Protocol' = 'SSL' then title || ' configured with TLS protocol.'
- else title || ' configured with ' || (listener_description -> 'Listener' ->> 'Protocol') || ' protocol.'
- end as reason
-
- , region, account_id
- from
- aws_ec2_classic_load_balancer,
- jsonb_array_elements(listener_descriptions) as listener_description;
+ QueryToExecute: "select\n 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when listener_description -> 'Listener' ->> 'Protocol' in ('HTTPS', 'SSL', 'TLS') then 'ok'\n else 'alarm'\n end as status,\n case\n when listener_description -> 'Listener' ->> 'Protocol' = 'HTTPS' then title || ' configured with HTTPS protocol.'\n when listener_description -> 'Listener' ->> 'Protocol' = 'SSL' then title || ' configured with TLS protocol.'\n else title || ' configured with ' || (listener_description -> 'Listener' ->> 'Protocol') || ' protocol.'\n end as reason\n \n , region, account_id\nfrom\n aws_ec2_classic_load_balancer,\n jsonb_array_elements(listener_descriptions) as listener_description;\n"
 PrimaryTable: aws_ec2_classic_load_balancer
 ListOfTables:
- - aws_ec2_classic_load_balancer
+ - aws_ec2_classic_load_balancer
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gdpr:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 rbi_cyber_security:
- - "true"
+ - "true"
 service:
- - AWS/ELB
+ - AWS/ELB
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
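Review bot: The `QueryToExecute` value is turned from a `|` block scalar into one double-quoted string full of `\n` escapes, which makes the SQL unreadable and undiffable in review; the same conversion appears in the kerberos_enabled, master_nodes_no_public_ip, security_configuration_enabled, audit_logging_enabled, data_nodes_min_3, dedicated_master_nodes_min_3, encrypted_using_tls_1_2 and encryption_at_rest_enabled hunks of this commit. Keeping `QueryToExecute: |` (or `|-` where no trailing newline is wanted) with the query on its own lines should yield the same string value, so if a generator produced this form the fix belongs in the generator rather than in every control. Separately, the reason text for a listener whose Protocol is 'SSL' reads `' configured with TLS protocol.'`, which does not match what the listener reports; `' configured with SSL protocol.'` would. Note also that the cross join with `jsonb_array_elements(listener_descriptions)` emits one row per listener, all with the same `resource` ARN, and a load balancer with no listeners emits no row at all, unlike the `listener_descriptions is null then 'skip'` handling in the sibling ACM-certificate control above.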
diff --git a/compliance/controls/aws/aws_elb_classic_lb_with_inbound_rule.yaml b/compliance/controls/aws/aws_elb_classic_lb_with_inbound_rule.yaml
index 76f91ac59..a9a98ad1b 100755
--- a/compliance/controls/aws/aws_elb_classic_lb_with_inbound_rule.yaml
+++ b/compliance/controls/aws/aws_elb_classic_lb_with_inbound_rule.yaml
@@ -1,8 +1,6 @@
 ID: aws_elb_classic_lb_with_inbound_rule
 Title: "ELB classic load balancers should have at least one inbound rule"
 Description: "Ensure classic load balancer have at least one inbound rule in all the attached security groups."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -46,8 +44,10 @@ Query:
 left join classic_lb_without_inbound as i on c.arn = i.arn;
 PrimaryTable: aws_ec2_classic_load_balancer
 ListOfTables:
- - aws_ec2_classic_load_balancer
- - aws_vpc_security_group_rule
+ - aws_ec2_classic_load_balancer
+ - aws_vpc_security_group_rule
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_elb_classic_lb_with_outbound_rule.yaml b/compliance/controls/aws/aws_elb_classic_lb_with_outbound_rule.yaml
index 6499b44f8..bf2f28235 100755
--- a/compliance/controls/aws/aws_elb_classic_lb_with_outbound_rule.yaml
+++ b/compliance/controls/aws/aws_elb_classic_lb_with_outbound_rule.yaml
@@ -1,8 +1,6 @@
 ID: aws_elb_classic_lb_with_outbound_rule
 Title: "ELB classic load balancers should have at least one outbound rule"
 Description: "Ensure classic load balancers have at least one outbound rule in all the attached security groups. A security group without any outbound rule rejects all outgoing traffic. This means that all outgoing traffic originating from your cloud assets (instances, containers, etc.) will be dropped when it reaches the ELB layer."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -46,8 +44,10 @@ Query:
 left join classic_lb_without_outbound as o on c.arn = o.arn;
 PrimaryTable: aws_ec2_classic_load_balancer
 ListOfTables:
- - aws_ec2_classic_load_balancer
- - aws_vpc_security_group_rule
+ - aws_ec2_classic_load_balancer
+ - aws_vpc_security_group_rule
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_elb_listener_use_secure_ssl_cipher.yaml b/compliance/controls/aws/aws_elb_listener_use_secure_ssl_cipher.yaml
index 8e047f93a..681435b55 100755
--- a/compliance/controls/aws/aws_elb_listener_use_secure_ssl_cipher.yaml
+++ b/compliance/controls/aws/aws_elb_listener_use_secure_ssl_cipher.yaml
@@ -1,8 +1,6 @@
 ID: aws_elb_listener_use_secure_ssl_cipher
 Title: "ELB listeners should use secure SSL cipher"
 Description: "Ensure that ELB listeners do not have any insecure SSL ciphers. Using insecure and deprecated ciphers for your ELB Predefined Security Policy or Custom Security Policy could make the SSL connection between the client and the load balancer vulnerable to exploits."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ec2_load_balancer_listener;
 PrimaryTable: aws_ec2_load_balancer_listener
 ListOfTables:
- - aws_ec2_load_balancer_listener
+ - aws_ec2_load_balancer_listener
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_elb_network_lb_tls_listener_security_policy_configured.yaml b/compliance/controls/aws/aws_elb_network_lb_tls_listener_security_policy_configured.yaml
index 4067cf22b..46392e414 100755
--- a/compliance/controls/aws/aws_elb_network_lb_tls_listener_security_policy_configured.yaml
+++ b/compliance/controls/aws/aws_elb_network_lb_tls_listener_security_policy_configured.yaml
@@ -1,8 +1,6 @@
 ID: aws_elb_network_lb_tls_listener_security_policy_configured
 Title: "ELB network load balancers should have TLS listener security policy configured"
 Description: "Ensure that your Network Load Balancers (NLBs) are configured with a TLS listener security policy. Using insecure ciphers for your NLB Predefined or Custom Security Policy could make the TLS connection between the client and the load balancer vulnerable to exploits."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -46,8 +44,10 @@ Query:
 left join nwl_without_tls_listener as l on l.load_balancer_arn = lb.arn;
 PrimaryTable: aws_ec2_network_load_balancer
 ListOfTables:
- - aws_ec2_load_balancer_listener
- - aws_ec2_network_load_balancer
+ - aws_ec2_load_balancer_listener
+ - aws_ec2_network_load_balancer
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_elb_tls_listener_protocol_version.yaml b/compliance/controls/aws/aws_elb_tls_listener_protocol_version.yaml
index bedc5e194..e9713522e 100755
--- a/compliance/controls/aws/aws_elb_tls_listener_protocol_version.yaml
+++ b/compliance/controls/aws/aws_elb_tls_listener_protocol_version.yaml
@@ -1,8 +1,6 @@
 ID: aws_elb_tls_listener_protocol_version
 Title: "ELB listeners SSL/TLS protocol version should be checked"
 Description: "Using insecure ciphers for your ELB Predefined or Custom Security Policy, could make the SSL connection between the client and the load balancer vulnerable to exploits. TLS 1.0 was recommended to be disabled by PCI Council after June 30, 2016."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 aws_ec2_load_balancer_listener;
 PrimaryTable: aws_ec2_load_balancer_listener
 ListOfTables:
- - aws_ec2_load_balancer_listener
+ - aws_ec2_load_balancer_listener
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_emr_account_public_access_blocked.yaml b/compliance/controls/aws/aws_emr_account_public_access_blocked.yaml
index e32dddd69..4a10b56ab 100755
--- a/compliance/controls/aws/aws_emr_account_public_access_blocked.yaml
+++ b/compliance/controls/aws/aws_emr_account_public_access_blocked.yaml
@@ -1,8 +1,6 @@
 ID: aws_emr_account_public_access_blocked
 Title: "EMR public access should be blocked at account level"
 Description: "The block public access feature prevents a cluster in a public subnet from launching when any security group associated with the cluster has a rule that allows inbound traffic from IPv4 0.0.0.0/0 or IPv6 ::/0 (public access) on a port, unless the port has been specified as an exception - port 22 is an exception by default. This feature is enabled by default for each AWS Region in your AWS account and is not recommended to be turned off."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,7 +35,9 @@ Query:
 left join emr_port_configuration as p on p.region = c.region and p.account_id = c.account_id
 PrimaryTable: aws_emr_block_public_access_configuration
 ListOfTables:
- - aws_emr_block_public_access_configuration
+ - aws_emr_block_public_access_configuration
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_emr_cluster_encryption_at_rest_with_sse_kms.yaml b/compliance/controls/aws/aws_emr_cluster_encryption_at_rest_with_sse_kms.yaml
index f17b33917..dcdb558b8 100755
--- a/compliance/controls/aws/aws_emr_cluster_encryption_at_rest_with_sse_kms.yaml
+++ b/compliance/controls/aws/aws_emr_cluster_encryption_at_rest_with_sse_kms.yaml
@@ -1,8 +1,6 @@
 ID: aws_emr_cluster_encryption_at_rest_with_sse_kms
 Title: "EMR clusters server side encryption (SSE KMS) enabled with KMS"
 Description: "This control checks whether EMR clusters server side encryption (SSE KMS) is enabled with KMS. The check fails if encryption at rest is not enabled with SSE-KMS."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id;
 PrimaryTable: aws_emr_cluster
 ListOfTables:
- - aws_emr_cluster
- - aws_emr_security_configuration
+ - aws_emr_cluster
+ - aws_emr_security_configuration
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_emr_cluster_kerberos_enabled.yaml b/compliance/controls/aws/aws_emr_cluster_kerberos_enabled.yaml
index effcc0a57..756b30fa2 100755
--- a/compliance/controls/aws/aws_emr_cluster_kerberos_enabled.yaml
+++ b/compliance/controls/aws/aws_emr_cluster_kerberos_enabled.yaml
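Review bot: The join predicate `s.region = s.region` in the context line of the second hunk is a tautology, so the security configuration is matched on name and account only; a configuration with the same name in another region of the same account satisfies the join and can make a cluster whose own region has no such configuration evaluate as compliant. It should read `and s.region = c.region`. The identical predicate appears in the aws_emr_cluster_local_disk_encrypted_with_cmk hunk below. The select list and the case logic of this query start outside the hunk, so they could not be checked here.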
@@ -1,54 +1,38 @@
 ID: aws_emr_cluster_kerberos_enabled
 Title: "EMR cluster Kerberos should be enabled"
 Description: "The access permissions and authorizations can be managed and incorporated with the principles of least privilege and separation of duties, by enabling Kerberos for AWS EMR clusters."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- cluster_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when kerberos_attributes is null then 'alarm'
- else 'ok'
- end as status,
- case
- when kerberos_attributes is null then title || ' Kerberos not enabled.'
- else title || ' Kerberos enabled.'
- end as reason
-
- , region, account_id
- from
- aws_emr_cluster;
+ QueryToExecute: "select\n cluster_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kerberos_attributes is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kerberos_attributes is null then title || ' Kerberos not enabled.'\n else title || ' Kerberos enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_emr_cluster;\n"
 PrimaryTable: aws_emr_cluster
 ListOfTables:
- - aws_emr_cluster
+ - aws_emr_cluster
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/EMR
+ - AWS/EMR
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_emr_cluster_local_disk_encrypted_with_cmk.yaml b/compliance/controls/aws/aws_emr_cluster_local_disk_encrypted_with_cmk.yaml
index 5c03c0d45..c71e2d3c9 100755
--- a/compliance/controls/aws/aws_emr_cluster_local_disk_encrypted_with_cmk.yaml
+++ b/compliance/controls/aws/aws_emr_cluster_local_disk_encrypted_with_cmk.yaml
@@ -1,8 +1,6 @@
 ID: aws_emr_cluster_local_disk_encrypted_with_cmk
 Title: "EMR cluster local disks should be encrypted with CMK"
 Description: "Ensure EMR cluster local disk are encrypted using CMK. This control fails if an EMR cluster local disk isn't encrypted with CMK."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -31,8 +29,10 @@ Query:
 left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id;
 PrimaryTable: aws_emr_cluster
 ListOfTables:
- - aws_emr_cluster
- - aws_emr_security_configuration
+ - aws_emr_cluster
+ - aws_emr_security_configuration
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_emr_cluster_master_nodes_no_public_ip.yaml b/compliance/controls/aws/aws_emr_cluster_master_nodes_no_public_ip.yaml
index 9cdf0ca82..12d741bb2 100755
--- a/compliance/controls/aws/aws_emr_cluster_master_nodes_no_public_ip.yaml
+++ b/compliance/controls/aws/aws_emr_cluster_master_nodes_no_public_ip.yaml
@@ -1,70 +1,51 @@
 ID: aws_emr_cluster_master_nodes_no_public_ip
 Title: "EMR cluster master nodes should not have public IP addresses"
 Description: "Manage access to the AWS Cloud by ensuring AWS EMR cluster master nodes cannot be publicly accessed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- c.cluster_arn as resource,
- c.og_account_id as og_account_id,
- c.og_resource_id as og_resource_id,
- case
- when c.status ->> 'State' not in ('RUNNING', 'WAITING') then 'skip'
- when s.map_public_ip_on_launch then 'alarm'
- else 'ok'
- end as status,
- case
- when c.status ->> 'State' not in ('RUNNING', 'WAITING') then c.title || ' is in ' || (c.status ->> 'State') || ' state.'
- when s.map_public_ip_on_launch then c.title || ' master nodes assigned with public IP.'
- else c.title || ' master nodes not assigned with public IP.'
- end as reason
-
- , c.region, c.account_id
- from
- aws_emr_cluster as c
- left join aws_vpc_subnet as s on c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id;
+ QueryToExecute: "select\n c.cluster_arn as resource,\n c.og_account_id as og_account_id,\n c.og_resource_id as og_resource_id,\n case\n when c.status ->> 'State' not in ('RUNNING', 'WAITING') then 'skip'\n when s.map_public_ip_on_launch then 'alarm'\n else 'ok'\n end as status,\n case\n when c.status ->> 'State' not in ('RUNNING', 'WAITING') then c.title || ' is in ' || (c.status ->> 'State') || ' state.'\n when s.map_public_ip_on_launch then c.title || ' master nodes assigned with public IP.'\n else c.title || ' master nodes not assigned with public IP.'\n end as reason\n \n , c.region, c.account_id\nfrom\n aws_emr_cluster as c\n left join aws_vpc_subnet as s on c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id;\n"
 PrimaryTable: aws_emr_cluster
 ListOfTables:
- - aws_emr_cluster
- - aws_vpc_subnet
+ - aws_emr_cluster
+ - aws_vpc_subnet
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 rbi_cyber_security:
- - "true"
+ - "true"
 service:
- - AWS/EMR
+ - AWS/EMR
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_emr_cluster_security_configuration_enabled.yaml b/compliance/controls/aws/aws_emr_cluster_security_configuration_enabled.yaml
index 5f2f5aa27..853a6b859 100755
--- a/compliance/controls/aws/aws_emr_cluster_security_configuration_enabled.yaml
+++ b/compliance/controls/aws/aws_emr_cluster_security_configuration_enabled.yaml
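Review bot: In the new `QueryToExecute` string, `s.map_public_ip_on_launch` comes from a left join on `aws_vpc_subnet`, so a running cluster whose subnet row is absent (or whose `Ec2SubnetId` is null) yields null, fails the `when s.map_public_ip_on_launch then 'alarm'` test and falls through to 'ok' with the reason "master nodes not assigned with public IP". A missing subnet is not evidence that the master nodes are private; adding `when s.subnet_id is null then 'skip'` before the public-IP branch, with a reason such as `c.title || ' subnet not found.'`, keeps the control from passing on absent data. The join also does not constrain `s.account_id` or `s.region` to the cluster's, unlike the joins in the EMR encryption controls in this commit; whether subnet ids can collide across the inventory is not visible here, so that is worth confirming.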
@@ -1,30 +1,14 @@
 ID: aws_emr_cluster_security_configuration_enabled
 Title: "EMR clusters should have security configuration enabled"
 Description: "Ensure EMR cluster have security configuration enabled. This control fails if security configuration is not enabled for EMR cluster."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- cluster_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when security_configuration is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when security_configuration is not null then title || ' security configuration enabled.'
- else title || ' security configuration disabled.'
- end as reason
-
-
- from
- aws_emr_cluster;
+ QueryToExecute: "select\n cluster_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when security_configuration is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when security_configuration is not null then title || ' security configuration enabled.'\n else title || ' security configuration disabled.'\n end as reason\n \n \nfrom\n aws_emr_cluster;"
 PrimaryTable: aws_emr_cluster
 ListOfTables:
- - aws_emr_cluster
+ - aws_emr_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_es_domain_audit_logging_enabled.yaml b/compliance/controls/aws/aws_es_domain_audit_logging_enabled.yaml
index fa5c18cfd..25502800a 100755
--- a/compliance/controls/aws/aws_es_domain_audit_logging_enabled.yaml
+++ b/compliance/controls/aws/aws_es_domain_audit_logging_enabled.yaml
@@ -1,46 +1,26 @@
 ID: aws_es_domain_audit_logging_enabled
 Title: "Elasticsearch domains should have audit logging enabled"
 Description: "This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when
- log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true'
- and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when
- log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true'
- and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then title || ' audit logging enabled.'
- else title || ' audit logging disabled.'
- end as reason
-
- , region, account_id
- from
- aws_elasticsearch_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when\n log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when\n log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then title || ' audit logging enabled.'\n else title || ' audit logging disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_elasticsearch_domain;\n"
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - logging
+ - logging
 foundational_security_item_id:
- - es_5
+ - es_5
 plugin:
- - aws
+ - aws
 service:
- - AWS/ES
+ - AWS/ES
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_es_domain_cognito_authentication_enabled.yaml b/compliance/controls/aws/aws_es_domain_cognito_authentication_enabled.yaml
index 6b4ba5af1..6a051fbd2 100755
--- a/compliance/controls/aws/aws_es_domain_cognito_authentication_enabled.yaml
+++ b/compliance/controls/aws/aws_es_domain_cognito_authentication_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_es_domain_cognito_authentication_enabled
 Title: "Elasticsearch domains should have cognito authentication enabled"
 Description: "AWS Elasticsearch service uses AWS Cognito to offer user name and password protection for Kibana. This control is non-compliant if AWS Cognito authentication is not enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_elasticsearch_domain;
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_es_domain_data_nodes_min_3.yaml b/compliance/controls/aws/aws_es_domain_data_nodes_min_3.yaml
index b71768279..97e89a216 100755
--- a/compliance/controls/aws/aws_es_domain_data_nodes_min_3.yaml
+++ b/compliance/controls/aws/aws_es_domain_data_nodes_min_3.yaml
@@ -1,45 +1,26 @@
 ID: aws_es_domain_data_nodes_min_3
 Title: "Elasticsearch domains should have at least three data nodes"
 Description: "This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' then 'alarm'
- when
- elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'true'
- and (elasticsearch_cluster_config ->> 'InstanceCount')::integer >= 3 then 'ok'
- else 'alarm'
- end status,
- case
- when elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' then title || ' zone awareness disabled.'
- else title || ' has ' || (elasticsearch_cluster_config ->> 'InstanceCount') || ' data node(s).'
- end as reason
-
- , region, account_id
- from
- aws_elasticsearch_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' then 'alarm'\n when\n elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'true'\n and (elasticsearch_cluster_config ->> 'InstanceCount')::integer >= 3 then 'ok'\n else 'alarm'\n end status,\n case\n when elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' then title || ' zone awareness disabled.'\n else title || ' has ' || (elasticsearch_cluster_config ->> 'InstanceCount') || ' data node(s).'\n end as reason\n \n , region, account_id\nfrom\n aws_elasticsearch_domain;\n"
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - high_availability
+ - high_availability
 foundational_security_item_id:
- - es_6
+ - es_6
 plugin:
- - aws
+ - aws
 service:
- - AWS/ES
+ - AWS/ES
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_es_domain_dedicated_master_nodes_min_3.yaml b/compliance/controls/aws/aws_es_domain_dedicated_master_nodes_min_3.yaml
index 1b019959c..b864fa0ba 100755
--- a/compliance/controls/aws/aws_es_domain_dedicated_master_nodes_min_3.yaml
+++ b/compliance/controls/aws/aws_es_domain_dedicated_master_nodes_min_3.yaml
@@ -1,45 +1,26 @@
 ID: aws_es_domain_dedicated_master_nodes_min_3
 Title: "Elasticsearch domains should be configured with at least three dedicated master nodes"
 Description: "This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' then 'alarm'
- when
- elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'true'
- and (elasticsearch_cluster_config ->> 'DedicatedMasterCount')::integer >= 3 then 'ok'
- else 'alarm'
- end status,
- case
- when elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' then title || ' dedicated master nodes disabled.'
- else title || ' has ' || (elasticsearch_cluster_config ->> 'DedicatedMasterCount') || ' dedicated master node(s).'
- end as reason
-
- , region, account_id
- from
- aws_elasticsearch_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' then 'alarm'\n when\n elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'true'\n and (elasticsearch_cluster_config ->> 'DedicatedMasterCount')::integer >= 3 then 'ok'\n else 'alarm'\n end status,\n case\n when elasticsearch_cluster_config ->> 'DedicatedMasterEnabled' = 'false' then title || ' dedicated master nodes disabled.'\n else title || ' has ' || (elasticsearch_cluster_config ->> 'DedicatedMasterCount') || ' dedicated master node(s).'\n end as reason\n \n , region, account_id\nfrom\n aws_elasticsearch_domain;\n"
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - high_availability
+ - high_availability
 foundational_security_item_id:
- - es_7
+ - es_7
 plugin:
- - aws
+ - aws
 service:
- - AWS/ES
+ - AWS/ES
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_es_domain_encrypted_using_tls_1_2.yaml b/compliance/controls/aws/aws_es_domain_encrypted_using_tls_1_2.yaml
index b35a8fef1..bd80da540 100755
--- a/compliance/controls/aws/aws_es_domain_encrypted_using_tls_1_2.yaml
+++ b/compliance/controls/aws/aws_es_domain_encrypted_using_tls_1_2.yaml
@@ -1,42 +1,26 @@
 ID: aws_es_domain_encrypted_using_tls_1_2
 Title: "Connections to Elasticsearch domains should be encrypted using TLS 1.2"
 Description: "This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then 'ok'
- else 'alarm'
- end status,
- case
- when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then title || ' encrypted using TLS 1.2.'
- else title || ' not encrypted using TLS 1.2.'
- end as reason
-
- , region, account_id
- from
- aws_elasticsearch_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then 'ok'\n else 'alarm'\n end status,\n case\n when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then title || ' encrypted using TLS 1.2.'\n else title || ' not encrypted using TLS 1.2.'\n end as reason\n \n , region, account_id\nfrom\n aws_elasticsearch_domain;\n"
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - encryption_of_data_in_transit
+ - encryption_of_data_in_transit
 foundational_security_item_id:
- - es_8
+ - es_8
 plugin:
- - aws
+ - aws
 service:
- - AWS/ES
+ - AWS/ES
+IntegrationTypeName:
+ - aws_cloud
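Review bot: The status in the new `QueryToExecute` string is 'ok' only when `TLSSecurityPolicy` equals exactly `Policy-Min-TLS-1-2-2019-07`, so a domain on any other policy whose minimum is TLS 1.2 (AWS has since added stricter ones, such as Policy-Min-TLS-1-2-PFS-2023-10, if those appear in the inventory) is reported as 'alarm' with the reason "not encrypted using TLS 1.2", which contradicts the Title. A prefix test such as `when domain_endpoint_options ->> 'TLSSecurityPolicy' like 'Policy-Min-TLS-1-2%' then 'ok'` honours "minimum TLS 1.2" in both the status and the reason branch while remaining a one-line change per branch. If the exact match is deliberate for the ES.8 foundational-security mapping, the Description should say that a stricter policy also fails, so the next reader does not "fix" it.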
diff --git a/compliance/controls/aws/aws_es_domain_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_es_domain_encryption_at_rest_enabled.yaml
index deb5ff683..1cd13170b 100755
--- a/compliance/controls/aws/aws_es_domain_encryption_at_rest_enabled.yaml
+++ b/compliance/controls/aws/aws_es_domain_encryption_at_rest_enabled.yaml
@@ -1,66 +1,50 @@ ID: aws_es_domain_encryption_at_rest_enabled Title: "ES domain encryption at rest should be enabled" Description: "Because sensitive data can exist and to help protect data at rest, ensure encryption is enabled for your AWS Elasticsearch Service (AWS ES) domains." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encryption_at_rest_options ->> 'Enabled' = 'false' then 'alarm' - else 'ok' - end status, - case - when encryption_at_rest_options ->> 'Enabled' = 'false' then title || ' encryption at rest not enabled.' - else title || ' encryption at rest enabled.' - end reason - - , region, account_id - from - aws_elasticsearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encryption_at_rest_options ->> 'Enabled' = 'false' then 'alarm'\n else 'ok'\n end status,\n case\n when encryption_at_rest_options ->> 'Enabled' = 'false' then title || ' encryption at rest not enabled.'\n else title || ' encryption at rest enabled.'\n end reason\n \n , region, account_id\nfrom\n aws_elasticsearch_domain;\n" PrimaryTable: aws_elasticsearch_domain ListOfTables: - - aws_elasticsearch_domain + - aws_elasticsearch_domain Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws 
rbi_cyber_security: - - "true" + - "true" service: - - AWS/ES + - AWS/ES soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_es_domain_error_logging_enabled.yaml b/compliance/controls/aws/aws_es_domain_error_logging_enabled.yaml index b7c907423..581b2b945 100755 --- a/compliance/controls/aws/aws_es_domain_error_logging_enabled.yaml +++ b/compliance/controls/aws/aws_es_domain_error_logging_enabled.yaml 
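Review bot: The status case in the new `QueryToExecute` fails open: `when encryption_at_rest_options ->> 'Enabled' = 'false' then 'alarm' else 'ok'` yields 'ok' when `encryption_at_rest_options` is null or carries no `Enabled` key, because the comparison evaluates to null and falls through to the else branch. Inverting it to a positive match, `when encryption_at_rest_options ->> 'Enabled' = 'true' then 'ok' else 'alarm'` (and likewise in the reason expression), reports a domain with unknown encryption state as non-compliant, which is the pattern the TLS and internal-user-database queries in this same change already follow.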
@@ -1,46 +1,26 @@ ID: aws_es_domain_error_logging_enabled Title: "Elasticsearch domain error logging to CloudWatch Logs should be enabled" Description: "This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when - log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then 'ok' - else 'alarm' - end as status, - case - when - log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then title || ' error logging enabled.' - else title || ' error logging disabled.' - end as reason - - , region, account_id - from - aws_elasticsearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when\n log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when\n log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then title || ' error logging enabled.'\n else title || ' error logging disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_elasticsearch_domain;\n" PrimaryTable: aws_elasticsearch_domain ListOfTables: - - aws_elasticsearch_domain + - aws_elasticsearch_domain Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - logging + - logging 
foundational_security_item_id: - - es_4 + - es_4 plugin: - - aws + - aws service: - - AWS/ES + - AWS/ES +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_es_domain_in_vpc.yaml b/compliance/controls/aws/aws_es_domain_in_vpc.yaml index babe0f2c0..6a0701491 100755 --- a/compliance/controls/aws/aws_es_domain_in_vpc.yaml +++ b/compliance/controls/aws/aws_es_domain_in_vpc.yaml 
@@ -1,66 +1,50 @@ ID: aws_es_domain_in_vpc Title: "ES domains should be in a VPC" Description: "Manage access to the AWS Cloud by ensuring AWS Elasticsearch Service (AWS ES) Domains are within an AWS Virtual Private Cloud (AWS VPC)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when vpc_options ->> 'VPCId' is null then 'alarm' - else 'ok' - end status, - case - when vpc_options ->> 'VPCId' is null then title || ' not in VPC.' - else title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.' - end reason - - , region, account_id - from - aws_elasticsearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_options ->> 'VPCId' is null then 'alarm'\n else 'ok'\n end status,\n case\n when vpc_options ->> 'VPCId' is null then title || ' not in VPC.'\n else title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.'\n end reason\n \n , region, account_id\nfrom\n aws_elasticsearch_domain;\n" PrimaryTable: aws_elasticsearch_domain ListOfTables: - - aws_elasticsearch_domain + - aws_elasticsearch_domain Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ES + - AWS/ES soc_2: - - "true" + - "true" +IntegrationTypeName: + - 
aws_cloud diff --git a/compliance/controls/aws/aws_es_domain_internal_user_database_enabled.yaml b/compliance/controls/aws/aws_es_domain_internal_user_database_enabled.yaml index a533ed588..5f4386ed8 100755 --- a/compliance/controls/aws/aws_es_domain_internal_user_database_enabled.yaml +++ b/compliance/controls/aws/aws_es_domain_internal_user_database_enabled.yaml @@ -1,30 +1,14 @@ ID: aws_es_domain_internal_user_database_enabled Title: "Elasticsearch domains should have internal user database enabled" Description: "Ensure Elasticsearch domains have internal user database enabled. This control is non-compliant if a domain's internal user database is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' then 'ok' - else 'alarm' - end as status, - case - when advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' then title || ' internal user database enabled.' - else title || ' internal user database disabled.' - end as reason - - - from - aws_elasticsearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' then title || ' internal user database enabled.'\n else title || ' internal user database disabled.'\n end as reason\n \n \nfrom\n aws_elasticsearch_domain;" PrimaryTable: aws_elasticsearch_domain ListOfTables: - - aws_elasticsearch_domain + - aws_elasticsearch_domain Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_es_domain_logs_to_cloudwatch.yaml b/compliance/controls/aws/aws_es_domain_logs_to_cloudwatch.yaml index eb0b39133..b506ffa79 100755 --- a/compliance/controls/aws/aws_es_domain_logs_to_cloudwatch.yaml +++ b/compliance/controls/aws/aws_es_domain_logs_to_cloudwatch.yaml 
@@ -1,85 +1,46 @@ ID: aws_es_domain_logs_to_cloudwatch Title: "Elasticsearch domain should send logs to CloudWatch" Description: "Ensure that AWS OpenSearch Service (OpenSearch Service) domains are configured to send logs to AWS CloudWatch Logs. The rule is compliant if a log is enabled for an OpenSearch Service domain. This rule is non-compliant if logging is not configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when - ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null - ) - and - ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' - and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null - ) - and - ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' - and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null - ) - then 'ok' - else 'alarm' - end as status, - case - when - ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' - and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null - ) - and - ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' - and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null - ) - and - ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' - and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null - ) then title || ' logging enabled for search , index and error.' - else title || ' logging not enabled for all search, index and error.' 
- end as reason - - , region, account_id - from - aws_elasticsearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when\n ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null\n )\n and\n ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null\n )\n and\n ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null\n )\n then 'ok'\n else 'alarm'\n end as status,\n case\n when\n ( log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null\n )\n and\n ( log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null\n )\n and\n ( log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null\n ) then title || ' logging enabled for search , index and error.'\n else title || ' logging not enabled for all search, index and error.'\n end as reason\n \n , region, account_id\nfrom\n aws_elasticsearch_domain;\n" PrimaryTable: aws_elasticsearch_domain ListOfTables: - - aws_elasticsearch_domain + - aws_elasticsearch_domain Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - 
"true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ES + - AWS/ES soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_es_domain_node_to_node_encryption_enabled.yaml b/compliance/controls/aws/aws_es_domain_node_to_node_encryption_enabled.yaml index 3b88b6554..182d9444d 100755 --- a/compliance/controls/aws/aws_es_domain_node_to_node_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_es_domain_node_to_node_encryption_enabled.yaml 
@@ -1,68 +1,50 @@ ID: aws_es_domain_node_to_node_encryption_enabled Title: "Elasticsearch domain node-to-node encryption should be enabled" Description: "Ensure node-to-node encryption for AWS Elasticsearch Service is enabled. Node-to-node encryption enables TLS 1.2 encryption for all communications within the AWS Virtual Private Cloud (AWS VPC)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then 'skip' - when not enabled then 'alarm' - else 'ok' - end as status, - case - when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then title || ' node-to-node encryption not supported in ' || region || '.' - when not enabled then title || ' node-to-node encryption disabled.' - else title || ' node-to-node encryption enabled.' - end as reason - - , region, account_id - from - aws_elasticsearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then 'skip'\n when not enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then title || ' node-to-node encryption not supported in ' || region || '.'\n when not enabled then title || ' node-to-node encryption disabled.'\n else title || ' node-to-node encryption enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_elasticsearch_domain;\n" PrimaryTable: aws_elasticsearch_domain ListOfTables: - - aws_elasticsearch_domain + - aws_elasticsearch_domain Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" 
fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/ES + - AWS/ES soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_eventbridge_custom_bus_resource_based_policy_attached.yaml b/compliance/controls/aws/aws_eventbridge_custom_bus_resource_based_policy_attached.yaml index 8979064d0..95563794f 100755 --- a/compliance/controls/aws/aws_eventbridge_custom_bus_resource_based_policy_attached.yaml +++ b/compliance/controls/aws/aws_eventbridge_custom_bus_resource_based_policy_attached.yaml @@ -1,8 +1,6 @@ ID: aws_eventbridge_custom_bus_resource_based_policy_attached Title: "EventBridge custom event buses should have a resource-based policy attached" Description: "This control checks if an Amazon EventBridge custom event bus has a resource-based policy attached. This control fails if the custom event bus doesn't have a resource-based policy.." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_eventbridge_bus; PrimaryTable: aws_eventbridge_bus ListOfTables: - - aws_eventbridge_bus + - aws_eventbridge_bus Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_account_1.yaml b/compliance/controls/aws/aws_foundational_security_account_1.yaml index 3946b970e..5181bd376 100755 --- a/compliance/controls/aws/aws_foundational_security_account_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_account_1.yaml 
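Review bot: `when not enabled then 'alarm' else 'ok'` in the new `QueryToExecute` reports 'ok' when `enabled` is null, since `not null` is null and the case falls through to the else branch; `when enabled is not true then 'alarm'` in both case expressions covers the null case while giving the same result for true and false. The hard-coded region list in the 'skip' branch (`'af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1'`) is a point-in-time statement about where node-to-node encryption is unsupported, and a domain in one of those regions is silently excluded from the control; a comment inside the SQL such as `-- regions without node-to-node encryption support as of <DATE>; re-verify before relying on the skip` would record the source of that list.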
@@ -1,55 +1,15 @@ ID: aws_foundational_security_account_1 Title: "1 Security contact information should be provided for an AWS account" Description: "This control checks if an Amazon Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with alternate_security_contact as ( - select - name, - account_id - from - aws_account_alternate_contact - where - contact_type = 'SECURITY' - ), - account as ( - select - arn, - partition, - title, - account_id, - _ctx - from - aws_account - ) - select - arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.partition = 'aws-us-gov' then 'info' - -- Name is a required field if setting a security contact - when c.name is not null then 'ok' - else 'alarm' - end as status, - case - when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.' - when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.' - else a.title || ' security contact not registered.' 
- end as reason - - from - account as a, - alternate_security_contact as c - where - c.account_id = a.account_id; + QueryToExecute: "with alternate_security_contact as (\n select\n name,\n account_id\n from\n aws_account_alternate_contact\n where\n contact_type = 'SECURITY'\n),\naccount as (\n select\n arn,\n partition,\n title,\n account_id,\n _ctx\n from\n aws_account\n)\nselect\n arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.partition = 'aws-us-gov' then 'info'\n -- Name is a required field if setting a security contact\n when c.name is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'\n when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'\n else a.title || ' security contact not registered.'\n end as reason\n \nfrom\n account as a,\n alternate_security_contact as c\nwhere\n c.account_id = a.account_id;" PrimaryTable: aws_account ListOfTables: - - aws_account_alternate_contact - - aws_account + - aws_account_alternate_contact + - aws_account Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_acm_1.yaml b/compliance/controls/aws/aws_foundational_security_acm_1.yaml index 0a797a09d..7441dad3b 100755 --- a/compliance/controls/aws/aws_foundational_security_acm_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_acm_1.yaml 
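Review bot: The new `QueryToExecute` selects `a.og_account_id` and `a.og_resource_id` from the `account` CTE, but that CTE projects only `arn, partition, title, account_id, _ctx`, so on a PostgreSQL-style engine the query should fail with an unknown-column error; `og_account_id,` and `og_resource_id,` need to be added to the CTE's select list (and `_ctx` appears unused). The join `from account as a, alternate_security_contact as c where c.account_id = a.account_id` is an inner join, so an account with no SECURITY contact produces no row at all and the 'alarm' branch (reached when `c.name` is null) is unreachable; `from account as a left join alternate_security_contact as c on c.account_id = a.account_id` keeps those accounts in the result. Both issues predate this commit but are carried verbatim into the rewritten scalar.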
@@ -1,32 +1,14 @@
ID: aws_foundational_security_acm_1
Title: "1 Imported ACM certificates should be renewed after a specified time period"
Description: "This control checks whether ACM certificates in your account are marked for expiration within 30 days. It checks both imported certificates and certificates provided by AWS Certificate Manager."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- certificate_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when renewal_eligibility = 'INELIGIBLE' then 'skip'
- when date(not_after) - date(current_date) >= 30 then 'ok'
- else 'alarm'
- end as status,
- case
- when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'
- else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||
- ' (' || extract(day from not_after - current_date) || ' days).'
- end as reason
-
-
- from
- aws_acm_certificate;
+ QueryToExecute: "select\n certificate_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when renewal_eligibility = 'INELIGIBLE' then 'skip'\n when date(not_after) - date(current_date) >= 30 then 'ok'\n else 'alarm'\n end as status,\n case\n when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'\n else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||\n ' (' || extract(day from not_after - current_date) || ' days).'\n end as reason\n \n \nfrom\n aws_acm_certificate;"
PrimaryTable: aws_acm_certificate
ListOfTables:
- - aws_acm_certificate
+ - aws_acm_certificate
Parameters: []
Severity: medium
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_acm_2.yaml b/compliance/controls/aws/aws_foundational_security_acm_2.yaml
index a2da3e13a..b364dd1a3 100755
--- a/compliance/controls/aws/aws_foundational_security_acm_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_acm_2.yaml
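Review bot: The 'skip' branch `when renewal_eligibility = 'INELIGIBLE' then 'skip'` in the new `QueryToExecute` excludes certificates that ACM cannot renew on its own, which is where imported certificates normally fall, yet the Title and Description say the control covers imported certificates and checks expiry within 30 days regardless of origin. If the expiry check is meant to apply to every certificate, that branch (and its counterpart in the reason expression) should be dropped so `date(not_after) - date(current_date) >= 30` decides status for all rows; otherwise the Title and Description should be narrowed to certificates eligible for managed renewal.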
@@ -1,8 +1,6 @@ ID: aws_foundational_security_acm_2 Title: "2 RSA certificates managed by ACM should use a key length of at least 2,048 bits" Description: "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_acm_certificate; PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_1.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_1.yaml index b827931e7..f6c803b48 100755 --- a/compliance/controls/aws/aws_foundational_security_apigateway_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_1.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_apigateway_1 Title: "1 API Gateway REST and WebSocket API logging should be enabled" Description: "This control checks whether all stages of an Amazon API Gateway REST or WebSocket API have logging enabled. The control fails if logging is not enabled for all methods of a stage or if loggingLevel is neither ERROR nor INFO." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: all_stages; PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage - - aws_api_gatewayv2_stage + - aws_api_gateway_stage + - aws_api_gatewayv2_stage Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_2.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_2.yaml index bccbcfe19..dd828ce3c 100755 --- a/compliance/controls/aws/aws_foundational_security_apigateway_2.yaml 
+++ b/compliance/controls/aws/aws_foundational_security_apigateway_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_apigateway_2 Title: "2 API Gateway REST API stages should be configured to use SSL certificates for backend authentication" Description: "This control checks whether Amazon API Gateway REST API stages have SSL certificates configured. Backend systems use these certificates to authenticate that incoming requests are from API Gateway." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_api_gateway_stage; PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage + - aws_api_gateway_stage Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_3.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_3.yaml index 34e8f6b5a..e8420d91e 100755 --- a/compliance/controls/aws/aws_foundational_security_apigateway_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_3.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_apigateway_3 Title: "3 API Gateway REST API stages should have AWS X-Ray tracing enabled" Description: "This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_api_gateway_stage; PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage + - aws_api_gateway_stage Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_4.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_4.yaml index 35ff5c346..eefb38331 100755 --- a/compliance/controls/aws/aws_foundational_security_apigateway_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_4.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_apigateway_4 Title: "4 API Gateway should be associated with an AWS WAF web ACL" Description: "This control checks whether an API Gateway stage uses an AWS WAF web access control list (ACL). This control fails if an AWS WAF web ACL is not attached to a REST API Gateway stage." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_api_gateway_stage; PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage + - aws_api_gateway_stage Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_5.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_5.yaml index f7b89c778..4ba1b58ea 100755 --- a/compliance/controls/aws/aws_foundational_security_apigateway_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_5.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_apigateway_5 Title: "5 API Gateway REST API cache data should be encrypted at rest" Description: "This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,7 +23,9 @@ Query: aws_api_gateway_stage; PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage + - aws_api_gateway_stage Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_8.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_8.yaml index 937553a97..998b4b0c4 100755 --- a/compliance/controls/aws/aws_foundational_security_apigateway_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_apigateway_8.yaml 
@@ -1,29 +1,14 @@
ID: aws_foundational_security_apigateway_8
Title: "8 API Gateway routes should specify an authorization type"
Description: "This control checks if Amazon API Gateway routes have an authorization type. The control fails if the API Gateway route does not specify an authorization type."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/routes/' || route_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when authorization_type is null then 'alarm'
- else 'ok'
- end as status,
- case
- when authorization_type is null then route_id || ' authorization type not configured.'
- else route_id || ' authorization type ' || authorization_type || ' configured.'
- end as reason
-
- from
- aws_api_gatewayv2_route;
+ QueryToExecute: "select\n 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/routes/' || route_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when authorization_type is null then 'alarm'\n else 'ok'\n end as status,\n case\n when authorization_type is null then route_id || ' authorization type not configured.'\n else route_id || ' authorization type ' || authorization_type || ' configured.'\n end as reason\n \nfrom\n aws_api_gatewayv2_route;"
PrimaryTable: aws_api_gatewayv2_route
ListOfTables:
- - aws_api_gatewayv2_route
+ - aws_api_gatewayv2_route
Parameters: []
Severity: medium
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_apigateway_9.yaml b/compliance/controls/aws/aws_foundational_security_apigateway_9.yaml
index 49c8f87f8..4725e23e9 100755
--- a/compliance/controls/aws/aws_foundational_security_apigateway_9.yaml
+++ b/compliance/controls/aws/aws_foundational_security_apigateway_9.yaml
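Review bot: The status case in the new `QueryToExecute` only alarms on `authorization_type is null`, so a route whose authorization type is explicitly `NONE` is reported as 'ok' with the reason 'authorization type NONE configured', which lets an unauthenticated route pass an authorization control. `when authorization_type is null or authorization_type = 'NONE' then 'alarm'` (mirrored in the reason expression) treats both the unset and the explicitly-open case as non-compliant; if the Description's literal wording is the intended contract, the Description should at least say that a route set to `NONE` passes.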
@@ -1,8 +1,6 @@ ID: aws_foundational_security_apigateway_9 Title: "9 Access logging should be configured for API Gateway V2 Stages" Description: "This control checks if Amazon API Gateway V2 stages have access logging configured. This control fails if access log settings aren't defined." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_api_gatewayv2_stage; PrimaryTable: aws_api_gatewayv2_stage ListOfTables: - - aws_api_gatewayv2_stage + - aws_api_gatewayv2_stage Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_appsync_2.yaml b/compliance/controls/aws/aws_foundational_security_appsync_2.yaml index 08e450b28..9ac050afc 100755 --- a/compliance/controls/aws/aws_foundational_security_appsync_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_appsync_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_appsync_2 Title: "2 AWS AppSync should have field-level logging enabled" Description: "This control checks whether an AWS AppSync API has field-level logging turned on. The control fails if the field resolver log level is set to None. Unless you provide custom parameter values to indicate that a specific log type should be enabled, Security Hub produces a passed finding if the field resolver log level is either ERROR or ALL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_appsync_graphql_api; PrimaryTable: aws_appsync_graphql_api ListOfTables: - - aws_appsync_graphql_api + - aws_appsync_graphql_api Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_athena_1.yaml b/compliance/controls/aws/aws_foundational_security_athena_1.yaml index a1025390e..0b08d76ea 100755 --- a/compliance/controls/aws/aws_foundational_security_athena_1.yaml 
+++ b/compliance/controls/aws/aws_foundational_security_athena_1.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_athena_1 Title: "1 Athena workgroups should be encrypted at rest" Description: "This control checks if an Athena workgroup is encrypted at rest. The control fails if an Athena workgroup isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_athena_workgroup; PrimaryTable: aws_athena_workgroup ListOfTables: - - aws_athena_workgroup + - aws_athena_workgroup Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_1.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_1.yaml index 690207dca..342c54d41 100755 --- a/compliance/controls/aws/aws_foundational_security_autoscaling_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_autoscaling_1.yaml 
@@ -1,32 +1,14 @@
 ID: aws_foundational_security_autoscaling_1
 Title: "1 Auto Scaling groups associated with a load balancer should use load balancer health checks"
 Description: "This control checks whether your Auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks. This ensures that the group can determine an instance's health based on additional tests provided by the load balancer. Using Elastic Load Balancing health checks can help support the availability of applications that use EC2 Auto Scaling groups."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- autoscaling_group_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when load_balancer_names is null and target_group_arns is null then 'alarm'
- when health_check_type != 'ELB' then 'alarm'
- else 'ok'
- end as status,
- case
- when load_balancer_names is null and target_group_arns is null then title || ' not associated with a load balancer.'
- when health_check_type != 'ELB' then title || ' does not use ELB health check.'
- else title || ' uses ELB health check.'
- end as reason
-
-
- from
- aws_ec2_autoscaling_group;
+ QueryToExecute: "select\n autoscaling_group_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when load_balancer_names is null and target_group_arns is null then 'alarm'\n when health_check_type != 'ELB' then 'alarm'\n else 'ok'\n end as status,\n case\n when load_balancer_names is null and target_group_arns is null then title || ' not associated with a load balancer.'\n when health_check_type != 'ELB' then title || ' does not use ELB health check.'\n else title || ' uses ELB health check.'\n end as reason\n \n \nfrom\n aws_ec2_autoscaling_group;"
 PrimaryTable: aws_ec2_autoscaling_group
 ListOfTables:
- - aws_ec2_autoscaling_group
+ - aws_ec2_autoscaling_group
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_2.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_2.yaml
index 26a19f1f5..07b8fa7c1 100755
--- a/compliance/controls/aws/aws_foundational_security_autoscaling_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_autoscaling_2.yaml
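Review bot: The replaced `QueryToExecute` value is now a double-quoted scalar with `\n` escapes instead of the `|-` block that the other controls in this commit keep, which makes the SQL unreadable in the file and in every future diff; the same rewrite appears in autoscaling_2, cloudfront_4, cloudfront_5, cloudfront_7, cloudfront_12, cloudtrail_1 and cloudtrail_5. The escaped form also carries the single-space lines (`\n \n \n`) that were blank lines before, and in cloudfront_12 and cloudtrail_1 the `og_account_id`/`og_resource_id` lines lost their indentation. Keeping `QueryToExecute: |-` with the original indented body preserves the query byte-for-byte and reads as SQL. Separately, `when health_check_type != 'ELB' then 'alarm'` lets a null health-check type fall through to `'ok'` for a group that does have a load balancer; if the column can be null, `when health_check_type is distinct from 'ELB' then 'alarm'` closes that gap.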
@@ -1,27 +1,14 @@
 ID: aws_foundational_security_autoscaling_2
 Title: "2 Amazon EC2 Auto Scaling group should cover multiple Availability Zones"
 Description: "This control checks whether an Auto Scaling group spans multiple Availability Zones. The control fails if an Auto Scaling group does not span multiple availability zones."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- autoscaling_group_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when jsonb_array_length(availability_zones) > 1 then 'ok'
- else 'alarm'
- end as status,
- title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason
-
-
- from
- aws_ec2_autoscaling_group;
+ QueryToExecute: "select\n autoscaling_group_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(availability_zones) > 1 then 'ok'\n else 'alarm'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason\n \n \nfrom\n aws_ec2_autoscaling_group;"
 PrimaryTable: aws_ec2_autoscaling_group
 ListOfTables:
- - aws_ec2_autoscaling_group
+ - aws_ec2_autoscaling_group
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_3.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_3.yaml
index 7298199ee..70210384b 100755
--- a/compliance/controls/aws/aws_foundational_security_autoscaling_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_autoscaling_3.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_autoscaling_3
 Title: "3 Auto Scaling group should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)"
 Description: "This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version is not included in the launch configuration or if both IMDSv1 and IMDSv2 are enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ec2_launch_configuration;
 PrimaryTable: aws_ec2_launch_configuration
 ListOfTables:
- - aws_ec2_launch_configuration
+ - aws_ec2_launch_configuration
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_4.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_4.yaml
index 14533c53e..9dab752ec 100755
--- a/compliance/controls/aws/aws_foundational_security_autoscaling_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_autoscaling_4.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_autoscaling_4
 Title: "4 Auto Scaling group launch configuration should not have metadata response hop limit greater than 1"
 Description: "This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 aws_ec2_launch_configuration;
 PrimaryTable: aws_ec2_launch_configuration
 ListOfTables:
- - aws_ec2_launch_configuration
+ - aws_ec2_launch_configuration
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_5.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_5.yaml
index 3203b249f..bfda9ca26 100755
--- a/compliance/controls/aws/aws_foundational_security_autoscaling_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_autoscaling_5.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_autoscaling_5
 Title: "5 Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses"
 Description: "This control checks whether an Auto Scaling groups associated launch configuration assigns a public IP address to the group's instances."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ec2_launch_configuration;
 PrimaryTable: aws_ec2_launch_configuration
 ListOfTables:
- - aws_ec2_launch_configuration
+ - aws_ec2_launch_configuration
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_6.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_6.yaml
index 3cbd5354a..4e988e6da 100755
--- a/compliance/controls/aws/aws_foundational_security_autoscaling_6.yaml
+++ b/compliance/controls/aws/aws_foundational_security_autoscaling_6.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_autoscaling_6
 Title: "6 Auto Scaling groups should use multiple instance types in multiple Availability Zones"
 Description: "This control checks whether an Amazon EC2 Auto Scaling group uses multiple instance types. The control fails if the Auto Scaling group has only one instance type defined."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -47,7 +45,9 @@ Query:
 left join distinct_instance_types_count as b on a.autoscaling_group_arn = b.autoscaling_group_arn;
 PrimaryTable: aws_ec2_autoscaling_group
 ListOfTables:
- - aws_ec2_autoscaling_group
+ - aws_ec2_autoscaling_group
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_autoscaling_9.yaml b/compliance/controls/aws/aws_foundational_security_autoscaling_9.yaml
index 65ae1e813..8443a9c09 100755
--- a/compliance/controls/aws/aws_foundational_security_autoscaling_9.yaml
+++ b/compliance/controls/aws/aws_foundational_security_autoscaling_9.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_autoscaling_9
 Title: "9 EC2 Auto Scaling groups should use EC2 launch templates"
 Description: "This control checks whether an Amazon EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an Amazon EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ec2_autoscaling_group;
 PrimaryTable: aws_ec2_autoscaling_group
 ListOfTables:
- - aws_ec2_autoscaling_group
+ - aws_ec2_autoscaling_group
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_backup_1.yaml b/compliance/controls/aws/aws_foundational_security_backup_1.yaml
index fe56fcdf7..f322ccbcd 100755
--- a/compliance/controls/aws/aws_foundational_security_backup_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_backup_1.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_backup_1
 Title: "1 AWS Backup recovery points should be encrypted at rest"
 Description: "This control checks if an AWS Backup recovery point is encrypted at rest. The control fails if the recovery point isn't encrypted at rest."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_backup_recovery_point;
 PrimaryTable: aws_backup_recovery_point
 ListOfTables:
- - aws_backup_recovery_point
+ - aws_backup_recovery_point
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudformation_1.yaml b/compliance/controls/aws/aws_foundational_security_cloudformation_1.yaml
index 29df186e4..a4df31958 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudformation_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudformation_1.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_cloudformation_1
 Title: "1 CloudFormation stacks should be integrated with Simple Notification Service (SNS)"
 Description: "This control checks whether an Amazon Simple Notification Service notification is integrated with a CloudFormation stack. The control fails for a CloudFormation stack if there is no SNS notification associated with it."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_cloudformation_stack;
 PrimaryTable: aws_cloudformation_stack
 ListOfTables:
- - aws_cloudformation_stack
+ - aws_cloudformation_stack
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_1.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_1.yaml
index 61ed90809..1698e195a 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudfront_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_1.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_cloudfront_1
 Title: "1 CloudFront distributions should have a default root object configured"
 Description: "This control checks whether an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The control fails if the CloudFront distribution does not have a default root object configured."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_cloudfront_distribution;
 PrimaryTable: aws_cloudfront_distribution
 ListOfTables:
- - aws_cloudfront_distribution
+ - aws_cloudfront_distribution
 Parameters: []
 Severity: critical
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_10.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_10.yaml
index c293763c4..28273ee97 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudfront_10.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_10.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_cloudfront_10
 Title: "10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins"
 Description: "This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -33,7 +31,9 @@ Query:
 left join origin_ssl_protocols as o on b.arn = o.arn;
 PrimaryTable: aws_cloudfront_distribution
 ListOfTables:
- - aws_cloudfront_distribution
+ - aws_cloudfront_distribution
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_12.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_12.yaml
index e65274bc5..45b79d8a0 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudfront_12.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_12.yaml
@@ -1,54 +1,15 @@
 ID: aws_foundational_security_cloudfront_12
 Title: "12 CloudFront distributions should not point to non-existent S3 origins"
 Description: "This control checks whether Amazon CloudFront distributions are pointing to non-existent Amazon S3 origins. The control fails for a CloudFront distribution if the origin is configured to point to a non-existent bucket. This control only applies to CloudFront distributions where an S3 bucket without static website hosting is the S3 origin."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with distribution_with_non_existent_bucket as (
- select
- distinct d.arn as arn,
- to_jsonb(string_to_array((string_agg(split_part(o ->> 'Id', '.s3', 1), ',')),',')) as bucket_name_list
- from
- aws_cloudfront_distribution as d,
- jsonb_array_elements(d.origins) as o
- left join aws_s3_bucket as b on b.name = split_part(o ->> 'Id', '.s3', 1)
- where
- b.name is null
- and o ->> 'DomainName' like '%.s3.%'
- group by
- d.arn
- )
- select
- distinct b.arn as resource,
- d.og_account_id as og_account_id,
- d.og_resource_id as og_resource_id,
- case
- when b.arn is null then 'ok'
- else 'alarm'
- end as status,
- case
- when b.arn is null then title || ' does not point to any non-existent S3 origins.'
- when jsonb_array_length(b.bucket_name_list) > 0
- then title ||
- case
- when jsonb_array_length(b.bucket_name_list) > 2
- then concat(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ', ', b.bucket_name_list #>> '{1}', ' and ' || (jsonb_array_length(b.bucket_name_list) - 2)::text || ' more.'
) - when jsonb_array_length(b.bucket_name_list) = 2 - then concat(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ' and ', b.bucket_name_list #>> '{1}', '.') - else concat(' point to non-existent S3 origin ', b.bucket_name_list #>> '{0}', '.') - end - end as reason - - - from - aws_cloudfront_distribution as d - left join distribution_with_non_existent_bucket as b on b.arn = d.arn; + QueryToExecute: "with distribution_with_non_existent_bucket as (\n select\n distinct d.arn as arn,\n to_jsonb(string_to_array((string_agg(split_part(o ->> 'Id', '.s3', 1), ',')),',')) as bucket_name_list\n from\n aws_cloudfront_distribution as d,\n jsonb_array_elements(d.origins) as o\n left join aws_s3_bucket as b on b.name = split_part(o ->> 'Id', '.s3', 1)\n where\n b.name is null\n and o ->> 'DomainName' like '%.s3.%'\n group by\n d.arn\n)\nselect\n distinct b.arn as resource,\nd.og_account_id as og_account_id,\nd.og_resource_id as og_resource_id,\n case\n when b.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is null then title || ' does not point to any non-existent S3 origins.'\n when jsonb_array_length(b.bucket_name_list) > 0\n then title ||\n case\n when jsonb_array_length(b.bucket_name_list) > 2\n then concat(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ', ', b.bucket_name_list #>> '{1}', ' and ' || (jsonb_array_length(b.bucket_name_list) - 2)::text || ' more.' 
)\n when jsonb_array_length(b.bucket_name_list) = 2\n then concat(' point to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ' and ', b.bucket_name_list #>> '{1}', '.')\n else concat(' point to non-existent S3 origin ', b.bucket_name_list #>> '{0}', '.')\n end\n end as reason\n \n \nfrom\n aws_cloudfront_distribution as d\n left join distribution_with_non_existent_bucket as b on b.arn = d.arn;" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution - - aws_s3_bucket + - aws_cloudfront_distribution + - aws_s3_bucket Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_3.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_3.yaml index 13698f0cf..c844e78bc 100755 --- a/compliance/controls/aws/aws_foundational_security_cloudfront_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_cloudfront_3.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_cloudfront_3 Title: "3 CloudFront distributions should require encryption in transit" Description: "This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -36,7 +34,9 @@ Query: left join data as d on b.arn = d.arn; PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_4.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_4.yaml index 0b56d5d7d..d5925cb91 100755 --- a/compliance/controls/aws/aws_foundational_security_cloudfront_4.yaml 
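Review bot: `distinct b.arn as resource` takes the resource identifier from the CTE side of the left join, so every distribution with no missing origin — the `'ok'` branch, where `b.arn is null` by construction — is reported with a null resource, and all such rows collapse into one under `distinct`; it should be `distinct d.arn as resource`. Once the CTE is grouped by `d.arn`, the join is one row per distribution and the outer `distinct` is no longer needed, though it is harmless. The rewritten quoted scalar also dropped the indentation of the `d.og_account_id` / `d.og_resource_id` lines relative to the rest of the select list.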
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_4.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_cloudfront_4
 Title: "4 CloudFront distributions should have origin failover configured"
 Description: "This control checks whether an Amazon CloudFront distribution is configured with an origin group that has two or more origins. CloudFront origin failover can increase availability. Origin failover automatically redirects traffic to a secondary origin if the primary origin is unavailable or if it returns specific HTTP response status codes."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when origin_groups ->> 'Items' is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when origin_groups ->> 'Items' is not null then title || ' origin group is configured.'
- else title || ' origin group not configured.'
- end as reason
-
-
- from
- aws_cloudfront_distribution;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when origin_groups ->> 'Items' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when origin_groups ->> 'Items' is not null then title || ' origin group is configured.'\n else title || ' origin group not configured.'\n end as reason\n \n \nfrom\n aws_cloudfront_distribution;"
 PrimaryTable: aws_cloudfront_distribution
 ListOfTables:
- - aws_cloudfront_distribution
+ - aws_cloudfront_distribution
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_5.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_5.yaml
index 4d78d6fce..68ab12384 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudfront_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_5.yaml
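Review bot: The `'ok'` branch only tests that `origin_groups ->> 'Items'` is present, while the Description promises an origin group "that has two or more origins"; an `Items` array that is present but empty, or a group with a single member, would still pass. If the column mirrors the API's `OriginGroups` structure, `(origin_groups ->> 'Quantity')::int > 0` is a closer first approximation, and checking each group's `Members` quantity would match the stated intent exactly — worth confirming against the table schema before changing it. A one-line YAML comment above `QueryToExecute` recording which of the two the control is meant to enforce would keep the next reader from reopening this.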
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_cloudfront_5
 Title: "5 CloudFront distributions should have logging enabled"
 Description: "This control checks whether server access logging is enabled on CloudFront distributions. The control fails if access logging is not enabled for a distribution."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when logging ->> 'Enabled' = 'true' then 'ok'
- else 'alarm'
- end as status,
- case
- when logging ->> 'Enabled' = 'true' then title || ' logging enabled.'
- else title || ' logging disabled.'
- end as reason
-
-
- from
- aws_cloudfront_distribution;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logging ->> 'Enabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when logging ->> 'Enabled' = 'true' then title || ' logging enabled.'\n else title || ' logging disabled.'\n end as reason\n \n \nfrom\n aws_cloudfront_distribution;"
 PrimaryTable: aws_cloudfront_distribution
 ListOfTables:
- - aws_cloudfront_distribution
+ - aws_cloudfront_distribution
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_6.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_6.yaml
index fddd590bd..087591b8b 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudfront_6.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_6.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_cloudfront_6
 Title: "6 CloudFront distributions should have AWS WAF enabled"
 Description: "This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_cloudfront_distribution;
 PrimaryTable: aws_cloudfront_distribution
 ListOfTables:
- - aws_cloudfront_distribution
+ - aws_cloudfront_distribution
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_7.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_7.yaml
index 6ad4caf7c..4d59730ec 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudfront_7.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_7.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_cloudfront_7
 Title: "7 CloudFront distributions should use custom SSL/TLS certificates"
 Description: "This control checks whether CloudFront distributions are using the default SSL/TLS certificate CloudFront provides. This control passes if the CloudFront distribution uses a custom SSL/TLS certificate. This control fails if the CloudFront distribution uses the default SSL/TLS certificate."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when viewer_certificate ->> 'ACMCertificateArn' is not null and viewer_certificate ->> 'Certificate' is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when viewer_certificate ->> 'ACMCertificateArn' is not null and viewer_certificate ->> 'Certificate' is not null then title || ' uses custom SSL certificate.'
- else title || ' does not use custom SSL certificate.'
- end as reason
-
-
- from
- aws_cloudfront_distribution;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when viewer_certificate ->> 'ACMCertificateArn' is not null and viewer_certificate ->> 'Certificate' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when viewer_certificate ->> 'ACMCertificateArn' is not null and viewer_certificate ->> 'Certificate' is not null then title || ' uses custom SSL certificate.'\n else title || ' does not use custom SSL certificate.'\n end as reason\n \n \nfrom\n aws_cloudfront_distribution;"
 PrimaryTable: aws_cloudfront_distribution
 ListOfTables:
- - aws_cloudfront_distribution
+ - aws_cloudfront_distribution
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudfront_8.yaml b/compliance/controls/aws/aws_foundational_security_cloudfront_8.yaml
index f9535ca86..e4eae65c1 100755
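Review bot: The pass condition requires both `ACMCertificateArn` and `Certificate` to be non-null, so a distribution whose custom certificate is not ACM-issued (CloudFront also accepts certificates uploaded to IAM, surfaced as `IAMCertificateId`) is reported as `'alarm'` even though it is not using the default certificate, which is what the Description says the control is about. Testing the default-certificate flag directly follows the Description more closely — roughly `when viewer_certificate ->> 'CloudFrontDefaultCertificate' = 'true' then 'alarm'` with `else 'ok'` — assuming the table exposes the API's ViewerCertificate fields under those names; that is worth confirming against the table schema first. The reason strings would need the same inversion.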
--- a/compliance/controls/aws/aws_foundational_security_cloudfront_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudfront_8.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_cloudfront_8
 Title: "8 CloudFront distributions should use SNI to serve HTTPS requests"
 Description: "This control checks if Amazon CloudFront distributions are using a custom SSL/TLS certificate and are configured to use SNI to serve HTTPS requests. This control fails if a custom SSL/TLS certificate is associated but the SSL/TLS support method is a dedicated IP address."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_cloudfront_distribution;
 PrimaryTable: aws_cloudfront_distribution
 ListOfTables:
- - aws_cloudfront_distribution
+ - aws_cloudfront_distribution
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudtrail_1.yaml b/compliance/controls/aws/aws_foundational_security_cloudtrail_1.yaml
index c23b7ceb8..3970a16e0 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudtrail_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudtrail_1.yaml
@@ -1,59 +1,15 @@
 ID: aws_foundational_security_cloudtrail_1
 Title: "1 CloudTrail should be enabled and configured with at least one multi-Region trail"
 Description: "This control checks that there is at least one multi-Region CloudTrail trail."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with multi_region_trails as (
- select
- account_id,
- count(account_id) as num_multregion_trails
- from
- aws_cloudtrail_trail
- where
- is_multi_region_trail and region = home_region
- and is_logging
- group by
- account_id,
- is_multi_region_trail
- ), organization_trails as (
- select
- is_organization_trail,
- is_logging,
- is_multi_region_trail,
- account_id
- from
- aws_cloudtrail_trail
- where
- is_organization_trail
- )
- select
- distinct a.arn as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when coalesce(num_multregion_trails, 0) >= 1 then 'ok'
- when o.is_organization_trail and o.is_logging and o.is_multi_region_trail then 'ok'
- when o.is_organization_trail and o.is_multi_region_trail and o.is_logging is null then 'info'
- else 'alarm'
- end as status,
- case
- when coalesce(num_multregion_trails, 0) >= 1 then a.title || ' has ' || coalesce(num_multregion_trails, 0) || ' multi-region trail(s).'
- when o.is_organization_trail and o.is_logging and o.is_multi_region_trail then a.title || ' has multi-region trail(s).'
- when o.is_organization_trail and o.is_multi_region_trail and o.is_logging is null then a.title || ' has organization trail, check organization account for cloudtrail logging status.'
- else a.title || ' does not have multi-region trail(s).'
- end as reason
-
- from
- aws_account as a
- left join multi_region_trails as b on a.account_id = b.account_id
- left join organization_trails as o on a.account_id = o.account_id;
+ QueryToExecute: "with multi_region_trails as (\n select\n account_id,\n count(account_id) as num_multregion_trails\n from\n aws_cloudtrail_trail\n where\n is_multi_region_trail and region = home_region\n and is_logging\n group by\n account_id,\n is_multi_region_trail\n), organization_trails as (\n select\n is_organization_trail,\n is_logging,\n is_multi_region_trail,\n account_id\n from\n aws_cloudtrail_trail\n where\n is_organization_trail\n)\nselect\n distinct a.arn as resource,\na.og_account_id as og_account_id,\na.og_resource_id as og_resource_id,\n case\n when coalesce(num_multregion_trails, 0) >= 1 then 'ok'\n when o.is_organization_trail and o.is_logging and o.is_multi_region_trail then 'ok'\n when o.is_organization_trail and o.is_multi_region_trail and o.is_logging is null then 'info'\n else 'alarm'\n end as status,\n case\n when coalesce(num_multregion_trails, 0) >= 1 then a.title || ' has ' || coalesce(num_multregion_trails, 0) || ' multi-region trail(s).'\n when o.is_organization_trail and o.is_logging and o.is_multi_region_trail then a.title || ' has multi-region trail(s).'\n when o.is_organization_trail and o.is_multi_region_trail and o.is_logging is null then a.title || ' has organization trail, check organization account for cloudtrail logging status.'\n else a.title || ' does not have multi-region trail(s).'\n end as reason\n \nfrom\n aws_account as a\n left join multi_region_trails as b on a.account_id = b.account_id\n left join organization_trails as o on a.account_id = o.account_id;"
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_account
+ - aws_cloudtrail_trail
+ - aws_account
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
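Review bot: `PrimaryTable: aws_cloudtrail_trail` is kept as context, but the rewritten query drives from `aws_account as a` and reports `a.arn` as the resource, so the declared primary table and the emitted resource disagree; if PrimaryTable determines where findings are attached, it should presumably be `aws_account`, as in the account-level controls earlier in this diff, and otherwise a short YAML comment above `Query:` saying why the trail table is primary would settle it. Also, `organization_trails` is not aggregated, so an account with several organization trails produces one joined row per trail, and `distinct` only collapses rows whose status and reason happen to match — a `group by account_id` with `bool_or(is_logging)` in the CTE would give one row per account.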
diff --git a/compliance/controls/aws/aws_foundational_security_cloudtrail_2.yaml b/compliance/controls/aws/aws_foundational_security_cloudtrail_2.yaml
index e5089b524..ceaa898c4 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudtrail_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudtrail_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_cloudtrail_2
 Title: "2 CloudTrail should have encryption at rest enabled"
 Description: "This control checks whether CloudTrail is configured to use the server-side encryption (SSE) AWS Key Management Service customer master key (CMK) encryption. The check passes if the KmsKeyId is defined."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 region = home_region;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
+ - aws_cloudtrail_trail
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudtrail_4.yaml b/compliance/controls/aws/aws_foundational_security_cloudtrail_4.yaml
index 5f6b8262b..4cfdb5723 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudtrail_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudtrail_4.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_cloudtrail_4
 Title: "4 Ensure CloudTrail log file validation is enabled"
 Description: "This control checks whether log file integrity validation is enabled on a CloudTrail trail. CloudTrail log file validation creates a digitally signed digest file that contains a hash of each log that CloudTrail writes to Amazon S3. You can use these digest files to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 region = home_region;
 PrimaryTable: aws_cloudtrail_trail
 ListOfTables:
- - aws_cloudtrail_trail
+ - aws_cloudtrail_trail
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_cloudtrail_5.yaml b/compliance/controls/aws/aws_foundational_security_cloudtrail_5.yaml
index 929985697..0d2e83b16 100755
--- a/compliance/controls/aws/aws_foundational_security_cloudtrail_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_cloudtrail_5.yaml
@@ -1,32 +1,14 @@ ID: aws_foundational_security_cloudtrail_5 Title: "5 Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs" Description: "This control checks whether CloudTrail trails are configured to send logs to CloudWatch Logs. The control fails if the CloudWatchLogsLogGroupArn property of the trail is empty." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then 'ok' - else 'alarm' - end as status, - case - when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' integrated with CloudWatch logs.' - else title || ' not integrated with CloudWatch logs.' - end as reason - - - from - aws_cloudtrail_trail - where - region = home_region; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then 'ok'\n else 'alarm'\n end as status,\n case\n when log_group_arn != 'null' and ((latest_delivery_time) > current_date - 1) then title || ' integrated with CloudWatch logs.'\n else title || ' not integrated with CloudWatch logs.'\n end as reason\n \n \nfrom\n aws_cloudtrail_trail\nwhere\n region = home_region;" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_1.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_1.yaml index 4b79c2a4e..ddb407954 100755 --- a/compliance/controls/aws/aws_foundational_security_codebuild_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_codebuild_1.yaml 
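Review bot: `QueryToExecute` is rewritten here from a `|-` block scalar into a single double-quoted line with embedded `\n` escapes, which yields the same SQL but can no longer be read, linted or diffed line by line; the same rewrite appears in the codebuild_2, config_1, dms_6, docdb_1, ec2_1, ec2_16 and ec2_17 hunks, while the neighbouring controls keep `QueryToExecute: |-`. It looks like a serializer fell back to quoted style because of the space-only blank lines (`\n \n \n`) that a block scalar cannot carry cleanly; if so, stripping that trailing whitespace and keeping `QueryToExecute: |-` restores the readable form with identical query text. The ec2_1 and config_1 cases are the most fragile: ec2_1 now stacks YAML escaping on top of SQL and JSON quoting (`'[{\"Group\": \"all\", \"UserId\": null}]'`), and config_1 carries `-- ` SQL comments whose scope now depends on every `\n` escape surviving future edits. Separately, the predicate `log_group_arn != 'null'` only excludes the literal text 'null'; if the column can be an empty string for trails without a log group, the pass decision rests entirely on `latest_delivery_time`, which is worth confirming against the table schema since the Description promises a failure when the log group ARN is empty.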
@@ -1,8 +1,6 @@ ID: aws_foundational_security_codebuild_1 Title: "1 CodeBuild Bitbucket source repository URLs should not contain sensitive credentials" Description: "Authentication credentials should never be stored or transmitted in clear text or appear in the repository URL. Instead of personal access tokens or user name and password, you should use OAuth to grant authorization for accessing GitHub or Bitbucket repositories. Using personal access tokens or a user name and password could expose your credentials to unintended data exposure and unauthorized access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,8 +24,10 @@ Query: left join aws_codebuild_source_credential as c on (p.region = c.region and p.source ->> 'Type' = c.server_type); PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project - - aws_codebuild_source_credential + - aws_codebuild_project + - aws_codebuild_source_credential Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_2.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_2.yaml index 88f24e99d..3787d68ea 100755 --- a/compliance/controls/aws/aws_foundational_security_codebuild_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_codebuild_2.yaml 
@@ -1,42 +1,14 @@ ID: aws_foundational_security_codebuild_2 Title: "2 CodeBuild project environment variables should not contain clear text credentials" Description: "This control checks whether the project contains the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Authentication credentials AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY should never be stored in clear text, as this could lead to unintended data exposure and unauthorized access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with invalid_key_name as ( - select - distinct arn, - name - from - aws_codebuild_project, - jsonb_array_elements(environment -> 'EnvironmentVariables') as env - where - env ->> 'Name' ilike any(array['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%']) - and env ->> 'Type' = 'PLAINTEXT' - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.arn is null then 'ok' - else 'alarm' - end as status, - case - when b.arn is null then a.title || ' has no plaintext environment variables with sensitive AWS values.' - else a.title || ' has plaintext environment variables with sensitive AWS values.' 
- end as reason - - - from - aws_codebuild_project as a - left join invalid_key_name b on a.arn = b.arn; + QueryToExecute: "with invalid_key_name as (\n select\n distinct arn,\n name\n from\n aws_codebuild_project,\n jsonb_array_elements(environment -> 'EnvironmentVariables') as env\n where\n env ->> 'Name' ilike any(array['%AWS_ACCESS_KEY_ID%', '%AWS_SECRET_ACCESS_KEY%', '%PASSWORD%'])\n and env ->> 'Type' = 'PLAINTEXT'\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is null then a.title || ' has no plaintext environment variables with sensitive AWS values.'\n else a.title || ' has plaintext environment variables with sensitive AWS values.'\n end as reason\n \n \nfrom\n aws_codebuild_project as a\n left join invalid_key_name b on a.arn = b.arn;" PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_3.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_3.yaml index 85f42cacc..088331134 100755 --- a/compliance/controls/aws/aws_foundational_security_codebuild_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_codebuild_3.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_codebuild_3 Title: "3 CodeBuild S3 logs should be encrypted" Description: "This control checks if Amazon S3 logs for an AWS CodeBuild project are encrypted. The control fails if encryption is deactivated for S3 logs for a CodeBuild project." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_codebuild_project; PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_4.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_4.yaml index 35752609e..209ebdc24 100755 --- a/compliance/controls/aws/aws_foundational_security_codebuild_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_codebuild_4.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_codebuild_4 Title: "4 CodeBuild project environments should have a logging configuration" Description: "This control checks whether a CodeBuild project environment has at least one log option, either to S3 or CloudWatch logs enabled. This control fails if a CodeBuild project environment does not have at least one log option enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_codebuild_project; PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_codebuild_5.yaml b/compliance/controls/aws/aws_foundational_security_codebuild_5.yaml index 24e336d51..00220d54b 100755 --- a/compliance/controls/aws/aws_foundational_security_codebuild_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_codebuild_5.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_codebuild_5 Title: "5 CodeBuild project environments should not have privileged mode enabled" Description: "This control checks if an AWS CodeBuild project environment has privileged mode enabled. This control fails when an AWS CodeBuild project environment has privileged mode enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_codebuild_project; PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_foundational_security_config_1.yaml b/compliance/controls/aws/aws_foundational_security_config_1.yaml
index baf281b6a..82e75c31c 100755
--- a/compliance/controls/aws/aws_foundational_security_config_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_config_1.yaml
@@ -1,71 +1,15 @@ ID: aws_foundational_security_config_1 Title: "1 AWS Config should be enabled" Description: "This control checks whether AWS Config is enabled in the account for the local Region and is recording all resources. The AWS Config service performs configuration management of supported AWS resources in your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items, and any configuration changes between resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - -- pgFormatter-ignore - -- Get count for any region with all matching criteria - with global_recorders as ( - select - count(*) as global_config_recorders - from - aws_config_configuration_recorder - where - recording_group -> 'IncludeGlobalResourceTypes' = 'true' - and recording_group -> 'AllSupported' = 'true' - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - ) - select - 'arn:aws::' || a.region || ':' || a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- When any of the region satisfies with above CTE - -- In left join of table, regions now having - -- 'Recording' and 'LastStatus' matching criteria can be considered as OK - when - g.global_config_recorders >= 1 - and status ->> 'Recording' = 'true' - and status ->> 'LastStatus' = 'SUCCESS' - then 'ok' - -- Skip any regions that are disabled in the account. - when a.opt_in_status = 'not-opted-in' then 'skip' - else 'alarm' - end as status, - -- Below cases are for citing respective reasons for control state - case - when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.' 
- else - case - when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,' - else a.region || ' IncludeGlobalResourceTypes disabled,' - end || - case - when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,' - else ' AllSupported disabled,' - end || - case - when status ->> 'Recording' = 'true' then ' Recording enabled' - else ' Recording disabled' - end || - case - when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.' - else ' and LastStatus is not SUCCESS.' - end - end as reason - - from - global_recorders as g, - aws_region as a - left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name; + QueryToExecute: "-- pgFormatter-ignore\n-- Get count for any region with all matching criteria\nwith global_recorders as (\n select\n count(*) as global_config_recorders\n from\n aws_config_configuration_recorder\n where\n recording_group -> 'IncludeGlobalResourceTypes' = 'true'\n and recording_group -> 'AllSupported' = 'true'\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n)\nselect\n 'arn:aws::' || a.region || ':' || a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n -- When any of the region satisfies with above CTE\n -- In left join of table, regions now having\n -- 'Recording' and 'LastStatus' matching criteria can be considered as OK\n when\n g.global_config_recorders >= 1\n and status ->> 'Recording' = 'true'\n and status ->> 'LastStatus' = 'SUCCESS'\n then 'ok'\n -- Skip any regions that are disabled in the account.\n when a.opt_in_status = 'not-opted-in' then 'skip'\n else 'alarm'\n end as status,\n -- Below cases are for citing respective reasons for control state\n case\n when a.opt_in_status = 'not-opted-in' then a.region || ' region is disabled.'\n else\n case\n when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then 
a.region || ' IncludeGlobalResourceTypes enabled,'\n else a.region || ' IncludeGlobalResourceTypes disabled,'\n end ||\n case\n when recording_group -> 'AllSupported' = 'true' then ' AllSupported enabled,'\n else ' AllSupported disabled,'\n end ||\n case\n when status ->> 'Recording' = 'true' then ' Recording enabled'\n else ' Recording disabled'\n end ||\n case\n when status ->> 'LastStatus' = 'SUCCESS' then ' and LastStatus is SUCCESS.'\n else ' and LastStatus is not SUCCESS.'\n end\n end as reason\n \nfrom\n global_recorders as g,\n aws_region as a\n left join aws_config_configuration_recorder as r on r.account_id = a.account_id and r.region = a.name;" PrimaryTable: aws_config_configuration_recorder ListOfTables: - - aws_config_configuration_recorder - - aws_region + - aws_config_configuration_recorder + - aws_region Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_dms_1.yaml b/compliance/controls/aws/aws_foundational_security_dms_1.yaml index b3a5ef69d..a789844e5 100755 --- a/compliance/controls/aws/aws_foundational_security_dms_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_dms_1.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_dms_1 Title: "1 AWS Database Migration Service replication instances should not be public" Description: "This control checks whether AWS DMS replication instances are public. To do this, it examines the value of the PubliclyAccessible field. A private replication instance has a private IP address that you cannot access outside of the replication network. A replication instance should have a private IP address when the source and target databases are in the same network. The network must also be connected to the replication instance's VPC using a VPN, AWS Direct Connect, or VPC peering. To learn more about public and private replication instances, see Public and private replication instances in the AWS Database Migration Service User Guide." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_dms_replication_instance; PrimaryTable: aws_dms_replication_instance ListOfTables: - - aws_dms_replication_instance + - aws_dms_replication_instance Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_dms_6.yaml b/compliance/controls/aws/aws_foundational_security_dms_6.yaml index 9cc961b67..9cf164aad 100755 --- a/compliance/controls/aws/aws_foundational_security_dms_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_dms_6.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_dms_6 Title: "6 DMS replication instances should have automatic minor version upgrade enabled" Description: "This control checks if automatic minor version upgrade is enabled for an AWS DMS replication instance. The control fails if automatic minor version upgrade isn't enabled for a DMS replication instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when auto_minor_version_upgrade then 'ok' - else 'alarm' - end as status, - case - when auto_minor_version_upgrade then title || ' automatic minor version upgrade enabled.' - else title || ' automatic minor version upgrade disabled.' - end as reason - - - from - aws_dms_replication_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when auto_minor_version_upgrade then 'ok'\n else 'alarm'\n end as status,\n case\n when auto_minor_version_upgrade then title || ' automatic minor version upgrade enabled.'\n else title || ' automatic minor version upgrade disabled.'\n end as reason\n \n \nfrom\n aws_dms_replication_instance;" PrimaryTable: aws_dms_replication_instance ListOfTables: - - aws_dms_replication_instance + - aws_dms_replication_instance Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_dms_8.yaml b/compliance/controls/aws/aws_foundational_security_dms_8.yaml index 8a311a626..4a38f2b5b 100755 --- a/compliance/controls/aws/aws_foundational_security_dms_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_dms_8.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_dms_8 Title: "8 DMS replication tasks for the source database should have logging enabled" Description: "This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks SOURCE_CAPTURE and SOURCE_UNLOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -35,7 +33,9 @@ Query: left join replication_task_logging as l on l.arn = t.arn; PrimaryTable: aws_dms_replication_task ListOfTables: - - aws_dms_replication_task + - aws_dms_replication_task Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_dms_9.yaml b/compliance/controls/aws/aws_foundational_security_dms_9.yaml index 4a2f71015..dc9f52065 100755 --- a/compliance/controls/aws/aws_foundational_security_dms_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_dms_9.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_dms_9 Title: "9 DMS endpoints should use SSL" Description: "This control checks whether an AWS DMS endpoint uses an SSL connection. The control fails if the endpoint doesn't use SSL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_dms_endpoint; PrimaryTable: aws_dms_endpoint ListOfTables: - - aws_dms_endpoint + - aws_dms_endpoint Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_docdb_1.yaml b/compliance/controls/aws/aws_foundational_security_docdb_1.yaml index 8cbbcc14f..edabcc91c 100755 --- a/compliance/controls/aws/aws_foundational_security_docdb_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_docdb_1.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_docdb_1 Title: "1 Amazon DocumentDB clusters should be encrypted at rest" Description: "This control checks whether an Amazon DocumentDB cluster is encrypted at rest. The control fails if an Amazon DocumentDB cluster isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_docdb_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_docdb_cluster;" PrimaryTable: aws_docdb_cluster ListOfTables: - - aws_docdb_cluster + - aws_docdb_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_docdb_2.yaml b/compliance/controls/aws/aws_foundational_security_docdb_2.yaml index 952ab7f8e..7e9eed639 100755 --- a/compliance/controls/aws/aws_foundational_security_docdb_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_docdb_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_docdb_2 Title: "2 Amazon DocumentDB clusters should have an adequate backup retention period" Description: "This control checks whether an Amazon DocumentDB cluster has a backup retention period greater than or equal to 7 days. The control fails if the backup retention period is less than 7 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -19,7 +17,9 @@ Query: aws_docdb_cluster; PrimaryTable: aws_docdb_cluster ListOfTables: - - aws_docdb_cluster + - aws_docdb_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_docdb_4.yaml b/compliance/controls/aws/aws_foundational_security_docdb_4.yaml index 7b09ebadc..e16888ad7 100755 --- a/compliance/controls/aws/aws_foundational_security_docdb_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_docdb_4.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_docdb_4 Title: "4 Amazon DocumentDB clusters should publish audit logs to CloudWatch Logs" Description: "This control checks whether an Amazon DocumentDB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if the cluster doesn't publish audit logs to CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_docdb_cluster_instance; PrimaryTable: aws_docdb_cluster_instance ListOfTables: - - aws_docdb_cluster_instance + - aws_docdb_cluster_instance Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_docdb_5.yaml b/compliance/controls/aws/aws_foundational_security_docdb_5.yaml index ab84f244a..87f762c9e 100755 --- a/compliance/controls/aws/aws_foundational_security_docdb_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_docdb_5.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_docdb_5 Title: "5 Amazon DocumentDB clusters should have deletion protection enabled" Description: "This control checks whether an Amazon DocumentDB cluster has deletion protection enabled. The control fails if the cluster doesn't have deletion protection enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_docdb_cluster; PrimaryTable: aws_docdb_cluster ListOfTables: - - aws_docdb_cluster + - aws_docdb_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_dynamodb_1.yaml b/compliance/controls/aws/aws_foundational_security_dynamodb_1.yaml index f8cd851ea..d7446c0d9 100755 --- a/compliance/controls/aws/aws_foundational_security_dynamodb_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_dynamodb_1.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_dynamodb_1 Title: "1 DynamoDB tables should automatically scale capacity with demand" Description: "This control checks whether an Amazon DynamoDB table can scale its read and write capacity as needed. This control passes if the table uses either on-demand capacity mode or provisioned mode with auto scaling configured. Scaling capacity with demand avoids throttling exceptions, which helps to maintain availability of your applications." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -35,8 +33,10 @@ Query: left join table_with_autocaling as t on concat('table/', d.name) = t.resource_id; PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_appautoscaling_target - - aws_dynamodb_table + - aws_appautoscaling_target + - aws_dynamodb_table Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_dynamodb_2.yaml b/compliance/controls/aws/aws_foundational_security_dynamodb_2.yaml index 6b51cbb3a..750666ec8 100755 --- a/compliance/controls/aws/aws_foundational_security_dynamodb_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_dynamodb_2.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_dynamodb_2 Title: "2 DynamoDB tables should have point-in-time recovery enabled" Description: "This control checks whether point-in-time recovery (PITR) is enabled for an Amazon DynamoDB table. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. DynamoDB point-in-time recovery automates backups for DynamoDB tables. It reduces the time to recover from accidental delete or write operations. DynamoDB tables that have PITR enabled can be restored to any point in time in the last 35 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_dynamodb_table; PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_dynamodb_table + - aws_dynamodb_table Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_dynamodb_3.yaml b/compliance/controls/aws/aws_foundational_security_dynamodb_3.yaml index c0ab0a9fd..cb86f555b 100755 --- a/compliance/controls/aws/aws_foundational_security_dynamodb_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_dynamodb_3.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_dynamodb_3 Title: "3 DynamoDB Accelerator (DAX) clusters should be encrypted at rest" Description: "This control checks whether a DAX cluster is encrypted at rest. Encrypting data at rest reduces the risk of data stored on disk being accessed by a user not authenticated to AWS. The encryption adds another set of access controls to limit the ability of unauthorized users to access to the data. For example, API permissions are required to decrypt the data before it can be read." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_dax_cluster; PrimaryTable: aws_dax_cluster ListOfTables: - - aws_dax_cluster + - aws_dax_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_dynamodb_6.yaml b/compliance/controls/aws/aws_foundational_security_dynamodb_6.yaml index 60d89a6b0..8bd5c7092 100755 --- a/compliance/controls/aws/aws_foundational_security_dynamodb_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_dynamodb_6.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_dynamodb_6 Title: "6 DynamoDB tables should have deletion protection enabled" Description: "This control checks whether an Amazon DynamoDB table has deletion protection enabled. The control fails if a DynamoDB table doesn't have deletion protection enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_dynamodb_table; PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_dynamodb_table + - aws_dynamodb_table Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_ec2_1.yaml b/compliance/controls/aws/aws_foundational_security_ec2_1.yaml index 8d4b66eed..865c66799 100755 --- a/compliance/controls/aws/aws_foundational_security_ec2_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_1.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_ec2_1 Title: "1 Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone" Description: "Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone. EBS snapshots are used to back up the data on your EBS volumes to Amazon S3 at a specific point in time. You can use the snapshots to restore previous states of EBS volumes. It is rarely acceptable to share a snapshot with the public. Typically the decision to share a snapshot publicly was made in error or without a complete understanding of the implications. This check helps ensure that all such sharing was fully planned and intentional." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then 'alarm' - else 'ok' - end as status, - case - when create_volume_permissions @> '[{"Group": "all", "UserId": null}]' then title || ' is publicly restorable.' - else title || ' is not publicly restorable.' 
- end as reason - - - from - aws_ebs_snapshot; + QueryToExecute: "select\n 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':snapshot/' || snapshot_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_volume_permissions @> '[{\"Group\": \"all\", \"UserId\": null}]' then 'alarm'\n else 'ok'\n end as status,\n case\n when create_volume_permissions @> '[{\"Group\": \"all\", \"UserId\": null}]' then title || ' is publicly restorable.'\n else title || ' is not publicly restorable.'\n end as reason\n \n \nfrom\n aws_ebs_snapshot;\n" PrimaryTable: aws_ebs_snapshot ListOfTables: - - aws_ebs_snapshot + - aws_ebs_snapshot Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_ec2_15.yaml b/compliance/controls/aws/aws_foundational_security_ec2_15.yaml index 625802325..e158e1a19 100755 --- a/compliance/controls/aws/aws_foundational_security_ec2_15.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_15.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_ec2_15 Title: "15 EC2 subnets should not automatically assign public IP addresses" Description: "This control checks whether the assignment of public IPs in Amazon Virtual Private Cloud (Amazon VPC) subnets have MapPublicIpOnLaunch set to FALSE. The control passes if the flag is set to FALSE." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_vpc_subnet; PrimaryTable: aws_vpc_subnet ListOfTables: - - aws_vpc_subnet + - aws_vpc_subnet Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_ec2_16.yaml b/compliance/controls/aws/aws_foundational_security_ec2_16.yaml index 1b632ef1b..e129502f1 100755 --- a/compliance/controls/aws/aws_foundational_security_ec2_16.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_16.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_ec2_16 Title: "16 Unused network access control lists should be removed" Description: "This control checks whether there are any unused network access control lists (ACLs). The control checks the item configuration of the resource AWS::EC2::NetworkAcl and determines the relationships of the network ACL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - network_acl_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(associations) >= 1 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(associations) >= 1 then title || ' associated with subnet.' - else title || ' not associated with subnet.' - end reason - - - from - aws_vpc_network_acl; + QueryToExecute: "select\n network_acl_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(associations) >= 1 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(associations) >= 1 then title || ' associated with subnet.'\n else title || ' not associated with subnet.'\n end reason\n \n \nfrom\n aws_vpc_network_acl;" PrimaryTable: aws_vpc_network_acl ListOfTables: - - aws_vpc_network_acl + - aws_vpc_network_acl Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_ec2_17.yaml b/compliance/controls/aws/aws_foundational_security_ec2_17.yaml index e6548e558..19eab595a 100755 --- a/compliance/controls/aws/aws_foundational_security_ec2_17.yaml +++ b/compliance/controls/aws/aws_foundational_security_ec2_17.yaml 
@@ -1,28 +1,14 @@
 ID: aws_foundational_security_ec2_17
 Title: "17 EC2 instances should not use multiple ENIs"
 Description: "This control checks whether an EC2 instance uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). This control passes if a single network adapter is used. The control includes an optional parameter list to identify the allowed ENIs."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when jsonb_array_length(network_interfaces) = 1 then 'ok'
- else 'alarm'
- end status,
- title || ' has ' || jsonb_array_length(network_interfaces) || ' ENI(s) attached.'
- as reason
-
-
- from
- aws_ec2_instance;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(network_interfaces) = 1 then 'ok'\n else 'alarm'\n end status,\n title || ' has ' || jsonb_array_length(network_interfaces) || ' ENI(s) attached.'\n as reason\n \n \nfrom\n aws_ec2_instance;"
 PrimaryTable: aws_ec2_instance
 ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_18.yaml b/compliance/controls/aws/aws_foundational_security_ec2_18.yaml
index da574c7b1..7bbe41fe4 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_18.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_18.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ec2_18
 Title: "18 Security groups should only allow unrestricted incoming traffic for authorized ports"
 Description: "This control checks whether the security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. The default values for authorizedTcpPorts are 80 and 443."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -36,8 +34,10 @@ Query:
 left join ingress_unauthorized_ports on ingress_unauthorized_ports.group_id = sg.group_id;
 PrimaryTable: aws_vpc_security_group
 ListOfTables:
- - aws_vpc_security_group_rule
- - aws_vpc_security_group
+ - aws_vpc_security_group_rule
+ - aws_vpc_security_group
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_19.yaml b/compliance/controls/aws/aws_foundational_security_ec2_19.yaml
index f0561f3c0..ebb6224be 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_19.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_19.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ec2_19
 Title: "19 Security groups should not allow unrestricted access to ports with high risk"
 Description: "This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -116,8 +114,10 @@ Query:
 left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id;
 PrimaryTable: aws_vpc_security_group
 ListOfTables:
- - aws_vpc_security_group_rule
- - aws_vpc_security_group
+ - aws_vpc_security_group_rule
+ - aws_vpc_security_group
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_2.yaml b/compliance/controls/aws/aws_foundational_security_ec2_2.yaml
index 3afbb573e..f183726b1 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ec2_2
 Title: "2 VPC default security groups should not allow inbound or outbound traffic"
 Description: "This control checks that the default security group of a VPC does not allow inbound or outbound traffic. The rules for the default security group allow all outbound and inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -29,7 +27,9 @@ Query:
 group_name = 'default';
 PrimaryTable: aws_vpc_security_group
 ListOfTables:
- - aws_vpc_security_group
+ - aws_vpc_security_group
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_20.yaml b/compliance/controls/aws/aws_foundational_security_ec2_20.yaml
index 33ec7d653..c10b797e7 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_20.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_20.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ec2_20
 Title: "20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up"
 Description: "This control checks that both VPN tunnels provided by AWS Site-to-Site VPN are in UP status. The control fails if one or both tunnels are in DOWN status."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -34,7 +32,9 @@ Query:
 left join filter_data as b on a.arn = b.arn;
 PrimaryTable: aws_vpc_vpn_connection
 ListOfTables:
- - aws_vpc_vpn_connection
+ - aws_vpc_vpn_connection
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_23.yaml b/compliance/controls/aws/aws_foundational_security_ec2_23.yaml
index 824e4d4d9..fa27e8f00 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_23.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_23.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_ec2_23
 Title: "23 EC2 Transit Gateways should not automatically accept VPC attachment requests"
 Description: "This control checks if EC2 Transit Gateways are automatically accepting shared VPC attachments. This control fails for a Transit Gateway that automatically accepts shared VPC attachment requests."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- transit_gateway_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when auto_accept_shared_attachments = 'enable' then 'alarm'
- else 'ok'
- end as status,
- case
- when auto_accept_shared_attachments = 'enable' then title || ' automatic shared account attachment enabled.'
- else title || ' automatic shared account attachment disabled.'
- end as reason
-
-
- from
- aws_ec2_transit_gateway;
+ QueryToExecute: "select\n transit_gateway_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when auto_accept_shared_attachments = 'enable' then 'alarm'\n else 'ok'\n end as status,\n case\n when auto_accept_shared_attachments = 'enable' then title || ' automatic shared account attachment enabled.'\n else title || ' automatic shared account attachment disabled.'\n end as reason\n \n \nfrom\n aws_ec2_transit_gateway;"
 PrimaryTable: aws_ec2_transit_gateway
 ListOfTables:
- - aws_ec2_transit_gateway
+ - aws_ec2_transit_gateway
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_24.yaml b/compliance/controls/aws/aws_foundational_security_ec2_24.yaml
index 56561610a..8a79ca631 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_24.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_24.yaml
@@ -1,27 +1,14 @@
 ID: aws_foundational_security_ec2_24
 Title: "24 Paravirtual EC2 instance types should not be used"
 Description: "This control checks whether the virtualization type of an EC2 instance is paravirtual. The control fails if the virtualizationType of the EC2 instance is set to paravirtual."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when virtualization_type = 'paravirtual' then 'alarm'
- else 'ok'
- end as status,
- title || ' virtualization type is ' || virtualization_type || '.' as reason
-
-
- from
- aws_ec2_instance;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when virtualization_type = 'paravirtual' then 'alarm'\n else 'ok'\n end as status,\n title || ' virtualization type is ' || virtualization_type || '.' as reason\n \n \nfrom\n aws_ec2_instance;"
 PrimaryTable: aws_ec2_instance
 ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_3.yaml b/compliance/controls/aws/aws_foundational_security_ec2_3.yaml
index ab5aaa72e..53fd14331 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_3.yaml
@@ -1,32 +1,14 @@
 ID: aws_foundational_security_ec2_3
 Title: "3 Attached EBS volumes should be encrypted at rest"
 Description: "This control checks whether the EBS volumes that are in an attached state are encrypted. To pass this check, EBS volumes must be in use and encrypted. If the EBS volume is not attached, then it is not subject to this check."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when state != 'in-use' then 'skip'
- when encrypted then 'ok'
- else 'alarm'
- end as status,
- case
- when state != 'in-use' then volume_id || ' not attached.'
- when encrypted then volume_id || ' encrypted.'
- else volume_id || ' not encrypted.'
- end as reason
-
-
- from
- aws_ebs_volume;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when state != 'in-use' then 'skip'\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when state != 'in-use' then volume_id || ' not attached.'\n when encrypted then volume_id || ' encrypted.'\n else volume_id || ' not encrypted.'\n end as reason\n \n \nfrom\n aws_ebs_volume;"
 PrimaryTable: aws_ebs_volume
 ListOfTables:
- - aws_ebs_volume
+ - aws_ebs_volume
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_4.yaml b/compliance/controls/aws/aws_foundational_security_ec2_4.yaml
index 48b9e6f28..e272a79bc 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_4.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ec2_4
 Title: "4 Stopped EC2 instances should be removed after a specified time period"
 Description: "This control checks whether any EC2 instances have been stopped for more than the allowed number of days. An EC2 instance fails this check if it is stopped for longer than the maximum allowed time period, which by default is 30 days."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,7 +21,9 @@ Query:
 aws_ec2_instance;
 PrimaryTable: aws_ec2_instance
 ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_51.yaml b/compliance/controls/aws/aws_foundational_security_ec2_51.yaml
index 729e561b7..56c5be6a5 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_51.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_51.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_ec2_51
 Title: "51 EC2 Client VPN endpoints should have client connection logging enabled"
 Description: "This control checks whether an AWS Client VPN endpoint has client connection logging enabled. The control fails if the endpoint doesn't have client connection logging enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- client_vpn_endpoint_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when (connection_log_options ->> 'Enabled')::bool then 'ok'
- else 'alarm'
- end as status,
- case
- when (connection_log_options ->> 'Enabled')::bool then title || ' client connection logging enabled.'
- else title || ' client connection logging disabled.'
- end as reason
-
-
- from
- aws_ec2_client_vpn_endpoint;
+ QueryToExecute: "select\n client_vpn_endpoint_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when (connection_log_options ->> 'Enabled')::bool then 'ok'\n else 'alarm'\n end as status,\n case\n when (connection_log_options ->> 'Enabled')::bool then title || ' client connection logging enabled.'\n else title || ' client connection logging disabled.'\n end as reason\n \n \nfrom\n aws_ec2_client_vpn_endpoint;"
 PrimaryTable: aws_ec2_client_vpn_endpoint
 ListOfTables:
- - aws_ec2_client_vpn_endpoint
+ - aws_ec2_client_vpn_endpoint
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_7.yaml b/compliance/controls/aws/aws_foundational_security_ec2_7.yaml
index 2242b9ac3..98c1bd2d1 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_7.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_7.yaml
@@ -1,29 +1,14 @@
 ID: aws_foundational_security_ec2_7
 Title: "7 EBS default encryption should be enabled"
 Description: "This control checks whether account-level encryption is enabled by default for Amazon Elastic Block Store(Amazon EBS). The control fails if the account level encryption is not enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || '::' || region || ':' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when not default_ebs_encryption_enabled then 'alarm'
- else 'ok'
- end as status,
- case
- when not default_ebs_encryption_enabled then region || ' default EBS encryption disabled.'
- else region || ' default EBS encryption enabled.'
- end as reason
-
- from
- aws_ec2_regional_settings;
+ QueryToExecute: "select\n 'arn:' || partition || '::' || region || ':' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when not default_ebs_encryption_enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when not default_ebs_encryption_enabled then region || ' default EBS encryption disabled.'\n else region || ' default EBS encryption enabled.'\n end as reason\n \nfrom\n aws_ec2_regional_settings;"
 PrimaryTable: aws_ec2_regional_settings
 ListOfTables:
- - aws_ec2_regional_settings
+ - aws_ec2_regional_settings
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_8.yaml b/compliance/controls/aws/aws_foundational_security_ec2_8.yaml
index 89303e77d..c0d445c86 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_8.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ec2_8
 Title: "8 EC2 instances should use IMDSv2"
 Description: "This control checks whether your EC2 instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ec2_instance;
 PrimaryTable: aws_ec2_instance
 ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ec2_9.yaml b/compliance/controls/aws/aws_foundational_security_ec2_9.yaml
index 10f60aca2..115a0465f 100755
--- a/compliance/controls/aws/aws_foundational_security_ec2_9.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ec2_9.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_ec2_9
 Title: "9 EC2 instances should not have a public IP address"
 Description: "This control checks whether EC2 instances have a public IP address. The control fails if the publicIp field is present in the EC2 instance configuration item. This control applies to IPv4 addresses only."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when public_ip_address is null then 'ok'
- else 'alarm'
- end as status,
- case
- when public_ip_address is null then instance_id || ' not publicly accessible.'
- else instance_id || ' publicly accessible.'
- end as reason
-
-
- from
- aws_ec2_instance;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when public_ip_address is null then 'ok'\n else 'alarm'\n end as status,\n case\n when public_ip_address is null then instance_id || ' not publicly accessible.'\n else instance_id || ' publicly accessible.'\n end as reason\n \n \nfrom\n aws_ec2_instance;"
 PrimaryTable: aws_ec2_instance
 ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecr_1.yaml b/compliance/controls/aws/aws_foundational_security_ecr_1.yaml
index 269b73e2a..d1b77c5bc 100755
--- a/compliance/controls/aws/aws_foundational_security_ecr_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecr_1.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecr_1
 Title: "1 ECR private repositories should have image scanning configured"
 Description: "This control checks whether a private ECR repository has image scanning configured. This control fails if a private ECR repository doesn't have image scanning configured."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -34,8 +32,10 @@ Query:
 left join check_enhanced_scanning as s on s.registry_id = r.account_id and s.region = r.region;
 PrimaryTable: aws_ecr_repository
 ListOfTables:
- - aws_ecr_registry_scanning_configuration
- - aws_ecr_repository
+ - aws_ecr_registry_scanning_configuration
+ - aws_ecr_repository
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecr_2.yaml b/compliance/controls/aws/aws_foundational_security_ecr_2.yaml
index 1b4a24534..d67c39c6a 100755
--- a/compliance/controls/aws/aws_foundational_security_ecr_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecr_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecr_2
 Title: "2 ECR private repositories should have tag immutability configured"
 Description: "This control checks whether a private ECR repository has tag immutability enabled. This control fails if a private ECR repository has tag immutability disabled. This rule passes if tag immutability is enabled and has the value IMMUTABLE."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ecr_repository;
 PrimaryTable: aws_ecr_repository
 ListOfTables:
- - aws_ecr_repository
+ - aws_ecr_repository
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecr_3.yaml b/compliance/controls/aws/aws_foundational_security_ecr_3.yaml
index 051c32e08..0087991dd 100755
--- a/compliance/controls/aws/aws_foundational_security_ecr_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecr_3.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_ecr_3
 Title: "3 ECR repositories should have at least one lifecycle policy configured"
 Description: "This control checks whether an Amazon ECR repository has at least one lifecycle policy configured. This control fails if an ECR repository does not have any lifecycle policies configured."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when lifecycle_policy -> 'rules' is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when lifecycle_policy -> 'rules' is not null then title || ' lifecycle policy configured.'
- else title || ' lifecycle policy not configured.'
- end as reason
-
-
- from
- aws_ecr_repository;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when lifecycle_policy -> 'rules' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when lifecycle_policy -> 'rules' is not null then title || ' lifecycle policy configured.'\n else title || ' lifecycle policy not configured.'\n end as reason\n \n \nfrom\n aws_ecr_repository;"
 PrimaryTable: aws_ecr_repository
 ListOfTables:
- - aws_ecr_repository
+ - aws_ecr_repository
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_1.yaml b/compliance/controls/aws/aws_foundational_security_ecs_1.yaml
index 67a0a1885..be764d1d1 100755
--- a/compliance/controls/aws/aws_foundational_security_ecs_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_1.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecs_1
 Title: "1 Amazon ECS task definitions should have secure networking modes and user definitions"
 Description: "This control checks whether an Amazon ECS task definition that has host networking mode also has 'privileged' or 'user' container definitions. The control fails for task definitions that have host network mode and container definitions where privileged"
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -42,7 +40,9 @@ Query:
 left join host_network_task_definition as b on a.task_definition_arn = b.arn;
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_10.yaml b/compliance/controls/aws/aws_foundational_security_ecs_10.yaml
index da4c869f9..2abdc2365 100755
--- a/compliance/controls/aws/aws_foundational_security_ecs_10.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_10.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecs_10
 Title: "10 Fargate services should run on the latest Fargate platform version"
 Description: "This control checks if Amazon ECS Fargate services are running the latest Fargate platform version. This control fails if the platform version is not the latest."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 aws_ecs_service;
 PrimaryTable: aws_ecs_service
 ListOfTables:
- - aws_ecs_service
+ - aws_ecs_service
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_12.yaml b/compliance/controls/aws/aws_foundational_security_ecs_12.yaml
index b92fc2aaa..38c7d2576 100755
--- a/compliance/controls/aws/aws_foundational_security_ecs_12.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_12.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecs_12
 Title: "12 ECS clusters should have Container Insights enabled"
 Description: "This control checks if ECS clusters use Container Insights. This control fails if Container Insights are not set up for a cluster."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,7 +21,9 @@ Query:
 jsonb_array_elements(settings) as s;
 PrimaryTable: aws_ecs_cluster
 ListOfTables:
- - aws_ecs_cluster
+ - aws_ecs_cluster
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_2.yaml b/compliance/controls/aws/aws_foundational_security_ecs_2.yaml
index 2ffa9ad05..153f9d82a 100755
--- a/compliance/controls/aws/aws_foundational_security_ecs_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecs_2
 Title: "2 Amazon ECS services should not have public IP addresses assigned to them automatically"
 Description: "This control checks whether Amazon ECS services are configured to automatically assign public IP addresses. This control fails if AssignPublicIP is ENABLED. This control passes if AssignPublicIP is DISABLED."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
 left join service_awsvpc_mode_task_definition as b on a.service_name = b.service_name;
 PrimaryTable: aws_ecs_service
 ListOfTables:
- - aws_ecs_service
- - aws_ecs_task_definition
+ - aws_ecs_service
+ - aws_ecs_task_definition
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_3.yaml b/compliance/controls/aws/aws_foundational_security_ecs_3.yaml
index fc8e3df82..ad2882a8d 100755
--- a/compliance/controls/aws/aws_foundational_security_ecs_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_3.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecs_3
 Title: "3 ECS task definitions should not share the host's process namespace"
 Description: "This control checks if Amazon ECS task definitions are configured to share a host’s process namespace with its containers. The control fails if the task definition shares the host's process namespace with the containers running on it."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ecs_task_definition;
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_4.yaml b/compliance/controls/aws/aws_foundational_security_ecs_4.yaml
index b3b5a8807..29460909a 100755
--- a/compliance/controls/aws/aws_foundational_security_ecs_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_4.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecs_4
 Title: "4 ECS containers should run as non-privileged"
 Description: "This control checks if the privileged parameter in the container definition of Amazon ECS Task Definitions is set to true. The control fails if this parameter is equal to true."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -32,7 +30,9 @@ Query:
 left join privileged_container_definition as c on d.task_definition_arn = c.arn;
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_5.yaml b/compliance/controls/aws/aws_foundational_security_ecs_5.yaml
index bcd92af7c..73d95c9d8 100755
--- a/compliance/controls/aws/aws_foundational_security_ecs_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_5.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecs_5
 Title: "5 ECS containers should be limited to read-only access to root filesystems"
 Description: "This control checks if ECS containers are limited to read-only access to mounted root filesystems. This control fails if the ReadonlyRootFilesystem parameter in the container definition of ECS task definitions is set to false."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -32,7 +30,9 @@ Query:
 left join privileged_container_definition as c on d.task_definition_arn = c.arn;
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_8.yaml b/compliance/controls/aws/aws_foundational_security_ecs_8.yaml
index 70ec2201a..dc9f7828c 100755
--- a/compliance/controls/aws/aws_foundational_security_ecs_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_8.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_ecs_8
 Title: "8 Secrets should not be passed as container environment variables"
 Description: "This control checks if the key value of any variables in the environment parameter of container definitions includes AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control fails if a single environment variable in any container definition equals AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, or ECS_ENGINE_AUTH_DATA. This control does not cover environmental variables passed in from other locations such as Amazon S3."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -39,7 +37,9 @@ Query:
 left join definitions_with_secret_environment_variable as e on d.task_definition_arn = e.arn;
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
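Review bot: The ecs_5 read-only-root-filesystem control still closes with `left join privileged_container_definition as c on d.task_definition_arn = c.arn;`, the same join and CTE name the ecs_4 privileged-container control uses, which suggests its query body may have been copied from ecs_4; the CTE definition sits above this hunk and outside the view, so this may be nothing more than a reused name, but it is worth confirming that the CTE filters on `ReadonlyRootFilesystem` rather than on the privileged flag. If it does test the read-only flag, renaming the CTE in a follow-up (for example `readonly_root_container_definition`) would make any future mismatch obvious at a glance. The query's CTEs and select list are outside the hunk.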
diff --git a/compliance/controls/aws/aws_foundational_security_ecs_9.yaml b/compliance/controls/aws/aws_foundational_security_ecs_9.yaml
index fee8a0ecd..1d643e259 100755
--- a/compliance/controls/aws/aws_foundational_security_ecs_9.yaml
+++ b/compliance/controls/aws/aws_foundational_security_ecs_9.yaml
@@ -1,40 +1,14 @@
 ID: aws_foundational_security_ecs_9
 Title: "9 ECS task definitions should have a logging configuration"
 Description: "This control checks if the latest active Amazon ECS task definition has a logging configuration specified. The control fails if the task definition doesn't have the logConfiguration property defined or if the value for logDriver is null in at least one container definition."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with task_definitions_logging_enabled as (
- select
- distinct task_definition_arn as arn
- from
- aws_ecs_task_definition,
- jsonb_array_elements(container_definitions) as c
- where
- c ->> 'LogConfiguration' is not null
- )
- select
- a.task_definition_arn as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when b.arn is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when b.arn is not null then a.title || ' logging enabled.'
- else a.title || ' logging disabled.'
- end as reason
-
-
- from
- aws_ecs_task_definition as a
- left join task_definitions_logging_enabled as b on a.task_definition_arn = b.arn;
+ QueryToExecute: "with task_definitions_logging_enabled as (\n select\n distinct task_definition_arn as arn\n from\n aws_ecs_task_definition,\n jsonb_array_elements(container_definitions) as c\n where\n c ->> 'LogConfiguration' is not null\n)\nselect\n a.task_definition_arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is not null then a.title || ' logging enabled.'\n else a.title || ' logging disabled.'\n end as reason\n \n \nfrom\n aws_ecs_task_definition as a\n left join task_definitions_logging_enabled as b on a.task_definition_arn = b.arn;"
 PrimaryTable: aws_ecs_task_definition
 ListOfTables:
- - aws_ecs_task_definition
+ - aws_ecs_task_definition
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_efs_1.yaml b/compliance/controls/aws/aws_foundational_security_efs_1.yaml
index 883232b69..111a8c721 100755
--- a/compliance/controls/aws/aws_foundational_security_efs_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_efs_1.yaml
@@ -1,30 +1,14 @@ ID: aws_foundational_security_efs_1 Title: "1 Amazon EFS should be configured to encrypt file data at rest using AWS KMS" Description: "This control checks whether Amazon Elastic File System is configured to encrypt the file data using AWS KMS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encrypted then 'ok' - else 'alarm' - end as status, - case - when encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_efs_file_system; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_efs_file_system;" PrimaryTable: aws_efs_file_system ListOfTables: - - aws_efs_file_system + - aws_efs_file_system Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_efs_2.yaml b/compliance/controls/aws/aws_foundational_security_efs_2.yaml index f7cd34879..ee59f869a 100755 --- a/compliance/controls/aws/aws_foundational_security_efs_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_efs_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_efs_2 Title: "2 Amazon EFS volumes should be in backup plans" Description: "This control checks whether Amazon Elastic File System (Amazon EFS) file systems are added to the backup plans in AWS Backup. The control fails if Amazon EFS file systems are not included in the backup plans." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
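Review bot: Rewriting QueryToExecute from a `|-` block scalar into a single double-quoted string with `\n` escapes makes the SQL much harder to read and review, and the two whitespace-only lines from the old block now survive inside the value as ` \n \n`; the same rewrite appears in ecs_9, efs_3, efs_4, elasticache_1/3/5/7, elb_10, elb_14, elb_4, elb_6 and elb_7, and in elb_4 and elb_6 it additionally forces `\"` escapes inside the JSON containment literals. The files this commit leaves on `QueryToExecute: |-` (efs_2, eks_1, eks_2 and others) show the loader already accepts block scalars, so keeping `QueryToExecute: |-` with the indented SQL and dropping the blank lines would preserve the value while keeping future diffs line-oriented.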
@@ -22,7 +20,9 @@ Query: aws_efs_file_system; PrimaryTable: aws_efs_file_system ListOfTables: - - aws_efs_file_system + - aws_efs_file_system Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_efs_3.yaml b/compliance/controls/aws/aws_foundational_security_efs_3.yaml index 4862d1086..4f0582ae4 100755 --- a/compliance/controls/aws/aws_foundational_security_efs_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_efs_3.yaml @@ -1,30 +1,14 @@ ID: aws_foundational_security_efs_3 Title: "3 EFS access points should enforce a root directory" Description: "This control checks if Amazon EFS access points are configured to enforce a root directory. The control fails if the value of Path is set to / (the default root directory of the file system)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - access_point_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when root_directory ->> 'Path'= '/' then 'alarm' - else 'ok' - end as status, - case - when root_directory ->> 'Path'= '/' then title || ' not configured to enforce a root directory.' - else title || ' configured to enforce a root directory.' - end as reason - - - from - aws_efs_access_point; + QueryToExecute: "select\n access_point_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when root_directory ->> 'Path'= '/' then 'alarm'\n else 'ok'\n end as status,\n case\n when root_directory ->> 'Path'= '/' then title || ' not configured to enforce a root directory.'\n else title || ' configured to enforce a root directory.'\n end as reason\n \n \nfrom\n aws_efs_access_point;" PrimaryTable: aws_efs_access_point ListOfTables: - - aws_efs_access_point + - aws_efs_access_point Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud 
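Review bot: In the new QueryToExecute for efs_3, `root_directory ->> 'Path'= '/'` evaluates to null when `root_directory` is null or has no Path member, so such a row falls through to `else 'ok'` and is reported as enforcing a root directory. If the collector can return access points without that member, `coalesce(root_directory ->> 'Path', '/') = '/'` in both case expressions treats the unset default as the root path the Description describes. elb_10 has the same null-to-ok fall-through: `jsonb_array_length(availability_zones) < 2` is null for a null `availability_zones`, which yields status 'ok' together with a null reason.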
diff --git a/compliance/controls/aws/aws_foundational_security_efs_4.yaml b/compliance/controls/aws/aws_foundational_security_efs_4.yaml index 2120784c6..08515ad9e 100755 --- a/compliance/controls/aws/aws_foundational_security_efs_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_efs_4.yaml @@ -1,30 +1,14 @@ ID: aws_foundational_security_efs_4 Title: "4 EFS access points should enforce a user identity" Description: "This control checks whether Amazon EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - access_point_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when posix_user is null then 'alarm' - else 'ok' - end as status, - case - when posix_user is null then title || ' does not enforce a user identity.' - else title || ' enforces a user identity.' - end as reason - - - from - aws_efs_access_point; + QueryToExecute: "select\n access_point_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when posix_user is null then 'alarm'\n else 'ok'\n end as status,\n case\n when posix_user is null then title || ' does not enforce a user identity.'\n else title || ' enforces a user identity.'\n end as reason\n \n \nfrom\n aws_efs_access_point;" PrimaryTable: aws_efs_access_point ListOfTables: - - aws_efs_access_point + - aws_efs_access_point Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_eks_1.yaml b/compliance/controls/aws/aws_foundational_security_eks_1.yaml index 8bc828320..1ec3b6912 100755 --- a/compliance/controls/aws/aws_foundational_security_eks_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_eks_1.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_eks_1 Title: "1 EKS cluster endpoints should not be publicly accessible" Description: "This control checks whether an Amazon EKS cluster endpoint is publicly accessible. The control fails if an EKS cluster has an endpoint that is publicly accessible." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_eks_cluster; PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_eks_2.yaml b/compliance/controls/aws/aws_foundational_security_eks_2.yaml index 82ea97963..3092d9be8 100755 --- a/compliance/controls/aws/aws_foundational_security_eks_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_eks_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_eks_2 Title: "2 EKS clusters should run on a supported Kubernetes version" Description: "This control checks whether an Amazon EKS cluster is running on a supported Kubernetes version. The control fails if the EKS cluster is running on an unsupported version. If your application doesn't require a specific version of Kubernetes, we recommend that you use the latest available Kubernetes version that's supported by EKS for your clusters." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,7 +21,9 @@ Query: aws_eks_cluster; PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_eks_8.yaml b/compliance/controls/aws/aws_foundational_security_eks_8.yaml index 345565619..ae9afced3 100755 --- a/compliance/controls/aws/aws_foundational_security_eks_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_eks_8.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_eks_8 Title: "8 EKS clusters should have audit logging enabled" Description: "This control checks whether an Amazon EKS cluster has audit logging enabled. The control fails if audit logging isn't enabled for the cluster." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,7 +35,9 @@ Query: left join control_panel_audit_logging as l on l.arn = c.arn; PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_1.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_1.yaml index 60b88d71a..ef790cf20 100755 --- a/compliance/controls/aws/aws_foundational_security_elasticache_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_1.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_elasticache_1 Title: "1 ElastiCache for Redis clusters should have automatic backups scheduled" Description: "This control evaluates if Amazon ElastiCache for Redis clusters have automatic backup scheduled. The control fails if the SnapshotRetentionLimit for the Redis cluster is less than 1." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when snapshot_retention_limit < 15 then 'alarm' - else 'ok' - end as status, - case - when snapshot_retention_limit = 0 then title || ' automatic backups not enabled.' - when snapshot_retention_limit < 15 then title || ' automatic backup retention period is less than 15 days.' - else title || ' automatic backup retention period is more than 15 days.' - end as reason - - from - aws_elasticache_replication_group; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when snapshot_retention_limit < 15 then 'alarm'\n else 'ok'\n end as status,\n case\n when snapshot_retention_limit = 0 then title || ' automatic backups not enabled.'\n when snapshot_retention_limit < 15 then title || ' automatic backup retention period is less than 15 days.'\n else title || ' automatic backup retention period is more than 15 days.'\n end as reason\n \nfrom\n aws_elasticache_replication_group;" PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_replication_group + - aws_elasticache_replication_group Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_2.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_2.yaml index 0363503ea..adbd55a84 100755 --- a/compliance/controls/aws/aws_foundational_security_elasticache_2.yaml 
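Review bot: The new QueryToExecute alarms on `snapshot_retention_limit < 15`, while the Description on the same hunk says the control fails when SnapshotRetentionLimit is less than 1; one of the two should change, and since the reason strings are written around a 15-day threshold the Description is the likelier candidate. The final reason branch also reads 'more than 15 days' for a retention limit of exactly 15; `' automatic backup retention period is at least 15 days.'` would be accurate for that branch.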
+++ b/compliance/controls/aws/aws_foundational_security_elasticache_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_elasticache_2 Title: "2 Minor version upgrades should be automatically applied to ElastiCache for Redis cache clusters" Description: "This control evaluates whether ElastiCache for Redis automatically applies minor version upgrades to cache clusters. This control fails if ElastiCache for Redis cache clusters do not have minor version upgrades automatically applied." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_elasticache_cluster; PrimaryTable: aws_elasticache_cluster ListOfTables: - - aws_elasticache_cluster + - aws_elasticache_cluster Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_3.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_3.yaml index 4fa122d35..ce654466e 100755 --- a/compliance/controls/aws/aws_foundational_security_elasticache_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_3.yaml 
@@ -1,29 +1,14 @@ ID: aws_foundational_security_elasticache_3 Title: "3 ElastiCache for Redis replication groups should have automatic failover enabled" Description: "This control checks if ElastiCache for Redis replication groups have automatic failover enabled. This control fails if automatic failover isn't enabled for a Redis replication group." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when automatic_failover = 'enabled' then 'ok' - else 'alarm' - end as status, - case - when automatic_failover = 'enabled' then title || ' automatic failover enabled.' - else title || ' automatic failover disabled.' - end as reason - - from - aws_elasticache_replication_group; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when automatic_failover = 'enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when automatic_failover = 'enabled' then title || ' automatic failover enabled.'\n else title || ' automatic failover disabled.'\n end as reason\n \nfrom\n aws_elasticache_replication_group;" PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_replication_group + - aws_elasticache_replication_group Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_4.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_4.yaml index 92ecb3cb3..86ad9418f 100755 --- a/compliance/controls/aws/aws_foundational_security_elasticache_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_4.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_elasticache_4 Title: "4 ElastiCache for Redis replication groups should be encrypted at rest" Description: "This control checks if ElastiCache for Redis replication groups are encrypted at rest. This control fails if an ElastiCache for Redis replication group isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_elasticache_replication_group; PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_replication_group + - aws_elasticache_replication_group Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_5.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_5.yaml index 36669cb0e..dab441f0e 100755 --- a/compliance/controls/aws/aws_foundational_security_elasticache_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_5.yaml 
@@ -1,29 +1,14 @@ ID: aws_foundational_security_elasticache_5 Title: "5 ElastiCache for Redis replication groups should be encrypted in transit" Description: "This control checks if ElastiCache for Redis replication groups are encrypted in transit. This control fails if an ElastiCache for Redis replication group isn't encrypted in transit." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when transit_encryption_enabled then 'ok' - else 'alarm' - end as status, - case - when transit_encryption_enabled then title || ' encryption in transit enabled.' - else title || ' encryption in transit disabled.' - end as reason - - from - aws_elasticache_replication_group; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when transit_encryption_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when transit_encryption_enabled then title || ' encryption in transit enabled.'\n else title || ' encryption in transit disabled.'\n end as reason\n \nfrom\n aws_elasticache_replication_group;" PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_replication_group + - aws_elasticache_replication_group Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_6.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_6.yaml index b8ae432f8..03e44109f 100755 --- a/compliance/controls/aws/aws_foundational_security_elasticache_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_6.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_elasticache_6 Title: "6 ElastiCache for Redis replication groups before version 6.0 should use Redis AUTH" Description: "This control checks if ElastiCache for Redis replication groups have Redis AUTH enabled. The control fails for an ElastiCache for Redis replication group if the Redis version of its nodes is below 6.0 and AuthToken isn't in use." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -32,8 +30,10 @@ Query: left join elasticache_cluster_node_version as v on eg.replication_group_id = v.replication_group_id; PrimaryTable: aws_elasticache_replication_group ListOfTables: - - aws_elasticache_cluster - - aws_elasticache_replication_group + - aws_elasticache_cluster + - aws_elasticache_replication_group Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elasticache_7.yaml b/compliance/controls/aws/aws_foundational_security_elasticache_7.yaml index e6be7ad5e..d296b5dc9 100755 --- a/compliance/controls/aws/aws_foundational_security_elasticache_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticache_7.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_elasticache_7 Title: "7 ElastiCache clusters should not use the default subnet group" Description: "This control checks if ElastiCache clusters are configured with a custom subnet group. The control fails for an ElastiCache cluster if CacheSubnetGroupName has the value default." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when cache_subnet_group_name = 'default' then 'alarm' - else 'ok' - end as status, - case - when cache_subnet_group_name = 'default' then title || ' not configured with a custom subnet group.' - else title || ' configured with a custom subnet group.' - end as reason - - - from - aws_elasticache_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when cache_subnet_group_name = 'default' then 'alarm'\n else 'ok'\n end as status,\n case\n when cache_subnet_group_name = 'default' then title || ' not configured with a custom subnet group.'\n else title || ' configured with a custom subnet group.'\n end as reason\n \n \nfrom\n aws_elasticache_cluster;" PrimaryTable: aws_elasticache_cluster ListOfTables: - - aws_elasticache_cluster + - aws_elasticache_cluster Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_1.yaml b/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_1.yaml index 8792081df..e18a54126 100755 --- a/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_1.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_elasticbeanstalk_1 Title: "1 Elastic Beanstalk environments should have enhanced health reporting enabled" Description: "This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.Elastic Beanstalk enhanced health reporting enables a more rapid response to changes in the health of the underlying infrastructure. These changes could result in a lack of availability of the application." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_elastic_beanstalk_environment; PrimaryTable: aws_elastic_beanstalk_environment ListOfTables: - - aws_elastic_beanstalk_environment + - aws_elastic_beanstalk_environment Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_3.yaml b/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_3.yaml index 7b9b62b2d..568da6bee 100755 --- a/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_elasticbeanstalk_3.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_elasticbeanstalk_3 Title: "3 Elastic Beanstalk should stream logs to CloudWatch" Description: "This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs. Optionally, you can provide a custom value for the RetentionInDays parameter if you want the control to pass only if logs are retained for the specified number of days before expiration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -36,7 +34,9 @@ Query: left join beanstalk_environment_logs_enabled as l on e.arn = l.arn; PrimaryTable: aws_elastic_beanstalk_environment ListOfTables: - - aws_elastic_beanstalk_environment + - aws_elastic_beanstalk_environment Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elb_1.yaml b/compliance/controls/aws/aws_foundational_security_elb_1.yaml index f01f9d22c..4024ecf8b 100755 --- a/compliance/controls/aws/aws_foundational_security_elb_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_1.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_elb_1 Title: "1 Application Load Balancer should be configured to redirect all HTTP requests to HTTPS" Description: "This control checks whether HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The control fails if any of the HTTP listeners of Application Load Balancers do not have HTTP to HTTPS redirection configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,8 +35,10 @@ Query: left join detailed_listeners b on a.arn = b.load_balancer_arn; PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_load_balancer_listener - - aws_ec2_application_load_balancer + - aws_ec2_load_balancer_listener + - aws_ec2_application_load_balancer Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elb_10.yaml b/compliance/controls/aws/aws_foundational_security_elb_10.yaml index bdc4b01e7..052d6bd9d 100755 --- a/compliance/controls/aws/aws_foundational_security_elb_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_10.yaml 
@@ -1,27 +1,14 @@ ID: aws_foundational_security_elb_10 Title: "10 Classic Load Balancers should span multiple Availability Zones" Description: "This control checks whether a Classic Load Balancer has been configured to span multiple Availability Zones. The control fails if the Classic Load Balancer does not span multiple Availability Zones." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(availability_zones) < 2 then 'alarm' - else 'ok' - end as status, - title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason - - - from - aws_ec2_classic_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(availability_zones) < 2 then 'alarm'\n else 'ok'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason\n \n \nfrom\n aws_ec2_classic_load_balancer;" PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elb_12.yaml b/compliance/controls/aws/aws_foundational_security_elb_12.yaml index 9def27555..a4bdf38a9 100755 --- a/compliance/controls/aws/aws_foundational_security_elb_12.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_12.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_elb_12 Title: "12 Application Load Balancers should be configured with defensive or strictest desync mitigation mode" Description: "This control checks whether an Application Load Balancer is configured with defensive or strictest desync mitigation mode. The control fails if an Application Load Balancer is not configured with defensive or strictest desync mitigation mode." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -31,7 +29,9 @@ Query: left join app_lb_desync_mitigation_mode as m on a.arn = m.arn; PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elb_14.yaml b/compliance/controls/aws/aws_foundational_security_elb_14.yaml index ebea660bf..e2f574a7d 100755 --- a/compliance/controls/aws/aws_foundational_security_elb_14.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_14.yaml 
@@ -1,39 +1,14 @@ ID: aws_foundational_security_elb_14 Title: "14 Classic Load Balancers should be configured with defensive or strictest desync mitigation mode" Description: "This control checks whether a Classic Load Balancer is configured with defensive or strictest desync mitigation mode. This control will fail if the Classic Load Balancer is not configured with defensive or strictest desync mitigation mode." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with app_lb_desync_mitigation_mode as ( - select - arn, - a ->> 'Key', - a ->> 'Value' as v - from - aws_ec2_classic_load_balancer, - jsonb_array_elements(additional_attributes) as a - where - a ->> 'Key' = 'elb.http.desyncmitigationmode' - ) - select - c.arn as resource, - c.og_account_id as og_account_id, - c.og_resource_id as og_resource_id, - case - when m.v = any(array['defensive', 'strictest']) then 'ok' - else 'alarm' - end as status, - title || ' has ' || m.v || ' desync mitigation mode.' as reason - - - from - aws_ec2_classic_load_balancer as c - left join app_lb_desync_mitigation_mode as m on c.arn = m.arn; + QueryToExecute: "with app_lb_desync_mitigation_mode as (\n select\n arn,\n a ->> 'Key',\n a ->> 'Value' as v\n from\n aws_ec2_classic_load_balancer,\n jsonb_array_elements(additional_attributes) as a\n where\n a ->> 'Key' = 'elb.http.desyncmitigationmode'\n)\nselect\n c.arn as resource,\n c.og_account_id as og_account_id,\n c.og_resource_id as og_resource_id,\n case\n when m.v = any(array['defensive', 'strictest']) then 'ok'\n else 'alarm'\n end as status,\n title || ' has ' || m.v || ' desync mitigation mode.' as reason\n \n \nfrom\n aws_ec2_classic_load_balancer as c\n left join app_lb_desync_mitigation_mode as m on c.arn = m.arn;" PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud 
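Review bot: In the new QueryToExecute, `title || ' has ' || m.v || ' desync mitigation mode.'` yields a null reason for any Classic Load Balancer whose additional_attributes carry no `elb.http.desyncmitigationmode` entry, because the left join leaves `m.v` null and string concatenation with null is null, even though status correctly becomes 'alarm' for that row. `coalesce(m.v, 'no')` in the reason expression keeps the message populated. The unlabelled `a ->> 'Key'` column in the CTE is never referenced and can be dropped.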
diff --git a/compliance/controls/aws/aws_foundational_security_elb_2.yaml b/compliance/controls/aws/aws_foundational_security_elb_2.yaml index e69a973be..3d2f04e3a 100755 --- a/compliance/controls/aws/aws_foundational_security_elb_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_elb_2 Title: "2 Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager" Description: "This control checks whether the Classic Load Balancer uses HTTPS/SSL certificates provided by AWS Certificate Manager (ACM). The control fails if the Classic Load Balancer configured with HTTPS/SSL listener does not use a certificate provided by ACM." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -35,7 +33,9 @@ Query: left join detailed_classic_listeners as b on a.name = b.name; PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_elb_4.yaml b/compliance/controls/aws/aws_foundational_security_elb_4.yaml index 4a3d90813..76d0ab651 100755 --- a/compliance/controls/aws/aws_foundational_security_elb_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_4.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_elb_4 Title: "4 Application load balancers should be configured to drop HTTP headers" Description: "This control evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop invalid HTTP headers. The control fails if the value of routing.http.drop_invalid_header_fields.enabled is set to false. By default, ALBs are not configured to drop invalid HTTP header values. Removing these header values prevents HTTP desync attacks." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' then 'ok' - else 'alarm' - end as status, - case - when load_balancer_attributes @> '[{"Key": "routing.http.drop_invalid_header_fields.enabled", "Value": "true"}]' then title || ' configured to drop http headers.' - else title || ' not configured to drop http headers.' - end as reason - - - from - aws_ec2_application_load_balancer; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when load_balancer_attributes @> '[{\"Key\": \"routing.http.drop_invalid_header_fields.enabled\", \"Value\": \"true\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when load_balancer_attributes @> '[{\"Key\": \"routing.http.drop_invalid_header_fields.enabled\", \"Value\": \"true\"}]' then title || ' configured to drop http headers.'\n else title || ' not configured to drop http headers.'\n end as reason\n \n \nfrom\n aws_ec2_application_load_balancer;" PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_foundational_security_elb_6.yaml b/compliance/controls/aws/aws_foundational_security_elb_6.yaml index 89dfd20ec..251110aa5 100755 --- a/compliance/controls/aws/aws_foundational_security_elb_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_elb_6.yaml 
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_elb_6
 Title: "6 Application Load Balancer deletion protection should be enabled"
 Description: "This control checks whether an Application Load Balancer has deletion protection enabled. The control fails if deletion protection is not configured. Enable deletion protection to protect your Application Load Balancer from deletion."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' then 'ok'
- else 'alarm'
- end as status,
- case
- when load_balancer_attributes @> '[{"Key": "deletion_protection.enabled", "Value": "true"}]' then title || ' deletion protection enabled.'
- else title || ' deletion protection disabled.'
- end as reason
-
-
- from
- aws_ec2_application_load_balancer;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when load_balancer_attributes @> '[{\"Key\": \"deletion_protection.enabled\", \"Value\": \"true\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when load_balancer_attributes @> '[{\"Key\": \"deletion_protection.enabled\", \"Value\": \"true\"}]' then title || ' deletion protection enabled.'\n else title || ' deletion protection disabled.'\n end as reason\n \n \nfrom\n aws_ec2_application_load_balancer;"
 PrimaryTable: aws_ec2_application_load_balancer
 ListOfTables:
- - aws_ec2_application_load_balancer
+ - aws_ec2_application_load_balancer
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_elb_7.yaml b/compliance/controls/aws/aws_foundational_security_elb_7.yaml
index b55e12298..ac683fe6e 100755
--- a/compliance/controls/aws/aws_foundational_security_elb_7.yaml
+++ b/compliance/controls/aws/aws_foundational_security_elb_7.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_elb_7
 Title: "7 Classic Load Balancers should have connection draining enabled"
 Description: "This control checks whether Classic Load Balancers have connection draining enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when connection_draining_enabled then 'ok'
- else 'alarm'
- end as status,
- case
- when connection_draining_enabled then title || ' connection draining enabled.'
- else title || ' connection draining disabled.'
- end as reason
-
-
- from
- aws_ec2_classic_load_balancer;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when connection_draining_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when connection_draining_enabled then title || ' connection draining enabled.'\n else title || ' connection draining disabled.'\n end as reason\n \n \nfrom\n aws_ec2_classic_load_balancer;"
 PrimaryTable: aws_ec2_classic_load_balancer
 ListOfTables:
- - aws_ec2_classic_load_balancer
+ - aws_ec2_classic_load_balancer
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_elb_9.yaml b/compliance/controls/aws/aws_foundational_security_elb_9.yaml
index bc43eae08..88321642a 100755
--- a/compliance/controls/aws/aws_foundational_security_elb_9.yaml
+++ b/compliance/controls/aws/aws_foundational_security_elb_9.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_elb_9
 Title: "9 Classic Load Balancers should have cross-zone load balancing enabled"
 Description: "This control checks if cross-zone load balancing is enabled for the Classic Load Balancers (CLBs). This control fails if cross-zone load balancing is not enabled for a CLB."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_ec2_classic_load_balancer;
 PrimaryTable: aws_ec2_classic_load_balancer
 ListOfTables:
- - aws_ec2_classic_load_balancer
+ - aws_ec2_classic_load_balancer
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_emr_1.yaml b/compliance/controls/aws/aws_foundational_security_emr_1.yaml
index 90579fc95..01276c940 100755
--- a/compliance/controls/aws/aws_foundational_security_emr_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_emr_1.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_emr_1
 Title: "1 Amazon EMR cluster primary nodes should not have public IP addresses"
 Description: "This control checks whether master nodes on Amazon EMR clusters have public IP addresses. The control fails if the master node has public IP addresses that are associated with any of its instances. Public IP addresses are designated in the PublicIp field of the NetworkInterfaces configuration for the instance. This control only checks Amazon EMR clusters that are in a RUNNING or WAITING state."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 left join aws_vpc_subnet as s on c.ec2_instance_attributes ->> 'Ec2SubnetId' = s.subnet_id;
 PrimaryTable: aws_emr_cluster
 ListOfTables:
- - aws_emr_cluster
- - aws_vpc_subnet
+ - aws_emr_cluster
+ - aws_vpc_subnet
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_emr_2.yaml b/compliance/controls/aws/aws_foundational_security_emr_2.yaml
index 31635327b..b4687de6a 100755
--- a/compliance/controls/aws/aws_foundational_security_emr_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_emr_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_emr_2
 Title: "2 Amazon EMR block public access setting should be enabled"
 Description: "This control checks whether your account is configured with Amazon EMR block public access. The control fails if the block public access setting isn't enabled or if any port other than port 22 is allowed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,7 +35,9 @@ Query:
 left join emr_port_configuration as p on p.region = c.region and p.account_id = c.account_id
 PrimaryTable: aws_emr_block_public_access_configuration
 ListOfTables:
- - aws_emr_block_public_access_configuration
+ - aws_emr_block_public_access_configuration
 Parameters: []
 Severity: critical
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_es_1.yaml b/compliance/controls/aws/aws_foundational_security_es_1.yaml
index 51b87be48..6d9483e58 100755
--- a/compliance/controls/aws/aws_foundational_security_es_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_es_1.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_es_1
 Title: "1 Elasticsearch domains should have encryption at-rest enabled"
 Description: "This control checks whether Amazon Elasticsearch Service (Amazon ES) domains have encryption at rest configuration enabled. The check fails if encryption at rest is not enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when encryption_at_rest_options ->> 'Enabled' = 'false' then 'alarm'
- else 'ok'
- end status,
- case
- when encryption_at_rest_options ->> 'Enabled' = 'false' then title || ' encryption at rest not enabled.'
- else title || ' encryption at rest enabled.'
- end reason
-
-
- from
- aws_elasticsearch_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encryption_at_rest_options ->> 'Enabled' = 'false' then 'alarm'\n else 'ok'\n end status,\n case\n when encryption_at_rest_options ->> 'Enabled' = 'false' then title || ' encryption at rest not enabled.'\n else title || ' encryption at rest enabled.'\n end reason\n \n \nfrom\n aws_elasticsearch_domain;"
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_es_2.yaml b/compliance/controls/aws/aws_foundational_security_es_2.yaml
index 246045adf..24ff78f7d 100755
--- a/compliance/controls/aws/aws_foundational_security_es_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_es_2.yaml
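Review bot: The status expression in the new `QueryToExecute` string fails open: `when encryption_at_rest_options ->> 'Enabled' = 'false' then 'alarm' else 'ok'` yields `ok` whenever the key is absent or the column is null, so a domain with no encryption-at-rest configuration recorded is reported compliant; whether the collector can produce such rows is not visible here, but the es_5 and es_8 hunks in this same commit already use the fail-closed form. For consistency, test the positive value in both `case` branches, `when encryption_at_rest_options ->> 'Enabled' = 'true' then 'ok' else 'alarm'`, and swap the two reason messages to match.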
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_es_2
 Title: "2 Elasticsearch domains should not be publicly accessible"
 Description: "This control checks whether Amazon Elasticsearch Service domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access. You should ensure that Amazon ES domains are not attached to public subnets."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when vpc_options ->> 'VPCId' is null then 'alarm'
- else 'ok'
- end status,
- case
- when vpc_options ->> 'VPCId' is null then title || ' not in VPC.'
- else title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.'
- end reason
-
-
- from
- aws_elasticsearch_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_options ->> 'VPCId' is null then 'alarm'\n else 'ok'\n end status,\n case\n when vpc_options ->> 'VPCId' is null then title || ' not in VPC.'\n else title || ' in VPC ' || (vpc_options ->> 'VPCId') || '.'\n end reason\n \n \nfrom\n aws_elasticsearch_domain;"
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: critical
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_es_3.yaml b/compliance/controls/aws/aws_foundational_security_es_3.yaml
index 12bad98ae..00617b79d 100755
--- a/compliance/controls/aws/aws_foundational_security_es_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_es_3.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_es_3
 Title: "3 Amazon Elasticsearch Service domains should encrypt data sent between nodes"
 Description: "This control checks whether Amazon ES domains have node-to-node encryption enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 aws_elasticsearch_domain;
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_es_4.yaml b/compliance/controls/aws/aws_foundational_security_es_4.yaml
index 611d5ac97..2a4d3096d 100755
--- a/compliance/controls/aws/aws_foundational_security_es_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_es_4.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_es_4
 Title: "4 Elasticsearch domain error logging to CloudWatch Logs should be enabled"
 Description: "This control checks whether Elasticsearch domains are configured to send error logs to CloudWatch Logs."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,7 +24,9 @@ Query:
 aws_elasticsearch_domain;
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_es_5.yaml b/compliance/controls/aws/aws_foundational_security_es_5.yaml
index 64c386cdb..488912bde 100755
--- a/compliance/controls/aws/aws_foundational_security_es_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_es_5.yaml
@@ -1,34 +1,14 @@
 ID: aws_foundational_security_es_5
 Title: "5 Elasticsearch domains should have audit logging enabled"
 Description: "This control checks whether Elasticsearch domains have audit logging enabled. This control fails if an Elasticsearch domain does not have audit logging enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when
- log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true'
- and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when
- log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true'
- and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then title || ' audit logging enabled.'
- else title || ' audit logging disabled.'
- end as reason
-
-
- from
- aws_elasticsearch_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when\n log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when\n log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true'\n and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null then title || ' audit logging enabled.'\n else title || ' audit logging disabled.'\n end as reason\n \n \nfrom\n aws_elasticsearch_domain;"
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_es_6.yaml b/compliance/controls/aws/aws_foundational_security_es_6.yaml
index 40b374ac4..01868db80 100755
--- a/compliance/controls/aws/aws_foundational_security_es_6.yaml
+++ b/compliance/controls/aws/aws_foundational_security_es_6.yaml
@@ -1,33 +1,14 @@
 ID: aws_foundational_security_es_6
 Title: "6 Elasticsearch domains should have at least three data nodes"
 Description: "This control checks whether Elasticsearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' then 'alarm'
- when
- elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'true'
- and (elasticsearch_cluster_config ->> 'InstanceCount')::integer >= 3 then 'ok'
- else 'alarm'
- end status,
- case
- when elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' then title || ' zone awareness disabled.'
- else title || ' has ' || (elasticsearch_cluster_config ->> 'InstanceCount') || ' data node(s).'
- end as reason
-
-
- from
- aws_elasticsearch_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' then 'alarm'\n when\n elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'true'\n and (elasticsearch_cluster_config ->> 'InstanceCount')::integer >= 3 then 'ok'\n else 'alarm'\n end status,\n case\n when elasticsearch_cluster_config ->> 'ZoneAwarenessEnabled' = 'false' then title || ' zone awareness disabled.'\n else title || ' has ' || (elasticsearch_cluster_config ->> 'InstanceCount') || ' data node(s).'\n end as reason\n \n \nfrom\n aws_elasticsearch_domain;"
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_es_7.yaml b/compliance/controls/aws/aws_foundational_security_es_7.yaml
index cca3b42e9..b80e8aa3f 100755
--- a/compliance/controls/aws/aws_foundational_security_es_7.yaml
+++ b/compliance/controls/aws/aws_foundational_security_es_7.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_es_7
 Title: "7 Elasticsearch domains should be configured with at least three dedicated master nodes"
 Description: "This control checks whether Elasticsearch domains are configured with at least three dedicated master nodes. This control fails if the domain does not use dedicated master nodes. This control passes if Elasticsearch domains have five dedicated master nodes. However, using more than three master nodes might be unnecessary to mitigate the availability risk, and will result in additional cost."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,7 +23,9 @@ Query:
 aws_elasticsearch_domain;
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_es_8.yaml b/compliance/controls/aws/aws_foundational_security_es_8.yaml
index e0d5550c9..39d01b0b9 100755
--- a/compliance/controls/aws/aws_foundational_security_es_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_es_8.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_es_8
 Title: "8 Connections to Elasticsearch domains should be encrypted using TLS 1.2"
 Description: "This control checks whether connections to Elasticsearch domains are required to use TLS 1.2. The check fails if the Elasticsearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then 'ok'
- else 'alarm'
- end status,
- case
- when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then title || ' encrypted using TLS 1.2.'
- else title || ' not encrypted using TLS 1.2.'
- end as reason
-
-
- from
- aws_elasticsearch_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then 'ok'\n else 'alarm'\n end status,\n case\n when domain_endpoint_options ->> 'TLSSecurityPolicy' = 'Policy-Min-TLS-1-2-2019-07' then title || ' encrypted using TLS 1.2.'\n else title || ' not encrypted using TLS 1.2.'\n end as reason\n \n \nfrom\n aws_elasticsearch_domain;"
 PrimaryTable: aws_elasticsearch_domain
 ListOfTables:
- - aws_elasticsearch_domain
+ - aws_elasticsearch_domain
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_eventbridge_3.yaml b/compliance/controls/aws/aws_foundational_security_eventbridge_3.yaml
index 1967f11d0..56feceb33 100755
--- a/compliance/controls/aws/aws_foundational_security_eventbridge_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_eventbridge_3.yaml
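Review bot: The TLS check in the new `QueryToExecute` string passes only the exact policy name `Policy-Min-TLS-1-2-2019-07`, so any stricter minimum-TLS-1.2 policy the service offers (a newer PFS-only variant exists, to be confirmed against the current service documentation) is reported as `alarm` with the reason `not encrypted using TLS 1.2`, a false positive that nudges operators toward the older policy. Consider matching the policy family in both `case` branches, `when domain_endpoint_options ->> 'TLSSecurityPolicy' like 'Policy-Min-TLS-1-2-%' then 'ok'`, or listing the accepted policies explicitly in an `in (...)`. The `Description` sentence naming the single policy should be updated to match whichever form is chosen.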
@@ -1,32 +1,14 @@
 ID: aws_foundational_security_eventbridge_3
 Title: "3 EventBridge custom event buses should have a resource-based policy attached"
 Description: "This control checks if an Amazon EventBridge custom event bus has a resource-based policy attached. This control fails if the custom event bus doesn't have a resource-based policy."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when name = 'default' then 'skip'
- when policy_std is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when name = 'default' then title || ' is default event bus.'
- when policy_std is not null then title || ' has resource based policy attached.'
- else title || ' does not have resource based policy attached.'
- end as reason
-
-
- from
- aws_eventbridge_bus;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when name = 'default' then 'skip'\n when policy_std is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when name = 'default' then title || ' is default event bus.'\n when policy_std is not null then title || ' has resource based policy attached.'\n else title || ' does not have resource based policy attached.'\n end as reason\n \n \nfrom\n aws_eventbridge_bus;"
 PrimaryTable: aws_eventbridge_bus
 ListOfTables:
- - aws_eventbridge_bus
+ - aws_eventbridge_bus
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_fsx_1.yaml b/compliance/controls/aws/aws_foundational_security_fsx_1.yaml
index 3d3849beb..5663ca8a4 100755
--- a/compliance/controls/aws/aws_foundational_security_fsx_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_fsx_1.yaml
@@ -1,34 +1,14 @@
 ID: aws_foundational_security_fsx_1
 Title: "1 FSx for OpenZFS file systems should be configured to copy tags to backups and volumes"
 Description: "This control checks if an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes. The control fails if the OpenZFS file system isn't configured to copy tags to backups and volumes."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when file_system_type <> 'OPENZFS' then 'skip'
- when (open_zfs_configuration ->> 'CopyTagsToBackups')::bool and (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool then 'ok'
- else 'alarm'
- end as status,
- case
- when file_system_type <> 'OPENZFS' then title || ' is of ' || file_system_type || ' type file system.'
- when (open_zfs_configuration ->> 'CopyTagsToBackups')::bool and (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool then title || ' copy tags to backup and volume enabled.'
- when (open_zfs_configuration ->> 'CopyTagsToBackups')::bool then title || ' copy tags to backup enabled but disabled for volume.'
- when (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool then title || ' copy tags to volume enabled but disabled for backup.'
- else title || ' copy tags to backup and volume disabled.'
- end as reason
-
-
- from
- aws_fsx_file_system;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when file_system_type <> 'OPENZFS' then 'skip'\n when (open_zfs_configuration ->> 'CopyTagsToBackups')::bool and (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool then 'ok'\n else 'alarm'\n end as status,\n case\n when file_system_type <> 'OPENZFS' then title || ' is of ' || file_system_type || ' type file system.'\n when (open_zfs_configuration ->> 'CopyTagsToBackups')::bool and (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool then title || ' copy tags to backup and volume enabled.'\n when (open_zfs_configuration ->> 'CopyTagsToBackups')::bool then title || ' copy tags to backup enabled but disabled for volume.'\n when (open_zfs_configuration ->> 'CopyTagsToVolumes')::bool then title || ' copy tags to volume enabled but disabled for backup.'\n else title || ' copy tags to backup and volume disabled.'\n end as reason\n \n \nfrom\n aws_fsx_file_system;"
 PrimaryTable: aws_fsx_file_system
 ListOfTables:
- - aws_fsx_file_system
+ - aws_fsx_file_system
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_iam_1.yaml b/compliance/controls/aws/aws_foundational_security_iam_1.yaml
index e16f2ddfb..2cdebabbe 100755
--- a/compliance/controls/aws/aws_foundational_security_iam_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_1.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_iam_1
 Title: "1 IAM policies should not allow full '*' administrative privileges"
 Description: "This control checks whether the default version of IAM policies (also known as customer managed policies) has administrator access that includes a statement with 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'. The control only checks the customer managed policies that you create. It does not check inline and AWS managed policies."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -43,7 +41,9 @@ Query:
 not p.is_aws_managed;
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
+ - aws_iam_policy
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_iam_2.yaml b/compliance/controls/aws/aws_foundational_security_iam_2.yaml
index cd167a5aa..9cb6c776a 100755
--- a/compliance/controls/aws/aws_foundational_security_iam_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_iam_2
 Title: "2 IAM users should not have IAM policies attached"
 Description: "This control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -20,7 +18,9 @@ Query:
 aws_iam_user;
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_iam_21.yaml b/compliance/controls/aws/aws_foundational_security_iam_21.yaml
index 14fb5c89c..6d204d874 100755
--- a/compliance/controls/aws/aws_foundational_security_iam_21.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_21.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_iam_21
 Title: "21 IAM customer managed policies that you create should not allow wildcard actions for services"
 Description: "This control checks whether the IAM identity-based policies that you create have Allow statements that use the * wildcard to grant permissions for all actions on any service. The control fails if any policy statement includes 'Effect': 'Allow' with 'Action': 'Service:*'."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -43,7 +41,9 @@ Query:
 not p.is_aws_managed;
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
+ - aws_iam_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_iam_3.yaml b/compliance/controls/aws/aws_foundational_security_iam_3.yaml
index 5a0276dde..f1bdf1cc5 100755
--- a/compliance/controls/aws/aws_foundational_security_iam_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_3.yaml
@@ -1,28 +1,14 @@
 ID: aws_foundational_security_iam_3
 Title: "3 IAM users' access keys should be rotated every 90 days or less"
 Description: "This control checks whether the active access keys are rotated within 90 days."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when create_date <= (current_date - interval '90' day) then 'alarm'
- else 'ok'
- end status,
- user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||
- ' (' || extract(day from current_timestamp - create_date) || ' days).'
- as reason
-
- from
- aws_iam_access_key;
+ QueryToExecute: "select\n 'arn:' || partition || ':iam::' || account_id || ':user/' || user_name || '/accesskey/' || access_key_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when create_date <= (current_date - interval '90' day) then 'alarm'\n else 'ok'\n end status,\n user_name || ' ' || access_key_id || ' created ' || to_char(create_date , 'DD-Mon-YYYY') ||\n ' (' || extract(day from current_timestamp - create_date) || ' days).'\n as reason\n \nfrom\n aws_iam_access_key;"
 PrimaryTable: aws_iam_access_key
 ListOfTables:
- - aws_iam_access_key
+ - aws_iam_access_key
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_iam_4.yaml b/compliance/controls/aws/aws_foundational_security_iam_4.yaml
index 6f74a09ae..dfb45921a 100755
--- a/compliance/controls/aws/aws_foundational_security_iam_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_4.yaml
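Review bot: The new `QueryToExecute` string alarms on every `aws_iam_access_key` row whose `create_date` is older than 90 days with no filter on the key's state, while the `Title` and `Description` scope the control to *active* keys; a key that was deactivated but never deleted is therefore reported as a rotation failure. If the table exposes the key state (the upstream Steampipe table has a `status` column, to be confirmed for this engine), add `where status = 'Active'` before the final `;`, or fold it into the `case` as a `skip` branch with a matching reason so inactive keys are visibly excluded rather than silently dropped.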
@@ -1,29 +1,14 @@
 ID: aws_foundational_security_iam_4
 Title: "4 IAM root user access key should not exist"
 Description: "This control checks whether the root user access key is present. The root account is the most privileged user in an AWS account. AWS access keys provide programmatic access to a given account."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- 'arn:' || partition || ':::' || account_id as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when account_access_keys_present > 0 then 'alarm'
- else 'ok'
- end status,
- case
- when account_access_keys_present > 0 then 'Root user access keys exist.'
- else 'No root user access keys exist.'
- end reason
-
- from
- aws_iam_account_summary;
+ QueryToExecute: "select\n 'arn:' || partition || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_access_keys_present > 0 then 'alarm'\n else 'ok'\n end status,\n case\n when account_access_keys_present > 0 then 'Root user access keys exist.'\n else 'No root user access keys exist.'\n end reason\n \nfrom\n aws_iam_account_summary;"
 PrimaryTable: aws_iam_account_summary
 ListOfTables:
- - aws_iam_account_summary
+ - aws_iam_account_summary
 Parameters: []
 Severity: critical
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_iam_5.yaml b/compliance/controls/aws/aws_foundational_security_iam_5.yaml
index 35e258eae..baf6b47d7 100755
--- a/compliance/controls/aws/aws_foundational_security_iam_5.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_5.yaml
@@ -1,30 +1,14 @@
 ID: aws_foundational_security_iam_5
 Title: "5 MFA should be enabled for all IAM users that have a console password"
 Description: "This control checks whether AWS multi-factor authentication (MFA) is enabled for all IAM users that use a console password."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- user_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when password_enabled and not mfa_active then 'alarm'
- else 'ok'
- end as status,
- case
- when not password_enabled then user_name || ' password login disabled.'
- when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.'
- else user_name || ' password login enabled and MFA device configured.'
- end as reason
-
- from
- aws_iam_credential_report;
+ QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when password_enabled and not mfa_active then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then user_name || ' password login disabled.'\n when password_enabled and not mfa_active then user_name || ' password login enabled but no MFA device configured.'\n else user_name || ' password login enabled and MFA device configured.'\n end as reason\n \nfrom\n aws_iam_credential_report;"
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_iam_8.yaml b/compliance/controls/aws/aws_foundational_security_iam_8.yaml
index 7fbea0dff..8c5a606d5 100755
--- a/compliance/controls/aws/aws_foundational_security_iam_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_iam_8.yaml
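Review bot: In the new `QueryToExecute` string a null `password_enabled` or `mfa_active` makes `password_enabled and not mfa_active` null, so the status `case` falls through to `ok` and the reason `case` reports `password login enabled and MFA device configured` for a row whose state is actually unknown; the credential report's root-account row is a plausible source of such nulls, to be confirmed for this collector. Coalesce the flags in both `case` expressions, `when coalesce(password_enabled, false) and not coalesce(mfa_active, false) then 'alarm'`, or add a leading `when password_enabled is null then 'skip'` branch with its own reason so unknown state is never surfaced as compliant.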
@@ -1,8 +1,6 @@ ID: aws_foundational_security_iam_8 Title: "8 Unused IAM user credentials should be removed" Description: "This control checks whether your IAM users have passwords or active access keys that have not been used for 90 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -57,7 +55,9 @@ Query: aws_iam_credential_report; PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_kinesis_1.yaml b/compliance/controls/aws/aws_foundational_security_kinesis_1.yaml index d376363d5..38699a6e4 100755 --- a/compliance/controls/aws/aws_foundational_security_kinesis_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_kinesis_1.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_kinesis_1 Title: "1 Kinesis Data Streams should be encrypted at rest" Description: "This control checks if Kinesis Data Streams are encrypted at rest with server-side encryption. This control fails if a Kinesis stream is not encrypted at rest with server-side encryption." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_kinesis_stream; PrimaryTable: aws_kinesis_stream ListOfTables: - - aws_kinesis_stream + - aws_kinesis_stream Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_kms_1.yaml b/compliance/controls/aws/aws_foundational_security_kms_1.yaml index 7692ae483..0d3f90354 100755 --- a/compliance/controls/aws/aws_foundational_security_kms_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_kms_1.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_kms_1 Title: "1 IAM customer managed policies should not allow decryption actions on all KMS keys" Description: "Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,7 +35,9 @@ Query: not is_aws_managed; PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_kms_3.yaml b/compliance/controls/aws/aws_foundational_security_kms_3.yaml index c1c75786b..6b84173bf 100755 --- a/compliance/controls/aws/aws_foundational_security_kms_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_kms_3.yaml 
@@ -1,32 +1,14 @@ ID: aws_foundational_security_kms_3 Title: "3 AWS KMS keys should not be unintentionally deleted" Description: "This control checks whether AWS KMS customer managed keys (CMK) are scheduled for deletion. The control fails if a CMK is scheduled for deletion. CMKs cannot be recovered once deleted. Data encrypted under a KMS CMK is also permanently unrecoverable if the CMK is deleted. If meaningful data has been encrypted under a CMK scheduled for deletion,consider decrypting the data or re-encrypting the data under a new CMK unless you are intentionally performing a cryptographic erasure." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when key_state = 'PendingDeletion' then 'alarm' - else 'ok' - end as status, - case - when key_state = 'PendingDeletion' then title || ' scheduled for deletion and will be deleted in ' || extract(day from deletion_date - current_timestamp) || ' day(s).' - else title || ' not scheduled for deletion.' - end as reason - - - from - aws_kms_key - where - key_manager = 'CUSTOMER'; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when key_state = 'PendingDeletion' then 'alarm'\n else 'ok'\n end as status,\n case\n when key_state = 'PendingDeletion' then title || ' scheduled for deletion and will be deleted in ' || extract(day from deletion_date - current_timestamp) || ' day(s).'\n else title || ' not scheduled for deletion.'\n end as reason\n \n \nfrom\n aws_kms_key\nwhere\n key_manager = 'CUSTOMER';" PrimaryTable: aws_kms_key ListOfTables: - - aws_kms_key + - aws_kms_key Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_lambda_1.yaml b/compliance/controls/aws/aws_foundational_security_lambda_1.yaml index c5ae8c8cc..df55df383 100755 
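Review bot: The `key_state = 'PendingDeletion'` test used in both the status and reason columns misses multi-Region replica keys, which AWS KMS reports with key state `PendingReplicaDeletion` while they are scheduled for deletion, so those keys currently evaluate to `ok` on a control whose severity is critical. Changing both predicates to `key_state in ('PendingDeletion', 'PendingReplicaDeletion')` closes the gap; the `deletion_date` arithmetic in the reason should still apply since a deletion date is set in both states, but confirm against the KMS `KeyState` enum of the SDK version the collector uses.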
--- a/compliance/controls/aws/aws_foundational_security_lambda_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_lambda_1.yaml 
@@ -1,48 +1,14 @@ ID: aws_foundational_security_lambda_1 Title: "1 Lambda function policies should prohibit public access" Description: "This control checks whether the Lambda function resource-based policy prohibits public access outside of your account. The Lambda function should not be publicly accessible, as this may allow unintended access to your code stored in the function." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with wildcard_action_policies as ( - select - arn, - count(*) as statements_num - from - aws_lambda_function, - jsonb_array_elements(policy_std -> 'Statement') as s - where - s ->> 'Effect' = 'Allow' - and ( - ( s -> 'Principal' -> 'AWS') = '["*"]' - or s ->> 'Principal' = '*' - ) - group by - arn - ) - select - f.arn as resource, - f.og_account_id as og_account_id, - f.og_resource_id as og_resource_id, - case - when p.arn is null then 'ok' - else 'alarm' - end as status, - case - when p.arn is null then title || ' does not allow public access.' - else title || ' contains ' || coalesce(p.statements_num,0) || - ' statements that allows public access.' 
- end as reason - - - from - aws_lambda_function as f - left join wildcard_action_policies as p on p.arn = f.arn; + QueryToExecute: "with wildcard_action_policies as (\n select\n arn,\n count(*) as statements_num\n from\n aws_lambda_function,\n jsonb_array_elements(policy_std -> 'Statement') as s\n where\n s ->> 'Effect' = 'Allow'\n and (\n ( s -> 'Principal' -> 'AWS') = '[\"*\"]'\n or s ->> 'Principal' = '*'\n )\n group by\n arn\n)\nselect\n f.arn as resource,\n f.og_account_id as og_account_id,\n f.og_resource_id as og_resource_id,\n case\n when p.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when p.arn is null then title || ' does not allow public access.'\n else title || ' contains ' || coalesce(p.statements_num,0) ||\n ' statements that allows public access.'\n end as reason\n \n \nfrom\n aws_lambda_function as f\n left join wildcard_action_policies as p on p.arn = f.arn;" PrimaryTable: aws_lambda_function ListOfTables: - - aws_lambda_function + - aws_lambda_function Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_lambda_2.yaml b/compliance/controls/aws/aws_foundational_security_lambda_2.yaml index ae4861c9a..f0f3317b5 100755 --- a/compliance/controls/aws/aws_foundational_security_lambda_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_lambda_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_lambda_2 Title: "2 Lambda functions should use supported runtimes" Description: "This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs20.x, nodejs18.x, nodejs16.x, python3.12, python3.11, python3.10, python3.9, python3.8, ruby3.3, ruby3.2, java21, java17, java11, java8.al2, dotnet8, dotnet6" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
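Review bot: The public-access test in `wildcard_action_policies` only matches `( s -> 'Principal' -> 'AWS') = '["*"]'`, i.e. a principal array whose sole element is the wildcard, so a statement with `"AWS": ["*", "arn:aws:iam::<account>:root"]` is reported as not public; the jsonb containment form `(s -> 'Principal' -> 'AWS') ? '*'` matches the wildcard anywhere in the array. The CTE also never looks at `Condition`, so a `*` principal narrowed by `aws:SourceAccount` or `aws:PrincipalOrgID` is flagged exactly like a truly open one, while a Function URL statement conditioned on `lambda:FunctionUrlAuthType = NONE` is (correctly) flagged; at minimum the reason text should say that conditions were not evaluated. The reason literal `' statements that allows public access.'` should also read `' statement(s) that allow public access.'`.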
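Review bot: The Description's hard-coded runtime list (`nodejs16.x`, `python3.8`, `dotnet6`, `ruby3.2` among others) includes runtimes that, per the AWS Lambda runtime deprecation schedule, appear to have reached end of support after this list was written, so the text — and presumably the matching `in (...)` list in the query body, which is outside this hunk — would keep marking deprecated runtimes as compliant until someone edits the control. Consider moving the accepted-runtime list into `Parameters` so it can be refreshed without touching the query, and add to the Description the date the list was last verified; confirm current deprecation dates before changing the list.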
@@ -26,7 +24,9 @@ Query: aws_lambda_function; PrimaryTable: aws_lambda_function ListOfTables: - - aws_lambda_function + - aws_lambda_function Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_msk_1.yaml b/compliance/controls/aws/aws_foundational_security_msk_1.yaml index 4c5c1c811..7ad382a22 100755 --- a/compliance/controls/aws/aws_foundational_security_msk_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_msk_1.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_msk_1 Title: "1 MSK clusters should be encrypted in transit among broker nodes" Description: "This controls checks if an Amazon MSK cluster is encrypted in transit with HTTPS (TLS) among the broker nodes of the cluster. The control fails if plain text communication is enabled for a cluster broker node connection." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' then 'ok' - else 'alarm' - end as status, - case - when provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' then title || ' encryption in transit enabled with TLS.' - else title || ' encryption in transit enabled with plaintext.' - end as reason - - - from - aws_msk_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' then 'ok'\n else 'alarm'\n end as status,\n case\n when provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' then title || ' encryption in transit enabled with TLS.'\n else title || ' encryption in transit enabled with plaintext.'\n end as reason\n \n \nfrom\n aws_msk_cluster;" PrimaryTable: aws_msk_cluster ListOfTables: - - aws_msk_cluster + - aws_msk_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_neptune_1.yaml b/compliance/controls/aws/aws_foundational_security_neptune_1.yaml index 8c9bb32b9..f5834a75c 100755 --- a/compliance/controls/aws/aws_foundational_security_neptune_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_1.yaml 
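Review bot: The query evaluates `EncryptionInTransit ->> 'ClientBroker' = 'TLS'`, which is the client-to-broker setting, while the Title and Description describe encryption among broker nodes — that is the `InCluster` boolean in the same `EncryptionInTransit` object (the corresponding Config rule is `msk-in-cluster-node-require-tls`). As written, a cluster with `InCluster: false` and `ClientBroker: TLS` passes, while `ClientBroker: TLS_PLAINTEXT` with `InCluster: true` is alarmed with the misleading reason `encryption in transit enabled with plaintext`. Either switch both predicates to `(provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'InCluster')::bool`, or retitle the control to describe client-broker encryption; note also that serverless clusters, where `provisioned` is presumably null, fall into the alarm branch — confirm that is intended.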
@@ -1,30 +1,14 @@ ID: aws_foundational_security_neptune_1 Title: "1 Neptune DB clusters should be encrypted at rest" Description: "This control checks whether a Neptune DB cluster is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_neptune_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_neptune_db_cluster;" PrimaryTable: aws_neptune_db_cluster ListOfTables: - - aws_neptune_db_cluster + - aws_neptune_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_neptune_2.yaml b/compliance/controls/aws/aws_foundational_security_neptune_2.yaml index 4a204500c..2d3dda233 100755 --- a/compliance/controls/aws/aws_foundational_security_neptune_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_neptune_2 Title: "2 Neptune DB clusters should publish audit logs to CloudWatch Logs" Description: "This control checks whether a Neptune DB cluster publishes audit logs to Amazon CloudWatch Logs. The control fails if a Neptune DB cluster doesn't publish audit logs to CloudWatch Logs. EnableCloudWatchLogsExport should be set to Audit." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -23,7 +21,9 @@ Query: aws_neptune_db_cluster; PrimaryTable: aws_neptune_db_cluster ListOfTables: - - aws_neptune_db_cluster + - aws_neptune_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_neptune_3.yaml b/compliance/controls/aws/aws_foundational_security_neptune_3.yaml index 42e544e5d..7278ce430 100755 --- a/compliance/controls/aws/aws_foundational_security_neptune_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_3.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_neptune_3 Title: "3 Neptune DB cluster snapshots should not be public" Description: "This control checks whether a Neptune manual DB cluster snapshot is public. The control fails if a Neptune manual DB cluster snapshot is public." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - db_cluster_snapshot_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when cluster_snapshot -> 'AttributeValues' = '["all"]' then 'alarm' - else 'ok' - end status, - case - when cluster_snapshot -> 'AttributeValues' = '["all"]' then title || ' publicly accessible.' - else title || ' not publicly accessible.' - end reason - - from - aws_neptune_db_cluster_snapshot, - jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot; + QueryToExecute: "select\n db_cluster_snapshot_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end reason\n \nfrom\n aws_neptune_db_cluster_snapshot,\n jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot;" PrimaryTable: aws_neptune_db_cluster_snapshot ListOfTables: - - aws_neptune_db_cluster_snapshot + - aws_neptune_db_cluster_snapshot Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_neptune_4.yaml b/compliance/controls/aws/aws_foundational_security_neptune_4.yaml index d39f551de..6d67b1801 100755 --- a/compliance/controls/aws/aws_foundational_security_neptune_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_4.yaml 
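Review bot: The cross join with `jsonb_array_elements(db_cluster_snapshot_attributes)` emits one row per attribute entry, so a snapshot carrying several attributes is reported several times with possibly conflicting statuses, and a snapshot whose attribute array is empty produces no row at all and silently drops out of the evaluation. The equality `cluster_snapshot -> 'AttributeValues' = '["all"]'` is also too narrow: a snapshot shared publicly and with specific accounts carries `["all", "<account>"]` and is reported as not public. Folding the check into an `exists` subquery restricted to the `restore` attribute and using jsonb containment (`? 'all'`) yields exactly one row per snapshot and catches the mixed case; the reason column should use the same predicate.
```yaml
  QueryToExecute: |-
    select
      db_cluster_snapshot_arn as resource,
      og_account_id as og_account_id,
      og_resource_id as og_resource_id,
      case
        when exists (
          select 1
          from jsonb_array_elements(db_cluster_snapshot_attributes) as a
          where a ->> 'AttributeName' = 'restore'
            and a -> 'AttributeValues' ? 'all'
        ) then 'alarm'
        else 'ok'
      end status,
      -- … unchanged: reason column, switched to the same exists() predicate …
    from
      aws_neptune_db_cluster_snapshot;
```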
@@ -1,8 +1,6 @@ ID: aws_foundational_security_neptune_4 Title: "4 Neptune DB clusters should have deletion protection enabled" Description: "This control checks if a Neptune DB cluster has deletion protection enabled. The control fails if a Neptune DB cluster doesn't have deletion protection enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_neptune_db_cluster; PrimaryTable: aws_neptune_db_cluster ListOfTables: - - aws_neptune_db_cluster + - aws_neptune_db_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_neptune_5.yaml b/compliance/controls/aws/aws_foundational_security_neptune_5.yaml index 80d013b92..ada63c35d 100755 --- a/compliance/controls/aws/aws_foundational_security_neptune_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_5.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_neptune_5 Title: "5 Neptune DB clusters should have automated backups enabled" Description: "This control checks whether a Neptune DB cluster has automated backups enabled, and a backup retention period greater than or equal to 7 days. The control fails if backups aren't enabled for the Neptune DB cluster, or if the retention period is less than 7 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_neptune_db_cluster; PrimaryTable: aws_neptune_db_cluster ListOfTables: - - aws_neptune_db_cluster + - aws_neptune_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_neptune_6.yaml b/compliance/controls/aws/aws_foundational_security_neptune_6.yaml index f1e8e02a4..62b6f1d76 100755 --- a/compliance/controls/aws/aws_foundational_security_neptune_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_6.yaml 
@@ -1,29 +1,14 @@ ID: aws_foundational_security_neptune_6 Title: "6 Neptune DB cluster snapshots should be encrypted at rest" Description: "This control checks whether a Neptune DB cluster snapshot is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - db_cluster_snapshot_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - from - aws_neptune_db_cluster_snapshot; + QueryToExecute: "select\n db_cluster_snapshot_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \nfrom\n aws_neptune_db_cluster_snapshot;" PrimaryTable: aws_neptune_db_cluster_snapshot ListOfTables: - - aws_neptune_db_cluster_snapshot + - aws_neptune_db_cluster_snapshot Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_neptune_7.yaml b/compliance/controls/aws/aws_foundational_security_neptune_7.yaml index e212ba026..f29eccb39 100755 --- a/compliance/controls/aws/aws_foundational_security_neptune_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_7.yaml 
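Review bot: The Description ends with `The control fails if a Neptune DB cluster isn't encrypted at rest.` but the query evaluates `aws_neptune_db_cluster_snapshot` and reports `db_cluster_snapshot_arn` as the resource, so the failure clause should read `The control fails if a Neptune DB cluster snapshot isn't encrypted at rest.` to match the Title. Minor, but this is the text a compliance report surfaces next to the finding, and it currently points the reader at the wrong resource type.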
@@ -1,30 +1,14 @@ ID: aws_foundational_security_neptune_7 Title: "7 Neptune DB clusters should have IAM database authentication enabled" Description: "This control checks if a Neptune DB cluster has IAM database authentication enabled. The control fails if IAM database authentication isn't enabled for a Neptune DB cluster." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when iam_database_authentication_enabled then 'ok' - else 'alarm' - end as status, - case - when iam_database_authentication_enabled then title || ' IAM authentication enabled.' - else title || ' IAM authentication disabled.' - end as reason - - - from - aws_neptune_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when iam_database_authentication_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when iam_database_authentication_enabled then title || ' IAM authentication enabled.'\n else title || ' IAM authentication disabled.'\n end as reason\n \n \nfrom\n aws_neptune_db_cluster;" PrimaryTable: aws_neptune_db_cluster ListOfTables: - - aws_neptune_db_cluster + - aws_neptune_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_neptune_8.yaml b/compliance/controls/aws/aws_foundational_security_neptune_8.yaml index e9f48eaa0..463c37983 100755 --- a/compliance/controls/aws/aws_foundational_security_neptune_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_neptune_8.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_neptune_8 Title: "8 Neptune DB clusters should be configured to copy tags to snapshots" Description: "This control checks if a Neptune DB cluster is configured to copy all tags to snapshots when the snapshots are created. The control fails if a Neptune DB cluster isn't configured to copy tags to snapshots." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when copy_tags_to_snapshot then 'ok' - else 'alarm' - end as status, - case - when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.' - else title || ' copy tags to snapshot disabled.' - end as reason - - - from - aws_neptune_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when copy_tags_to_snapshot then 'ok'\n else 'alarm'\n end as status,\n case\n when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.'\n else title || ' copy tags to snapshot disabled.'\n end as reason\n \n \nfrom\n aws_neptune_db_cluster;" PrimaryTable: aws_neptune_db_cluster ListOfTables: - - aws_neptune_db_cluster + - aws_neptune_db_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_2.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_2.yaml index ae3016b6a..d8ce2cee0 100755 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_2.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_networkfirewall_2 Title: "2 Network Firewall logging should be enabled" Description: "This control checks whether logging is enabled for an AWS Network Firewall firewall. The control fails if logging isn't enabled for at least one log type or if the logging destination doesn't exist." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(logging_configuration) > 0 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(logging_configuration) > 0 then title || ' logging enabled.' - else title || ' logging disabled.' - end reason - - - from - aws_networkfirewall_firewall; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(logging_configuration) > 0 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(logging_configuration) > 0 then title || ' logging enabled.'\n else title || ' logging disabled.'\n end reason\n \n \nfrom\n aws_networkfirewall_firewall;" PrimaryTable: aws_networkfirewall_firewall ListOfTables: - - aws_networkfirewall_firewall + - aws_networkfirewall_firewall Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_3.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_3.yaml index 35c27d67c..0c9ecc8d5 100755 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_3.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_networkfirewall_3 Title: "3 Network Firewall policies should have at least one rule group associated" Description: "This control checks whether a Network Firewall policy has any stateful or stateless rule groups associated. The control fails if stateless or stateful rule groups are not assigned." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_networkfirewall_firewall_policy; PrimaryTable: aws_networkfirewall_firewall_policy ListOfTables: - - aws_networkfirewall_firewall_policy + - aws_networkfirewall_firewall_policy Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_4.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_4.yaml index 58b4f3f64..9a55e90dd 100755 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_4.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_networkfirewall_4 Title: "4 The default stateless action for Network Firewall policies should be drop or forward for full packets" Description: "A firewall policy defines how your firewall monitors and handles traffic in Amazon VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to Pass can allow unintended traffic." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,7 +22,9 @@ Query: aws_networkfirewall_firewall_policy; PrimaryTable: aws_networkfirewall_firewall_policy ListOfTables: - - aws_networkfirewall_firewall_policy + - aws_networkfirewall_firewall_policy Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_5.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_5.yaml index 8b65756f6..ba52fbe02 100755 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_5.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_networkfirewall_5 Title: "5 The default stateless action for Network Firewall policies should be drop or forward for fragmented packets" Description: "This control checks whether the default stateless action for fragmented packets for a Network Firewall policy is drop or forward. The control passes if Drop or Forward is selected, and fails if Pass is selected." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_networkfirewall_firewall_policy; PrimaryTable: aws_networkfirewall_firewall_policy ListOfTables: - - aws_networkfirewall_firewall_policy + - aws_networkfirewall_firewall_policy Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_6.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_6.yaml index f441b2551..071d35ed3 100755 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_6.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_networkfirewall_6 Title: "6 Stateless network firewall rule group should not be empty" Description: "A rule group contains rules that define how your firewall processes traffic in your VPC. An empty stateless rule group when present in a firewall policy might give the impression that the rule group will process traffic. However, when the stateless rule group is empty, it does not process traffic." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -23,7 +21,9 @@ Query: aws_networkfirewall_rule_group; PrimaryTable: aws_networkfirewall_rule_group ListOfTables: - - aws_networkfirewall_rule_group + - aws_networkfirewall_rule_group Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_networkfirewall_9.yaml b/compliance/controls/aws/aws_foundational_security_networkfirewall_9.yaml index f73d08f78..d9c9c34cc 100755 --- a/compliance/controls/aws/aws_foundational_security_networkfirewall_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_networkfirewall_9.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_networkfirewall_9 Title: "9 Network Firewall firewalls should have deletion protection enabled" Description: "This control checks whether an AWS Network Firewall firewall has deletion protection enabled. The control fails if deletion protection isn't enabled for a firewall." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_networkfirewall_firewall; PrimaryTable: aws_networkfirewall_firewall ListOfTables: - - aws_networkfirewall_firewall + - aws_networkfirewall_firewall Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_1.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_1.yaml index 3ec2b7837..7da541144 100755 --- a/compliance/controls/aws/aws_foundational_security_opensearch_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_1.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_opensearch_1 Title: "1 OpenSearch domains should have encryption at rest enabled" Description: "This control checks whether OpenSearch domains have encryption-at-rest configuration enabled. The check fails if encryption at rest is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_opensearch_domain; PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_10.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_10.yaml index 02fbc341c..ca3a2e5b8 100755 --- a/compliance/controls/aws/aws_foundational_security_opensearch_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_10.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_opensearch_10 Title: "10 OpenSearch domains should have the latest software update installed" Description: "This control checks whether an Amazon OpenSearch Service domain has the latest software update installed. The control fails if a software update is available but not installed for the domain." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when service_software_options ->> 'UpdateAvailable' = 'false' then 'ok' - else 'alarm' - end status, - case - when service_software_options ->> 'UpdateAvailable' = 'false' then title || ' updated with latest service software version.' - else title || ' not updated with latest service software version.' - end reason - - - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when service_software_options ->> 'UpdateAvailable' = 'false' then 'ok'\n else 'alarm'\n end status,\n case\n when service_software_options ->> 'UpdateAvailable' = 'false' then title || ' updated with latest service software version.'\n else title || ' not updated with latest service software version.'\n end reason\n \n \nfrom\n aws_opensearch_domain;" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_2.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_2.yaml index 4966a2226..cc7cdc728 100755 --- a/compliance/controls/aws/aws_foundational_security_opensearch_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_2.yaml 
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_opensearch_2
 Title: "2 OpenSearch domains should not be publicly accessible"
 Description: "This control checks whether OpenSearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -44,8 +42,10 @@ Query:
 left join opensearch_domain_with_public_subnet as p on d.arn = p.arn;
 PrimaryTable: aws_opensearch_domain
 ListOfTables:
- - aws_vpc_route_table
- - aws_opensearch_domain
+ - aws_vpc_route_table
+ - aws_opensearch_domain
 Parameters: []
 Severity: critical
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_3.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_3.yaml
index f9e0a27ef..9f14afd93 100755
--- a/compliance/controls/aws/aws_foundational_security_opensearch_3.yaml
+++ b/compliance/controls/aws/aws_foundational_security_opensearch_3.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_opensearch_3
 Title: "3 OpenSearch domains should encrypt data sent between nodes"
 Description: "This control checks whether OpenSearch domains have node-to-node encryption enabled. This control fails if node-to-node encryption is disabled on the domain."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 aws_opensearch_domain;
 PrimaryTable: aws_opensearch_domain
 ListOfTables:
- - aws_opensearch_domain
+ - aws_opensearch_domain
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_4.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_4.yaml
index e0786835e..d03f4351f 100755
--- a/compliance/controls/aws/aws_foundational_security_opensearch_4.yaml
+++ b/compliance/controls/aws/aws_foundational_security_opensearch_4.yaml
@@ -1,71 +1,14 @@ ID: aws_foundational_security_opensearch_4 Title: "4 OpenSearch domain error logging to CloudWatch Logs should be enabled" Description: "This control checks whether OpenSearch domains are configured to send error logs to CloudWatch Logs. This control fails if error logging to CloudWatch is not enabled for a domain." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_publishing_options is null then 'alarm' - when - ( log_publishing_options -> 'AUDIT_LOGS' is null - or log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'INDEX_SLOW_LOGS' is null - or log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'SEARCH_SLOW_LOGS' is null - or log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'ES_APPLICATION_LOGS' is null - or log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - then 'ok' - else 'alarm' - end as status, - case - when log_publishing_options is null then title || ' logging not enabled.' 
- when - ( log_publishing_options -> 'AUDIT_LOGS' is null - or log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'INDEX_SLOW_LOGS' is null - or log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'SEARCH_SLOW_LOGS' is null - or log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'ES_APPLICATION_LOGS' is null - or log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) then title || ' send logs to AWS CloudWatch.' - else title || ' does not send logs to AWS CloudWatch.' 
- end as reason - - - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_publishing_options is null then 'alarm'\n when\n ( log_publishing_options -> 'AUDIT_LOGS' is null\n or log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'INDEX_SLOW_LOGS' is null\n or log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'SEARCH_SLOW_LOGS' is null\n or log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'ES_APPLICATION_LOGS' is null\n or log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n then 'ok'\n else 'alarm'\n end as status,\n case\n when log_publishing_options is null then title || ' logging not enabled.'\n when\n ( log_publishing_options -> 'AUDIT_LOGS' is null\n or log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'INDEX_SLOW_LOGS' is null\n or log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false'\n or 
(log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'SEARCH_SLOW_LOGS' is null\n or log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'ES_APPLICATION_LOGS' is null\n or log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n ) then title || ' send logs to AWS CloudWatch.'\n else title || ' does not send logs to AWS CloudWatch.'\n end as reason\n \n \nfrom\n aws_opensearch_domain;" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_5.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_5.yaml index 758f208f9..96fe0dd5e 100755 --- a/compliance/controls/aws/aws_foundational_security_opensearch_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_5.yaml 
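Review bot: The `'ok'` branch of the status `case` is satisfied whenever every log type is either absent or has `Enabled = false`, so a domain whose `log_publishing_options` is `{}` or has all four types disabled is reported `ok` with the reason `send logs to AWS CloudWatch`; the only way to reach `alarm` is a type that is enabled without a log group ARN. For a control titled "error logging to CloudWatch Logs should be enabled" the pass condition should require the error log type to be on and routed, e.g. `when log_publishing_options -> 'ES_APPLICATION_LOGS' ->> 'Enabled' = 'true' and log_publishing_options -> 'ES_APPLICATION_LOGS' ->> 'CloudWatchLogsLogGroupArn' is not null then 'ok'` in both `case` expressions, with the other three types dropped or checked in their own controls. The same compound condition appears twice (status and reason) and the two copies must stay in sync; the old side carried the identical logic, so this is pre-existing, but the value is being replaced wholesale here.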
@@ -1,30 +1,14 @@ ID: aws_foundational_security_opensearch_5 Title: "5 OpenSearch domains should have audit logging enabled" Description: "This control checks whether OpenSearch domains have audit logging enabled. This control fails if an OpenSearch domain does not have audit logging enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' then 'ok' - else 'ok' - end as status, - case - when log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' then title || ' audit logging enabled.' - else title || ' audit logging disabled.' - end as reason - - - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' then 'ok'\n else 'ok'\n end as status,\n case\n when log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' then title || ' audit logging enabled.'\n else title || ' audit logging disabled.'\n end as reason\n \n \nfrom\n aws_opensearch_domain;" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_6.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_6.yaml index e6c97866e..fb2f3f5c6 100755 --- a/compliance/controls/aws/aws_foundational_security_opensearch_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_6.yaml 
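Review bot: The status `case` in the new `QueryToExecute` returns `'ok'` on both branches (`... = 'true' then 'ok'` followed by `else 'ok'`), so a domain without audit logging is never flagged even though the reason column for the same row says `audit logging disabled`. The `else` should read `else 'alarm'`. The removed block scalar had the same text, so the defect is pre-existing, but the rewrite replaces the whole value and is the natural place to correct it.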
@@ -1,31 +1,14 @@ ID: aws_foundational_security_opensearch_6 Title: "6 OpenSearch domains should have at least three data nodes" Description: "This control checks whether OpenSearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. This control fails for an OpenSearch domain if instanceCount is less than 3 or zoneAwarenessEnabled is false." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then 'ok' - else 'alarm' - end as status, - case - when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then title || ' zone awareness is ' - || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.' - else title || ' zone awareness is ' || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.' 
- end as reason - - - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then 'ok'\n else 'alarm'\n end as status,\n case\n when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then title || ' zone awareness is '\n || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.'\n else title || ' zone awareness is ' || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.'\n end as reason\n \n \nfrom\n aws_opensearch_domain;" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_7.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_7.yaml index 92a884d46..812d21e1a 100755 --- a/compliance/controls/aws/aws_foundational_security_opensearch_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_opensearch_7.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_opensearch_7 Title: "7 OpenSearch domains should have fine-grained access control enabled" Description: "This control checks whether OpenSearch domains have fine-grained access control enabled. The control fails if the fine-grained access control is not enabled. Fine-grained access control requires advanced-security-optionsin the OpenSearch parameter update-domain-config to be enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
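Review bot: `cluster_config ->> 'InstanceCount' > '2'` compares text, not integers, because `->>` yields text; `'10' > '2'` is false lexically, so domains with 10 or more data nodes are alarmed while 3–9 pass. Cast before comparing in both `when` clauses, `(cluster_config ->> 'InstanceCount')::int >= 3`, which also states the "at least three" threshold from the Description directly. `configued` in the two reason strings is a typo for `configured`.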
@@ -22,7 +20,9 @@ Query:
 aws_opensearch_domain;
 PrimaryTable: aws_opensearch_domain
 ListOfTables:
- - aws_opensearch_domain
+ - aws_opensearch_domain
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_opensearch_8.yaml b/compliance/controls/aws/aws_foundational_security_opensearch_8.yaml
index adf84fb07..d823d4e55 100755
--- a/compliance/controls/aws/aws_foundational_security_opensearch_8.yaml
+++ b/compliance/controls/aws/aws_foundational_security_opensearch_8.yaml
@@ -1,30 +1,14 @@ ID: aws_foundational_security_opensearch_8 Title: "8 Connections to OpenSearch domains should be encrypted using TLS 1.2" Description: "This control checks whether connections to OpenSearch domains are required to use TLS 1.2. The check fails if the OpenSearch domain TLSSecurityPolicy is not Policy-Min-TLS-1-2-2019-07." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') or (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' and domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')) then 'alarm' - else 'ok' - end status, - case - when (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') or (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' and domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')) then title || ' does not use HTTPS.' - else title || ' uses HTTPS.' - end as reason - - - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') or (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' and domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')) then 'alarm'\n else 'ok'\n end status,\n case\n when (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') or (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' and domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')) then title || ' does not use HTTPS.'\n else title || ' uses HTTPS.'\n end as reason\n \n \nfrom\n aws_opensearch_domain;" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud 
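Review bot: `domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')` compares the policy name against the literal placeholder `tlsPolicies`, so every domain that enforces HTTPS is alarmed regardless of its actual policy, while a domain whose `EnforceHTTPS` key is absent makes both `when` conditions null and falls through to `'ok'`. The Description names the policy the control is meant to require, so the check should compare against it and treat null as failing, e.g. `when domain_endpoint_options ->> 'EnforceHTTPS' is distinct from 'true' or domain_endpoint_options ->> 'TLSSecurityPolicy' is distinct from 'Policy-Min-TLS-1-2-2019-07' then 'alarm'` in both `case` expressions (any newer minimum-TLS-1.2 policy the project accepts would be added to that list). The reason text `does not use HTTPS` is also wrong for the policy-mismatch case; something like `does not enforce HTTPS with TLS 1.2 policy.` describes both failures. The old side had the identical placeholder, so this is pre-existing, but the value is replaced wholesale here.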
diff --git a/compliance/controls/aws/aws_foundational_security_pca_1.yaml b/compliance/controls/aws/aws_foundational_security_pca_1.yaml
index 886cb6454..55c3f0c5d 100755
--- a/compliance/controls/aws/aws_foundational_security_pca_1.yaml
+++ b/compliance/controls/aws/aws_foundational_security_pca_1.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_pca_1
 Title: "1 AWS Private CA root certificate authority should be disabled"
 Description: "This control checks if AWS Private CA has a root certificate authority (CA) that is disabled. The control fails if the root CA is enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 aws_acmpca_certificate_authority;
 PrimaryTable: aws_acmpca_certificate_authority
 ListOfTables:
- - aws_acmpca_certificate_authority
+ - aws_acmpca_certificate_authority
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_rds_10.yaml b/compliance/controls/aws/aws_foundational_security_rds_10.yaml
index 79258c96c..2178b6794 100755
--- a/compliance/controls/aws/aws_foundational_security_rds_10.yaml
+++ b/compliance/controls/aws/aws_foundational_security_rds_10.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_rds_10
 Title: "10 IAM authentication should be configured for RDS instances"
 Description: "This control checks whether an RDS DB instance has IAM database authentication enabled IAM database authentication allows authentication to database instances with an authentication token instead of a password. Network traffic to and from the database is encrypted using SSL."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_rds_db_instance;
 PrimaryTable: aws_rds_db_instance
 ListOfTables:
- - aws_rds_db_instance
+ - aws_rds_db_instance
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_rds_11.yaml b/compliance/controls/aws/aws_foundational_security_rds_11.yaml
index 7c83c7ff9..318b32fbf 100755
--- a/compliance/controls/aws/aws_foundational_security_rds_11.yaml
+++ b/compliance/controls/aws/aws_foundational_security_rds_11.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_rds_11
 Title: "11 RDS instances should have automatic backups enabled"
 Description: "This control checks whether Amazon Relational Database Service instances have automated backups enabled and the backup retention period is greater than or equal to seven days. The control fails if backups are not enabled, and if the retention period is less than 7 days."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_rds_db_instance;
 PrimaryTable: aws_rds_db_instance
 ListOfTables:
- - aws_rds_db_instance
+ - aws_rds_db_instance
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_rds_12.yaml b/compliance/controls/aws/aws_foundational_security_rds_12.yaml
index 63ed0e0fb..f4c5f3602 100755
--- a/compliance/controls/aws/aws_foundational_security_rds_12.yaml
+++ b/compliance/controls/aws/aws_foundational_security_rds_12.yaml
@@ -1,30 +1,14 @@ ID: aws_foundational_security_rds_12 Title: "12 IAM authentication should be configured for RDS clusters" Description: "This control checks whether an RDS DB cluster has IAM database authentication enabled. IAM database authentication allows for password-free authentication to database instances. The authentication uses an authentication token. Network traffic to and from the database is encrypted using SSL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when iam_database_authentication_enabled then 'ok' - else 'alarm' - end as status, - case - when iam_database_authentication_enabled then title || ' IAM authentication enabled.' - else title || ' IAM authentication not enabled.' - end as reason - - - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when iam_database_authentication_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when iam_database_authentication_enabled then title || ' IAM authentication enabled.'\n else title || ' IAM authentication not enabled.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster;" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_13.yaml b/compliance/controls/aws/aws_foundational_security_rds_13.yaml index 0e77b1eac..a328015f3 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_13.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_13.yaml 
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_rds_13
 Title: "13 RDS automatic minor version upgrades should be enabled"
 Description: "This control checks whether automatic minor version upgrades are enabled for the RDS database instance. Enabling automatic minor version upgrades ensures that the latest minor version updates to the relational database management system (RDBMS) are installed. These upgrades might include security patches and bug fixes. Keeping up to date with patch installation is an important step in securing systems."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_rds_db_instance;
 PrimaryTable: aws_rds_db_instance
 ListOfTables:
- - aws_rds_db_instance
+ - aws_rds_db_instance
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_rds_14.yaml b/compliance/controls/aws/aws_foundational_security_rds_14.yaml
index 7aebf3051..e9071b759 100755
--- a/compliance/controls/aws/aws_foundational_security_rds_14.yaml
+++ b/compliance/controls/aws/aws_foundational_security_rds_14.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_rds_14
 Title: "14 Amazon Aurora clusters should have backtracking enabled"
 Description: "This control checks whether Amazon Aurora clusters have backtracking enabled. Backups help you to recover more quickly from a security incident. They also strengthens the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to so."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 aws_rds_db_cluster;
 PrimaryTable: aws_rds_db_cluster
 ListOfTables:
- - aws_rds_db_cluster
+ - aws_rds_db_cluster
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_rds_15.yaml b/compliance/controls/aws/aws_foundational_security_rds_15.yaml index 627a75cb3..27e03c066 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_15.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_15.yaml @@ -1,30 +1,14 @@ ID: aws_foundational_security_rds_15 Title: "15 RDS DB clusters should be configured for multiple Availability Zones" Description: "This control checks whether high availability is enabled for your RDS DB clusters. RDS DB clusters should be configured for multiple Availability Zones to ensure availability of the data that is stored." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when multi_az then 'ok' - else 'alarm' - end as status, - case - when multi_az then title || ' Multi-AZ enabled.' - else title || ' Multi-AZ disabled.' - end as reason - - - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when multi_az then 'ok'\n else 'alarm'\n end as status,\n case\n when multi_az then title || ' Multi-AZ enabled.'\n else title || ' Multi-AZ disabled.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster;" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_16.yaml b/compliance/controls/aws/aws_foundational_security_rds_16.yaml index 3b5ef57fe..53f6e13a1 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_16.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_16.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_rds_16 Title: "16 RDS DB clusters should be configured to copy tags to snapshots" Description: "This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when copy_tags_to_snapshot then 'ok' - else 'alarm' - end as status, - case - when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.' - else title || ' copy tags to snapshot disabled.' - end as reason - - - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when copy_tags_to_snapshot then 'ok'\n else 'alarm'\n end as status,\n case\n when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.'\n else title || ' copy tags to snapshot disabled.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster;" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_17.yaml b/compliance/controls/aws/aws_foundational_security_rds_17.yaml index 82e3282f2..070c78e20 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_17.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_17.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_rds_17 Title: "17 RDS DB instances should be configured to copy tags to snapshots" Description: "This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_18.yaml b/compliance/controls/aws/aws_foundational_security_rds_18.yaml index f07a6e369..d623cab9c 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_18.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_18.yaml @@ -1,30 +1,14 @@ ID: aws_foundational_security_rds_18 Title: "18 RDS instances should be deployed in a VPC" Description: "This control checks whether an RDS instance is deployed in a VPC (EC2-VPC)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when vpc_id is null then 'alarm' - else 'ok' - end as status, - case - when vpc_id is null then title || ' is not in VPC.' - else title || ' is in VPC ' || vpc_id || '.' - end as reason - - - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when vpc_id is null then title || ' is not in VPC.'\n else title || ' is in VPC ' || vpc_id || '.'\n end as reason\n \n \nfrom\n aws_rds_db_instance;" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_19.yaml b/compliance/controls/aws/aws_foundational_security_rds_19.yaml index 01e9ab82b..4e59df998 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_19.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_19.yaml 
@@ -1,31 +1,14 @@ ID: aws_foundational_security_rds_19 Title: "19 Existing RDS event notification subscriptions should be configured for critical cluster events." Description: "This control checks whether an Amazon RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when source_type <> 'db-cluster' then 'skip' - when source_type = 'db-cluster' and enabled and event_categories_list @> '["failure", "maintenance"]' then 'ok' - else 'alarm' - end as status, - case - when source_type <> 'db-cluster' then cust_subscription_id || ' event subscription of ' || source_type || ' type.' - when source_type = 'db-cluster' and enabled and event_categories_list @> '["failure", "maintenance"]' then cust_subscription_id || ' event subscription enabled for critical db cluster events.' - else cust_subscription_id || ' event subscription missing critical db cluster events.' 
- end as reason - - from - aws_rds_db_event_subscription; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when source_type <> 'db-cluster' then 'skip'\n when source_type = 'db-cluster' and enabled and event_categories_list @> '[\"failure\", \"maintenance\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when source_type <> 'db-cluster' then cust_subscription_id || ' event subscription of ' || source_type || ' type.'\n when source_type = 'db-cluster' and enabled and event_categories_list @> '[\"failure\", \"maintenance\"]' then cust_subscription_id || ' event subscription enabled for critical db cluster events.'\n else cust_subscription_id || ' event subscription missing critical db cluster events.'\n end as reason\n \nfrom\n aws_rds_db_event_subscription;" PrimaryTable: aws_rds_db_event_subscription ListOfTables: - - aws_rds_db_event_subscription + - aws_rds_db_event_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_2.yaml b/compliance/controls/aws/aws_foundational_security_rds_2.yaml index 451c0d0ed..056ed7c39 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_rds_2 Title: "2 RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration" Description: "This control checks whether Amazon RDS instances are publicly accessible by evaluating the PubliclyAccessible field in the instance configuration item. Neptune DB instances and Amazon DocumentDB clusters do not have the PubliclyAccessible flag and cannot be evaluated. However, this control can still generate findings for these resources. You can suppress these findings." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
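Review bot: The new `QueryToExecute` emits one row per existing `aws_rds_db_event_subscription` and returns `'skip'` for any subscription whose `source_type` is not `db-cluster`, so an account with no subscriptions at all, or only non-cluster ones, produces no `alarm` even though the Description says the control checks whether a suitable subscription exists. If the engine allows it, an account-level form (aggregate over subscriptions, or a left join from `aws_account`) would surface the missing-subscription case; otherwise the Description should state that absence of any subscription is not reported. This is unchanged from the removed block scalar and may be an accepted limitation of the per-resource model, in which case a one-line note in the Description is enough.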
@@ -22,7 +20,9 @@ Query:
 aws_rds_db_instance;
 PrimaryTable: aws_rds_db_instance
 ListOfTables:
- - aws_rds_db_instance
+ - aws_rds_db_instance
 Parameters: []
 Severity: critical
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_rds_20.yaml b/compliance/controls/aws/aws_foundational_security_rds_20.yaml
index 65be04a48..1c4566132 100755
--- a/compliance/controls/aws/aws_foundational_security_rds_20.yaml
+++ b/compliance/controls/aws/aws_foundational_security_rds_20.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_rds_20
 Title: "20 Existing RDS event notification subscriptions should be configured for critical database instance events"
 Description: "This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query:
 aws_rds_db_event_subscription;
 PrimaryTable: aws_rds_db_event_subscription
 ListOfTables:
- - aws_rds_db_event_subscription
+ - aws_rds_db_event_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_rds_21.yaml b/compliance/controls/aws/aws_foundational_security_rds_21.yaml
index 8fd515d64..79b84dc77 100755
--- a/compliance/controls/aws/aws_foundational_security_rds_21.yaml
+++ b/compliance/controls/aws/aws_foundational_security_rds_21.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_rds_21
 Title: "21 An RDS event notifications subscription should be configured for critical database parameter group events"
 Description: "This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -24,7 +22,9 @@ Query: aws_rds_db_event_subscription; PrimaryTable: aws_rds_db_event_subscription ListOfTables: - - aws_rds_db_event_subscription + - aws_rds_db_event_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_22.yaml b/compliance/controls/aws/aws_foundational_security_rds_22.yaml index d9b911377..47c56d49e 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_22.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_22.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_rds_22 Title: "22 An RDS event notifications subscription should be configured for critical database security group events" Description: "This control checks whether an Amazon RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_rds_db_event_subscription; PrimaryTable: aws_rds_db_event_subscription ListOfTables: - - aws_rds_db_event_subscription + - aws_rds_db_event_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_24.yaml b/compliance/controls/aws/aws_foundational_security_rds_24.yaml index 0fce6636a..03a0cadde 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_24.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_24.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_rds_24 Title: "24 RDS database clusters should use a custom administrator username" Description: "This control checks whether an Amazon RDS database cluster has changed the admin username from its default value. This rule will fail if the admin username is set to the default value." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_rds_db_cluster; PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_25.yaml b/compliance/controls/aws/aws_foundational_security_rds_25.yaml index 101a262d0..a4d5de045 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_25.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_25.yaml @@ -1,29 +1,14 @@ ID: aws_foundational_security_rds_25 Title: "25 RDS database instances should use a custom administrator username" Description: "This control checks whether you've changed the administrative username for Amazon Relational Database Service (Amazon RDS) database instances from the default value. The control fails if the administrative username is set to the default value." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when master_user_name in ('admin','postgres') then 'alarm' - else 'ok' - end status, - case - when master_user_name in ('admin', 'postgres') then title || ' using default master user name.' - else title || ' not using default master user name.' - end reason - - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when master_user_name in ('admin','postgres') then 'alarm'\n else 'ok'\n end status,\n case\n when master_user_name in ('admin', 'postgres') then title || ' using default master user name.'\n else title || ' not using default master user name.'\n end reason\n \nfrom\n aws_rds_db_instance;" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud 
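Review bot: The `QueryToExecute` value in the rds_25 hunk is rewritten from a `|-` block scalar into one double-quoted line with `\n` escapes, which makes the SQL much harder to read and review and turns every future one-line SQL edit into a whole-line diff; keeping the `|-` block scalar, as the rds_2, rds_20 and rds_7 hunks still do, would be preferable. The quoted form also carries over the stray trailing whitespace that used to be blank lines (`end reason\n \nfrom`), and any embedded double quote now needs `\"` escaping (see the `'[\"audit\"]'` literal in the rds_34 hunk), which is easy to get wrong in later edits. The same conversion appears in the rds_27, rds_3, rds_34, rds_35, rds_5, redshift_1, redshift_3, redshift_8, redshift_9, s3_1 and s3_11 hunks; s3_1 additionally keeps a trailing `\n` (it came from a `|` scalar) while the others do not. If the consumer does not trim the query text that difference is harmless for SQL, but a yamllint pass with `line-length` enabled would flag every one of these lines.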
diff --git a/compliance/controls/aws/aws_foundational_security_rds_27.yaml b/compliance/controls/aws/aws_foundational_security_rds_27.yaml index 13a0b396e..832819a9d 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_27.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_27.yaml @@ -1,30 +1,14 @@ ID: aws_foundational_security_rds_27 Title: "27 RDS DB clusters should be encrypted at rest" Description: "This control checks if an RDS DB cluster is encrypted at rest. The control fails if an RDS DB cluster isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster;" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_3.yaml b/compliance/controls/aws/aws_foundational_security_rds_3.yaml index 3b6264286..81fe71b77 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_3.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_rds_3 Title: "3 RDS DB instances should have encryption at rest enabled" Description: "This control checks whether storage encryption is enabled for your Amazon RDS DB instances. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_rds_db_instance;" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_34.yaml b/compliance/controls/aws/aws_foundational_security_rds_34.yaml index ab6a89d38..4faa86393 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_34.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_34.yaml 
@@ -1,32 +1,14 @@ ID: aws_foundational_security_rds_34 Title: "34 Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs" Description: "This control checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs. The control fails if the cluster isn't configured to publish audit logs to CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when engine not ilike '%aurora-mysql%' then 'skip' - when enabled_cloudwatch_logs_exports @> '["audit"]' then 'ok' - else 'alarm' - end as status, - case - when engine not ilike '%aurora-mysql%' then title || ' is not Aurora MySQL-compatible edition.' - when enabled_cloudwatch_logs_exports @> '["audit"]' then title || ' audit logging enabled.' - else title || ' audit logging disabled.' - end as reason - - - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when engine not ilike '%aurora-mysql%' then 'skip'\n when enabled_cloudwatch_logs_exports @> '[\"audit\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when engine not ilike '%aurora-mysql%' then title || ' is not Aurora MySQL-compatible edition.'\n when enabled_cloudwatch_logs_exports @> '[\"audit\"]' then title || ' audit logging enabled.'\n else title || ' audit logging disabled.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster;" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_35.yaml b/compliance/controls/aws/aws_foundational_security_rds_35.yaml index 7e14ac0e1..6e8c21c8b 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_35.yaml 
+++ b/compliance/controls/aws/aws_foundational_security_rds_35.yaml @@ -1,30 +1,14 @@ ID: aws_foundational_security_rds_35 Title: "35 RDS DB clusters should have automatic minor version upgrade enabled" Description: "This control checks if automatic minor version upgrade is enabled for an Amazon RDS database cluster. The control fails if automatic minor version upgrade isn't enabled for an RDS cluster." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when auto_minor_version_upgrade then 'ok' - else 'alarm' - end as status, - case - when auto_minor_version_upgrade then title || ' automatic minor version upgrades enabled.' - else title || ' automatic minor version upgrades disabled.' - end as reason - - - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when auto_minor_version_upgrade then 'ok'\n else 'alarm'\n end as status,\n case\n when auto_minor_version_upgrade then title || ' automatic minor version upgrades enabled.'\n else title || ' automatic minor version upgrades disabled.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster;" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_5.yaml b/compliance/controls/aws/aws_foundational_security_rds_5.yaml index ecf9961c2..a4b99adc3 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_5.yaml 
@@ -1,32 +1,14 @@ ID: aws_foundational_security_rds_5 Title: "5 RDS DB instances should be configured with multiple Availability Zones" Description: "This control checks whether high availability is enabled for your RDS DB instances. RDS DB instances should be configured for multiple Availability Zones (AZs). This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover if there is an issue with Availability Zone availability and during regular RDS maintenance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then 'skip' - when multi_az then 'ok' - else 'alarm' - end as status, - case - when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then title || ' cluster instance.' - when multi_az then title || ' Multi-AZ enabled.' - else title || ' Multi-AZ disabled.' - end as reason - - - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then 'skip'\n when multi_az then 'ok'\n else 'alarm'\n end as status,\n case\n when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then title || ' cluster instance.'\n when multi_az then title || ' Multi-AZ enabled.'\n else title || ' Multi-AZ disabled.'\n end as reason\n \n \nfrom\n aws_rds_db_instance;" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_7.yaml b/compliance/controls/aws/aws_foundational_security_rds_7.yaml index 245694e2f..f4b41d1f4 100755 
--- a/compliance/controls/aws/aws_foundational_security_rds_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_7.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_rds_7 Title: "7 RDS clusters should have deletion protection enabled" Description: "This control checks whether RDS clusters have deletion protection enabled. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful,then you can suppress them." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_rds_db_cluster; PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_rds_8.yaml b/compliance/controls/aws/aws_foundational_security_rds_8.yaml index f5cba8c0e..c66708aa1 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_8.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_rds_8 Title: "8 RDS DB instances should have deletion protection enabled" Description: "This control checks whether your RDS DB instances that use one of the listed database engines have deletion protection enabled. DatabaseEngines: mariadb,mysql,oracle-ee,oracle-se2,oracle-se1,oracle-se,postgres,sqlserver-ee,sqlserver-se,sqlserver-ex,sqlserver-web." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_foundational_security_rds_9.yaml b/compliance/controls/aws/aws_foundational_security_rds_9.yaml index c5149bd29..aa70c8079 100755 --- a/compliance/controls/aws/aws_foundational_security_rds_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_rds_9.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_rds_9 Title: "9 RDS DB instances should publish logs to CloudWatch Logs" Description: "This control checks whether the logs of Amazon RDS are enabled and sent to CloudWatch Logs. RDS databases should have relevant logs enabled. Database logging provides detailed records of requests made to RDS. Database logs can assist with security and access audits and can help to diagnose availability issues." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,7 +35,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_redshift_1.yaml b/compliance/controls/aws/aws_foundational_security_redshift_1.yaml index 3bfb7e0c1..5b7e5f661 100755 --- a/compliance/controls/aws/aws_foundational_security_redshift_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_redshift_1.yaml 
@@ -1,31 +1,14 @@ ID: aws_foundational_security_redshift_1 Title: "1 Amazon Redshift clusters should prohibit public access" Description: "This control checks whether Amazon Redshift clusters are publicly accessible. It evaluates the PubliclyAccessible field in the cluster configuration item. The PubliclyAccessible attribute of the Amazon Redshift cluster configuration indicates whether the cluster is publicly accessible. When the cluster is configured with PubliclyAccessible set to true, it is an Internet-facing instance that has a publicly resolvable DNS name, which resolves to a public IP address. When the cluster is not publicly accessible, it is an internal instance with a DNS name that resolves to a private IP address. Unless you intend for your cluster to be publicly accessible, the cluster should not be configured with PubliclyAccessible set to true." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - cluster_namespace_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when publicly_accessible then 'alarm' - else 'ok' - end status, - case - when publicly_accessible then title || ' publicly accessible.' - else title || ' not publicly accessible.' - end reason - - - - from - aws_redshift_cluster; + QueryToExecute: "select\n cluster_namespace_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when publicly_accessible then 'alarm'\n else 'ok'\n end status,\n case\n when publicly_accessible then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end reason\n\n \n \nfrom\n aws_redshift_cluster;" PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud 
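Review bot: The rebuilt query selects `cluster_namespace_arn as resource` while the other Redshift controls in this diff (redshift_3, redshift_8, redshift_9) select `arn as resource` from the same `aws_redshift_cluster` table; if findings are correlated per resource across controls, the two identifiers will not line up. The original block scalar already used `cluster_namespace_arn`, so this is presumably deliberate, but either a comment in the control or switching to `arn as resource` would make the intent explicit.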
diff --git a/compliance/controls/aws/aws_foundational_security_redshift_10.yaml b/compliance/controls/aws/aws_foundational_security_redshift_10.yaml index bf5339dbe..62952175d 100755 --- a/compliance/controls/aws/aws_foundational_security_redshift_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_redshift_10.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_redshift_10 Title: "10 Redshift clusters should be encrypted at rest" Description: "This control checks if Amazon Redshift clusters are encrypted at rest. The control fails if a Redshift cluster isn't encrypted at rest or if the encryption key is different from the provided key in the rule parameter." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_redshift_cluster; PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_redshift_2.yaml b/compliance/controls/aws/aws_foundational_security_redshift_2.yaml index ff4b47bcd..9bebc8ca4 100755 --- a/compliance/controls/aws/aws_foundational_security_redshift_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_redshift_2.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_redshift_2 Title: "2 Connections to Amazon Redshift clusters should be encrypted in transit" Description: "This control checks whether connections to Amazon Redshift clusters are required to use encryption in transit. The check fails if the Amazon Redshift cluster parameter require_SSL is not set to 1. TLS can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over TLS should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -35,8 +33,10 @@ Query: jsonb_array_elements(cluster_parameter_groups) as cpg; PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_parameter_group - - aws_redshift_cluster + - aws_redshift_parameter_group + - aws_redshift_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_redshift_3.yaml b/compliance/controls/aws/aws_foundational_security_redshift_3.yaml index 666b1041e..c191c6fc6 100755 --- a/compliance/controls/aws/aws_foundational_security_redshift_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_redshift_3.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_redshift_3 Title: "3 Amazon Redshift clusters should have automatic snapshots enabled" Description: "This control checks whether Amazon Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when automated_snapshot_retention_period >= 7 then 'ok' - else 'alarm' - end as status, - case - when automated_snapshot_retention_period >= 7 then title || ' automatic snapshots enabled with retention period greater than equals 7 days.' - else title || ' automatic snapshots enabled with retention period less than 7 days.' - end as reason - - - from - aws_redshift_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when automated_snapshot_retention_period >= 7 then 'ok'\n else 'alarm'\n end as status,\n case\n when automated_snapshot_retention_period >= 7 then title || ' automatic snapshots enabled with retention period greater than equals 7 days.'\n else title || ' automatic snapshots enabled with retention period less than 7 days.'\n end as reason\n \n \nfrom\n aws_redshift_cluster;" PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_redshift_4.yaml b/compliance/controls/aws/aws_foundational_security_redshift_4.yaml index e8e598bb9..d6088e8ad 100755 --- a/compliance/controls/aws/aws_foundational_security_redshift_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_redshift_4.yaml 
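Review bot: The `else` branch of the reason column labels every failing cluster `automatic snapshots enabled with retention period less than 7 days`, but a retention period of 0 means automated snapshots are disabled, so that case gets a misleading message even though the Title and Description say the control checks whether automated snapshots are enabled at all. Adding a first branch, `when coalesce(automated_snapshot_retention_period, 0) = 0 then title || ' automatic snapshots disabled.'`, before the existing `>= 7` test in the reason case would make the finding accurate; the status column needs no change since 0 already yields `alarm`. A null `automated_snapshot_retention_period` also lands in the `else` branch through the `>= 7` comparison, which fails closed, but a short comment stating that this is intended would help the next reader.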
@@ -1,8 +1,6 @@ ID: aws_foundational_security_redshift_4 Title: "4 Amazon Redshift clusters should have audit logging enabled" Description: "This control checks whether an Amazon Redshift cluster has audit logging enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_redshift_cluster; PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_redshift_6.yaml b/compliance/controls/aws/aws_foundational_security_redshift_6.yaml index 3806ef8a1..1a0f80c5f 100755 --- a/compliance/controls/aws/aws_foundational_security_redshift_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_redshift_6.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_redshift_6 Title: "6 Amazon Redshift should have automatic upgrades to major versions enabled" Description: "This control checks whether automatic major version upgrades are enabled for the Amazon Redshift cluster." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_redshift_cluster; PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_redshift_7.yaml b/compliance/controls/aws/aws_foundational_security_redshift_7.yaml index f183f2e8f..9b42a2908 100755 --- a/compliance/controls/aws/aws_foundational_security_redshift_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_redshift_7.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_redshift_7 Title: "7 Amazon Redshift clusters should use enhanced VPC routing" Description: "This control checks whether an Amazon Redshift cluster has EnhancedVpcRouting enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_redshift_cluster; PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_redshift_8.yaml b/compliance/controls/aws/aws_foundational_security_redshift_8.yaml index 78e77b4d5..5149cc847 100755 --- a/compliance/controls/aws/aws_foundational_security_redshift_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_redshift_8.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_redshift_8 Title: "8 Amazon Redshift clusters should not use the default Admin username" Description: "This control checks whether a Amazon Redshift cluster has changed the admin username from its default value. This control will fail if the admin username for a Redshift cluster is set to awsuser." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when master_username = 'awsuser' then 'alarm' - else 'ok' - end as status, - case - when master_username = 'awsuser' then title || ' using default master user name.' - else title || ' not using default master user name.' - end as reason - - - from - aws_redshift_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when master_username = 'awsuser' then 'alarm'\n else 'ok'\n end as status,\n case\n when master_username = 'awsuser' then title || ' using default master user name.'\n else title || ' not using default master user name.'\n end as reason\n \n \nfrom\n aws_redshift_cluster;" PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_redshift_9.yaml b/compliance/controls/aws/aws_foundational_security_redshift_9.yaml index a7385a4bd..00b042700 100755 --- a/compliance/controls/aws/aws_foundational_security_redshift_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_redshift_9.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_redshift_9 Title: "9 Redshift clusters should not use the default database name" Description: "This control checks whether an Amazon Redshift cluster has changed the database name from its default value. The control will fail if the database name for a Redshift cluster is set to dev." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when db_name = 'dev' then 'alarm' - else 'ok' - end as status, - case - when db_name = 'dev' then title || ' using default database name.' - else title || ' not using default database name.' - end as reason - - - from - aws_redshift_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when db_name = 'dev' then 'alarm'\n else 'ok'\n end as status,\n case\n when db_name = 'dev' then title || ' using default database name.'\n else title || ' not using default database name.'\n end as reason\n \n \nfrom\n aws_redshift_cluster;" PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_route53_2.yaml b/compliance/controls/aws/aws_foundational_security_route53_2.yaml index 59f087a03..07f42090e 100755 --- a/compliance/controls/aws/aws_foundational_security_route53_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_route53_2.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_route53_2 Title: "2 Route 53 public hosted zones should log DNS queries" Description: "This control checks if DNS query logging is enabled for an Amazon Route 53 public hosted zone. The control fails if DNS query logging isn't enabled for a Route 53 public hosted zone." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_route53_zone; PrimaryTable: aws_route53_zone ListOfTables: - - aws_route53_zone + - aws_route53_zone Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_s3_1.yaml b/compliance/controls/aws/aws_foundational_security_s3_1.yaml index d77b04bcf..863d3cd60 100755 --- a/compliance/controls/aws/aws_foundational_security_s3_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_1.yaml 
@@ -1,43 +1,14 @@ ID: aws_foundational_security_s3_1 Title: "1 S3 Block Public Access setting should be enabled" Description: "This control checks whether the following Amazon S3 public access block settings are configured at the account level" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn' || ':' || 'aws' || ':::' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when block_public_acls - and block_public_policy - and ignore_public_acls - and restrict_public_buckets - then 'ok' - else 'alarm' - end as status, - case - when block_public_acls - and block_public_policy - and ignore_public_acls - and restrict_public_buckets - then 'Account level public access blocks enabled.' - else 'Account level public access blocks not enabled for: ' || - concat_ws(', ', - case when not (block_public_acls ) then 'block_public_acls' end, - case when not (block_public_policy) then 'block_public_policy' end, - case when not (ignore_public_acls ) then 'ignore_public_acls' end, - case when not (restrict_public_buckets) then 'restrict_public_buckets' end - ) || '.' 
- end as reason - - from - aws_s3_account_settings; + QueryToExecute: "select\n 'arn' || ':' || 'aws' || ':::' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when block_public_acls\n and block_public_policy\n and ignore_public_acls\n and restrict_public_buckets\n then 'ok'\n else 'alarm'\n end as status,\n case\n when block_public_acls\n and block_public_policy\n and ignore_public_acls\n and restrict_public_buckets\n then 'Account level public access blocks enabled.'\n else 'Account level public access blocks not enabled for: ' ||\n concat_ws(', ',\n case when not (block_public_acls ) then 'block_public_acls' end,\n case when not (block_public_policy) then 'block_public_policy' end,\n case when not (ignore_public_acls ) then 'ignore_public_acls' end,\n case when not (restrict_public_buckets) then 'restrict_public_buckets' end\n ) || '.'\n end as reason\n \nfrom\n aws_s3_account_settings;\n" PrimaryTable: aws_s3_account_settings ListOfTables: - - aws_s3_account_settings + - aws_s3_account_settings Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_s3_10.yaml b/compliance/controls/aws/aws_foundational_security_s3_10.yaml index 30b255de5..52859af5c 100755 --- a/compliance/controls/aws/aws_foundational_security_s3_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_10.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_s3_10 Title: "10 S3 buckets with versioning enabled should have lifecycle policies configured" Description: "This control checks if Amazon Simple Storage Service (Amazon S3) version enabled buckets have lifecycle policy configured. This rule fails if Amazon S3 lifecycle policy is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
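Review bot: The reason column's `concat_ws` branches test `not (block_public_acls)` and the three sibling flags directly; if a setting column is null (plausible for an account that has never configured a public access block — confirm against the `aws_s3_account_settings` schema), `not null` is null, `concat_ws` skips it, and the alarm reads `Account level public access blocks not enabled for: .` with no setting named. Writing each test as `case when not coalesce(block_public_acls, false) then 'block_public_acls' end` (and likewise for `block_public_policy`, `ignore_public_acls` and `restrict_public_buckets`) would name the missing settings; the status branch already fails closed because `null and …` is never true. This hunk also changes the scalar from `|` to a quoted string ending in `\n`, so this query keeps its trailing newline while the other converted queries in this diff do not.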
@@ -34,7 +32,9 @@ Query:
 left join lifecycle_rules_enabled as r on r.arn = b.arn;
 PrimaryTable: aws_s3_bucket
 ListOfTables:
- - aws_s3_bucket
+ - aws_s3_bucket
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_s3_11.yaml b/compliance/controls/aws/aws_foundational_security_s3_11.yaml
index 7d54496b3..c5138318d 100755
--- a/compliance/controls/aws/aws_foundational_security_s3_11.yaml
+++ b/compliance/controls/aws/aws_foundational_security_s3_11.yaml
@@ -1,38 +1,14 @@ ID: aws_foundational_security_s3_11 Title: "11 S3 buckets should have event notifications enabled" Description: "This control checks whether S3 Event Notifications are enabled on an Amazon S3 bucket. This control fails if S3 Event Notifications are not enabled on a bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when - event_notification_configuration ->> 'EventBridgeConfiguration' is null - and event_notification_configuration ->> 'LambdaFunctionConfigurations' is null - and event_notification_configuration ->> 'QueueConfigurations' is null - and event_notification_configuration ->> 'TopicConfigurations' is null then 'alarm' - else 'ok' - end as status, - case - when - event_notification_configuration ->> 'EventBridgeConfiguration' is null - and event_notification_configuration ->> 'LambdaFunctionConfigurations' is null - and event_notification_configuration ->> 'QueueConfigurations' is null - and event_notification_configuration ->> 'TopicConfigurations' is null then title || ' event notifications disabled.' - else title || ' event notifications enabled.' 
- end as reason - - - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when\n event_notification_configuration ->> 'EventBridgeConfiguration' is null\n and event_notification_configuration ->> 'LambdaFunctionConfigurations' is null\n and event_notification_configuration ->> 'QueueConfigurations' is null\n and event_notification_configuration ->> 'TopicConfigurations' is null then 'alarm'\n else 'ok'\n end as status,\n case\n when\n event_notification_configuration ->> 'EventBridgeConfiguration' is null\n and event_notification_configuration ->> 'LambdaFunctionConfigurations' is null\n and event_notification_configuration ->> 'QueueConfigurations' is null\n and event_notification_configuration ->> 'TopicConfigurations' is null then title || ' event notifications disabled.'\n else title || ' event notifications enabled.'\n end as reason\n \n \nfrom\n aws_s3_bucket;" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_s3_12.yaml b/compliance/controls/aws/aws_foundational_security_s3_12.yaml index c80de9d9f..4d5991807 100755 --- a/compliance/controls/aws/aws_foundational_security_s3_12.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_12.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_s3_12 Title: "12 S3 access control lists (ACLs) should not be used to manage user access to buckets" Description: "This control checks whether Amazon S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -61,7 +59,9 @@ Query: bucket_acl_checks; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_s3_13.yaml b/compliance/controls/aws/aws_foundational_security_s3_13.yaml index 9ba71f680..8a6e1645f 100755 --- a/compliance/controls/aws/aws_foundational_security_s3_13.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_13.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_s3_13 Title: "13 S3 buckets should have lifecycle policies configured" Description: "This control checks if a lifecycle policy is configured for an Amazon S3 bucket. This control fails if a lifecycle policy is not configured for an S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -32,7 +30,9 @@ Query: left join lifecycle_rules_enabled as r on r.arn = b.arn; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_s3_19.yaml b/compliance/controls/aws/aws_foundational_security_s3_19.yaml index dca39e52f..25038f150 100755 --- a/compliance/controls/aws/aws_foundational_security_s3_19.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_19.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_s3_19 Title: "19 S3 access points should have block public access settings enabled" Description: "This control checks whether an Amazon S3 access point has block public access settings enabled. The control fails if block public access settings aren't enabled for the access point." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -32,12 +30,14 @@ Query: case when not restrict_public_buckets then 'restrict_public_buckets' end ) || '.' end as reason - + from aws_s3_access_point; PrimaryTable: aws_s3_access_point ListOfTables: - - aws_s3_access_point + - aws_s3_access_point Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_s3_5.yaml b/compliance/controls/aws/aws_foundational_security_s3_5.yaml index bb2e0c064..e9d05a4ca 100755 --- a/compliance/controls/aws/aws_foundational_security_s3_5.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_5.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_s3_5 Title: "5 S3 buckets should require requests to use Secure Socket Layer" Description: "This control checks whether S3 buckets have policies that require requests to use Secure Socket Layer (SSL). S3 buckets should have policies that require all requests (Action: S3:*)to only accept transmission of data over HTTPS in the S3 resource policy, indicated by the condition key aws:SecureTransport." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -42,7 +40,9 @@ Query: left join ssl_ok as ok on ok.name = b.name; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_s3_6.yaml b/compliance/controls/aws/aws_foundational_security_s3_6.yaml index 148d941be..733925374 100755 --- a/compliance/controls/aws/aws_foundational_security_s3_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_6.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_s3_6 Title: "6 Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted" Description: "This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -46,7 +44,9 @@ Query: left join cross_account_buckets b on a.arn = b.arn; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_s3_8.yaml b/compliance/controls/aws/aws_foundational_security_s3_8.yaml index d40a183ca..41ed62746 100755 --- a/compliance/controls/aws/aws_foundational_security_s3_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_8.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_s3_8 Title: "8 S3 Block Public Access setting should be enabled at the bucket level" Description: "This control checks whether S3 buckets have bucket-level public access blocks applied." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -36,7 +34,9 @@ Query: aws_s3_bucket; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_s3_9.yaml b/compliance/controls/aws/aws_foundational_security_s3_9.yaml index 80da36ab1..70a5bfa4c 100755 --- a/compliance/controls/aws/aws_foundational_security_s3_9.yaml +++ b/compliance/controls/aws/aws_foundational_security_s3_9.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_s3_9 Title: "9 S3 bucket server access logging should be enabled" Description: "When logging is enabled, Amazon S3 delivers access logs for a source bucket to a chosen target bucket. The target bucket must be in the same AWS Region as the source bucket and must not have a default retention period configuration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when logging -> 'TargetBucket' is null then 'alarm' - else 'ok' - end as status, - case - when logging -> 'TargetBucket' is null then title || ' logging disabled.' - else title || ' logging enabled.' - end as reason - - - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logging -> 'TargetBucket' is null then 'alarm'\n else 'ok'\n end as status,\n case\n when logging -> 'TargetBucket' is null then title || ' logging disabled.'\n else title || ' logging enabled.'\n end as reason\n \n \nfrom\n aws_s3_bucket;" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_sagemaker_1.yaml b/compliance/controls/aws/aws_foundational_security_sagemaker_1.yaml index 3949847d8..e390b98ef 100755 --- a/compliance/controls/aws/aws_foundational_security_sagemaker_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_sagemaker_1.yaml 
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_sagemaker_1
 Title: "1 SageMaker notebook instances should not have direct internet access"
 Description: "This control checks whether direct internet access is disabled for an SageMaker notebook instance. To do this, it checks whether the DirectInternetAccess field is disabled for the notebook instance. If you configure your SageMaker instance without a VPC, then by default direct internet access is enabled on your instance. You should configure your instance with a VPC and change the default setting to Disable — Access the internet through a VPC."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_sagemaker_notebook_instance;
 PrimaryTable: aws_sagemaker_notebook_instance
 ListOfTables:
- - aws_sagemaker_notebook_instance
+ - aws_sagemaker_notebook_instance
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_sagemaker_2.yaml b/compliance/controls/aws/aws_foundational_security_sagemaker_2.yaml
index 2e776082f..78b9fc640 100755
--- a/compliance/controls/aws/aws_foundational_security_sagemaker_2.yaml
+++ b/compliance/controls/aws/aws_foundational_security_sagemaker_2.yaml
@@ -1,8 +1,6 @@
 ID: aws_foundational_security_sagemaker_2
 Title: "2 SageMaker notebook instances should be launched in a custom VPC"
 Description: "This control checks if an Amazon SageMaker notebook instance is launched within a custom virtual private cloud (VPC). This control fails if a SageMaker notebook instance is not launched within a custom VPC or if it is launched in the SageMaker service VPC."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_sagemaker_notebook_instance;
 PrimaryTable: aws_sagemaker_notebook_instance
 ListOfTables:
- - aws_sagemaker_notebook_instance
+ - aws_sagemaker_notebook_instance
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_foundational_security_sagemaker_3.yaml b/compliance/controls/aws/aws_foundational_security_sagemaker_3.yaml index 1d156ec95..00e352cf8 100755 --- a/compliance/controls/aws/aws_foundational_security_sagemaker_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_sagemaker_3.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_sagemaker_3 Title: "3 Users should not have root access to SageMaker notebook instances" Description: "This control checks whether root access is turned on for an Amazon SageMaker notebook instance. The control fails if root access is turned on for a SageMaker notebook instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_sagemaker_notebook_instance; PrimaryTable: aws_sagemaker_notebook_instance ListOfTables: - - aws_sagemaker_notebook_instance + - aws_sagemaker_notebook_instance Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_secretsmanager_1.yaml b/compliance/controls/aws/aws_foundational_security_secretsmanager_1.yaml index 31747f91c..830106237 100755 --- a/compliance/controls/aws/aws_foundational_security_secretsmanager_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_secretsmanager_1.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_secretsmanager_1 Title: "1 Secrets Manager secrets should have automatic rotation enabled" Description: "This control checks whether a secret stored in AWS Secrets Manager is configured with automatic rotation. Secrets Manager helps you improve the security posture of your organization. Secrets include database credentials, passwords, and third-party API keys. You can use Secrets Manager to store secrets centrally, encrypt secrets automatically, control access to secrets, and rotate secrets safely and automatically." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when rotation_rules is null then 'alarm' - else 'ok' - end as status, - case - when rotation_rules is null then title || ' automatic rotation not enabled.' - else title || ' automatic rotation enabled.' - end as reason - - - from - aws_secretsmanager_secret; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when rotation_rules is null then 'alarm'\n else 'ok'\n end as status,\n case\n when rotation_rules is null then title || ' automatic rotation not enabled.'\n else title || ' automatic rotation enabled.'\n end as reason\n \n \nfrom\n aws_secretsmanager_secret;" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_secretsmanager_2.yaml b/compliance/controls/aws/aws_foundational_security_secretsmanager_2.yaml index 29c6f696b..e0fae19b6 100755 --- a/compliance/controls/aws/aws_foundational_security_secretsmanager_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_secretsmanager_2.yaml 
@@ -1,42 +1,14 @@ ID: aws_foundational_security_secretsmanager_2 Title: "2 Secrets Manager secrets configured with automatic rotation should rotate successfully" Description: "This control checks whether an AWS Secrets Manager secret rotated successfully based on the rotation schedule. The control fails if RotationOccurringAsScheduled is false. The control does not evaluate secrets that do not have rotation configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when primary_region is not null and region != primary_region then 'skip' -- Replica secret - when rotation_rules is null then 'alarm' -- Rotation not enabled - when last_rotated_date is null - and (date(current_date) - date(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'ok' -- New secret not due for rotation yet - when last_rotated_date is null - and (date(current_date) - date(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'alarm' -- New secret overdue for rotation - when last_rotated_date is not null - and (date(current_date) - date(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'alarm' -- Secret has been rotated before but is overdue for another rotation - end as status, - case - when primary_region is not null and region != primary_region then title || ' is a replica.' - when rotation_rules is null then title || ' rotation not enabled.' - when last_rotated_date is null - and (date(current_date) - date(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' scheduled for rotation.' - when last_rotated_date is null - and (date(current_date) - date(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' not rotated as per schedule.' 
- when last_rotated_date is not null - and (date(current_date) - date(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' not rotated as per schedule.' - end as reason - - - from - aws_secretsmanager_secret; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when primary_region is not null and region != primary_region then 'skip' -- Replica secret\n when rotation_rules is null then 'alarm' -- Rotation not enabled\n when last_rotated_date is null\n and (date(current_date) - date(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'ok' -- New secret not due for rotation yet\n when last_rotated_date is null\n and (date(current_date) - date(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'alarm' -- New secret overdue for rotation\n when last_rotated_date is not null\n and (date(current_date) - date(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'alarm' -- Secret has been rotated before but is overdue for another rotation\n end as status,\n case\n when primary_region is not null and region != primary_region then title || ' is a replica.'\n when rotation_rules is null then title || ' rotation not enabled.'\n when last_rotated_date is null\n and (date(current_date) - date(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' scheduled for rotation.'\n when last_rotated_date is null\n and (date(current_date) - date(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' not rotated as per schedule.'\n when last_rotated_date is not null\n and (date(current_date) - date(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' not rotated as per schedule.'\n end as reason\n \n \nfrom\n aws_secretsmanager_secret;" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - 
aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_secretsmanager_3.yaml b/compliance/controls/aws/aws_foundational_security_secretsmanager_3.yaml index 7f07c0f5e..08f964fa8 100755 --- a/compliance/controls/aws/aws_foundational_security_secretsmanager_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_secretsmanager_3.yaml 
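Review bot: The status `case` in the new QueryToExecute has no `else` branch, so a secret that has been rotated before and is not yet overdue (`last_rotated_date is not null` with the day difference within `AutomaticallyAfterDays`) gets a NULL status rather than 'ok', and the reason `case` has the same gap. That is the common healthy state, so unless the engine treats a NULL status as a pass the compliant rows are silently dropped from the result; add `else 'ok' -- Rotated on schedule` before `end as status` and `else title || ' rotated as per schedule.'` before `end as reason`. The checks also read only `rotation_rules -> 'AutomaticallyAfterDays'`; if a secret's rotation rules carry a schedule expression instead, the integer cast is NULL and every comparison falls through, which is worth confirming against the table's data.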
@@ -1,32 +1,14 @@ ID: aws_foundational_security_secretsmanager_3 Title: "3 Remove unused Secrets Manager secrets" Description: "This control checks whether an AWS Secrets Manager secret has been accessed within the specified time frame. The control fails if a secret is unused beyond the specified time frame. Unless you provide a custom parameter value for the access period, Security Hub uses a default value of 90 days" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when last_accessed_date is null then 'alarm' - when date(current_date) - date(last_accessed_date) <= 90 then 'ok' - else 'alarm' - end as status, - case - when last_accessed_date is null then title || ' never accessed.' - else - title || ' last used ' || extract(day from current_timestamp - last_accessed_date) || ' day(s) ago.' - end as reason - - - from - aws_secretsmanager_secret; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when last_accessed_date is null then 'alarm'\n when date(current_date) - date(last_accessed_date) <= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when last_accessed_date is null then title || ' never accessed.'\n else\n title || ' last used ' || extract(day from current_timestamp - last_accessed_date) || ' day(s) ago.'\n end as reason\n \n \nfrom\n aws_secretsmanager_secret;" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_secretsmanager_4.yaml b/compliance/controls/aws/aws_foundational_security_secretsmanager_4.yaml index c896df701..9da1cb1fb 100755 --- a/compliance/controls/aws/aws_foundational_security_secretsmanager_4.yaml 
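Review bot: The 90-day window in `date(current_date) - date(last_accessed_date) <= 90` is hard-coded while the Description says a custom access-period value can be supplied and `Parameters: []` declares none, so the documented behaviour and the query disagree. Either expose the window as a control parameter or change the Description to state that this implementation fixes the period at 90 days. Separately, the reason string computes the age with `extract(day from current_timestamp - last_accessed_date)` while the status uses whole-date subtraction, so the two can disagree by a day at the boundary; using the same expression in both would keep the message consistent with the verdict.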
+++ b/compliance/controls/aws/aws_foundational_security_secretsmanager_4.yaml @@ -1,30 +1,14 @@ ID: aws_foundational_security_secretsmanager_4 Title: "4 Secrets Manager secrets should be rotated within a specified number of days" Description: "This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when rotation_rules is not null and rotation_lambda_arn is not null then 'ok' - else 'alarm' - end as status, - case - when rotation_rules is not null and rotation_lambda_arn is not null then title || ' scheduled for rotation using Lambda function.' - else title || ' automatic rotation using Lambda function disabled.' - end as reason - - - from - aws_secretsmanager_secret; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when rotation_rules is not null and rotation_lambda_arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when rotation_rules is not null and rotation_lambda_arn is not null then title || ' scheduled for rotation using Lambda function.'\n else title || ' automatic rotation using Lambda function disabled.'\n end as reason\n \n \nfrom\n aws_secretsmanager_secret;" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud 
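Review bot: The query passes any secret with `rotation_rules is not null and rotation_lambda_arn is not null`, which verifies that rotation is configured, not that a rotation actually happened within 90 days as the Title and Description state; `last_rotated_date` is never consulted, so a secret whose rotation Lambda has been failing for months still reports 'ok'. Either narrow the Description to "rotation configured with a Lambda function", or additionally require the last rotation to fall inside the window, e.g. `and last_rotated_date is not null and date(current_date) - date(last_rotated_date) <= 90`. As written the check largely duplicates secretsmanager_1 (`rotation_rules is null`) rather than adding the time-bound condition the control name promises.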
diff --git a/compliance/controls/aws/aws_foundational_security_sfn_1.yaml b/compliance/controls/aws/aws_foundational_security_sfn_1.yaml index b12fcb37d..3d5df7306 100755 --- a/compliance/controls/aws/aws_foundational_security_sfn_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_sfn_1.yaml @@ -1,30 +1,14 @@ ID: aws_foundational_security_sfn_1 Title: "1 Step Functions state machines should have logging turned on" Description: "This controls checks whether an AWS Step Functions state machine has logging turned on. The control fails if a state machine doesn't have logging turned on. If you provide a custom value for the logLevel parameter, the control passes only if the state machine has the specified logging level turned on." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when logging_configuration ->> 'Level' = 'OFF' then 'alarm' - else 'ok' - end as status, - case - when logging_configuration ->> 'Level' = 'OFF' then title || ' loggging disabled.' - else title || ' loggging enabled.' - end as reason - - - from - aws_sfn_state_machine; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logging_configuration ->> 'Level' = 'OFF' then 'alarm'\n else 'ok'\n end as status,\n case\n when logging_configuration ->> 'Level' = 'OFF' then title || ' loggging disabled.'\n else title || ' loggging enabled.'\n end as reason\n \n \nfrom\n aws_sfn_state_machine;" PrimaryTable: aws_sfn_state_machine ListOfTables: - - aws_sfn_state_machine + - aws_sfn_state_machine Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_sns_1.yaml b/compliance/controls/aws/aws_foundational_security_sns_1.yaml index 401a5f3c2..982707cce 100755 
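Review bot: The status test `logging_configuration ->> 'Level' = 'OFF'` evaluates to NULL when `logging_configuration` itself is NULL, so the `case` falls through to `else 'ok'` and a state machine with no logging configuration at all is reported as logging enabled. If that column can be NULL for such machines (the waf_1 hunk in this same commit treats `logging_configuration is null` as 'alarm'), the condition in both `case` expressions should be `when logging_configuration is null or logging_configuration ->> 'Level' = 'OFF' then 'alarm'`. The reason strings also misspell 'loggging' twice; since they are surfaced to users, `' logging disabled.'` / `' logging enabled.'` is the intended text.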
--- a/compliance/controls/aws/aws_foundational_security_sns_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_sns_1.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_sns_1 Title: "1 SNS topics should be encrypted at rest using AWS KMS" Description: "This control checks whether an SNS topic is encrypted at rest using AWS KMS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_sns_topic; PrimaryTable: aws_sns_topic ListOfTables: - - aws_sns_topic + - aws_sns_topic Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_sns_2.yaml b/compliance/controls/aws/aws_foundational_security_sns_2.yaml index 37aae6cb8..feb348c66 100755 --- a/compliance/controls/aws/aws_foundational_security_sns_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_sns_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_sns_2 Title: "2 Logging of delivery status should be enabled for notification messages sent to a topic" Description: "This control checks whether logging is enabled for the delivery status of notification messages sent to an Amazon SNS topic for the endpoints. This control fails if the delivery status notification for messages is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -30,7 +28,9 @@ Query: aws_sns_topic; PrimaryTable: aws_sns_topic ListOfTables: - - aws_sns_topic + - aws_sns_topic Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_sqs_1.yaml b/compliance/controls/aws/aws_foundational_security_sqs_1.yaml index 7250f1b4d..5d8ac27bf 100755 --- a/compliance/controls/aws/aws_foundational_security_sqs_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_sqs_1.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_sqs_1 Title: "1 Amazon SQS queues should be encrypted at rest" Description: "This control checks whether Amazon SQS queues are encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,7 +22,9 @@ Query: aws_sqs_queue; PrimaryTable: aws_sqs_queue ListOfTables: - - aws_sqs_queue + - aws_sqs_queue Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_ssm_1.yaml b/compliance/controls/aws/aws_foundational_security_ssm_1.yaml index c9d74f17a..171c5733e 100755 --- a/compliance/controls/aws/aws_foundational_security_ssm_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_ssm_1.yaml 
@@ -1,34 +1,15 @@ ID: aws_foundational_security_ssm_1 Title: "1 EC2 instances should be managed by AWS Systems Manager" Description: "This control checks whether the EC2 instances in your account are managed by AWS Systems Manager. Systems Manager is an AWS service that you can use to view and control your AWS infrastructure. To help you to maintain security and compliance, Systems Manager scans your managed instances. A managed instance is a machine that is configured for use with Systems Manager. Systems Manager then reports or takes corrective action on any policy violations that it detects. Systems Manager also helps you to configure and maintain your managed instances." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - i.arn as resource, - i.og_account_id as og_account_id, - i.og_resource_id as og_resource_id, - case - when i.instance_state = 'stopped' then 'info' - when m.instance_id is null then 'alarm' - else 'ok' - end as status, - case - when i.instance_state = 'stopped' then i.title || ' is in stopped state.' - when m.instance_id is null then i.title || ' not managed by AWS SSM.' - else i.title || ' managed by AWS SSM.' 
- end as reason - - - from - aws_ec2_instance i - left join aws_ssm_managed_instance m on m.instance_id = i.instance_id; + QueryToExecute: "select\n i.arn as resource,\n i.og_account_id as og_account_id,\n i.og_resource_id as og_resource_id,\n case\n when i.instance_state = 'stopped' then 'info'\n when m.instance_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when i.instance_state = 'stopped' then i.title || ' is in stopped state.'\n when m.instance_id is null then i.title || ' not managed by AWS SSM.'\n else i.title || ' managed by AWS SSM.'\n end as reason\n \n \nfrom\n aws_ec2_instance i\n left join aws_ssm_managed_instance m on m.instance_id = i.instance_id;" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance - - aws_ssm_managed_instance + - aws_ec2_instance + - aws_ssm_managed_instance Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_ssm_2.yaml b/compliance/controls/aws/aws_foundational_security_ssm_2.yaml index 766369377..fb5bc977e 100755 --- a/compliance/controls/aws/aws_foundational_security_ssm_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_ssm_2.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_ssm_2 Title: "2 All EC2 instances managed by Systems Manager should be compliant with patching requirements" Description: "This control checks whether the compliance status of the Amazon EC2 Systems Manager patch compliance is COMPLIANT or non compliant after the patch installation on the instance. It only checks instances that are managed by Systems Manager Patch Manager." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -28,8 +26,10 @@ Query: and c.compliance_type = 'Patch'; PrimaryTable: aws_ssm_managed_instance ListOfTables: - - aws_ssm_managed_instance - - aws_ssm_managed_instance_compliance + - aws_ssm_managed_instance + - aws_ssm_managed_instance_compliance Parameters: [] Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_ssm_3.yaml b/compliance/controls/aws/aws_foundational_security_ssm_3.yaml index 958f17e0c..2b9781faa 100755 --- a/compliance/controls/aws/aws_foundational_security_ssm_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_ssm_3.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_ssm_3 Title: "3 Instances managed by Systems Manager should have an association compliance status of COMPLIANT" Description: "This control checks whether the status of the AWS Systems Manager association compliance is COMPLIANT or non compliant after the association is run on an instance. The control passes if the association compliance status is COMPLIANT." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,8 +24,10 @@ Query: and c.compliance_type = 'Association'; PrimaryTable: aws_ssm_managed_instance ListOfTables: - - aws_ssm_managed_instance - - aws_ssm_managed_instance_compliance + - aws_ssm_managed_instance + - aws_ssm_managed_instance_compliance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_ssm_4.yaml b/compliance/controls/aws/aws_foundational_security_ssm_4.yaml index 304901b4d..7bbb54e4d 100755 --- a/compliance/controls/aws/aws_foundational_security_ssm_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_ssm_4.yaml 
@@ -1,32 +1,14 @@ ID: aws_foundational_security_ssm_4 Title: "4 SSM documents should not be public" Description: "This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if SSM documents with the owner Self are public." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when account_ids :: jsonb ? 'all' then 'alarm' - else 'ok' - end as status, - case - when account_ids :: jsonb ? 'all' then title || ' publicly accesible.' - else title || ' not publicly accesible.' - end as reason - - - from - aws_ssm_document - where - owner_type = 'Self'; + QueryToExecute: "select\n 'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_ids :: jsonb ? 'all' then 'alarm'\n else 'ok'\n end as status,\n case\n when account_ids :: jsonb ? 'all' then title || ' publicly accesible.'\n else title || ' not publicly accesible.'\n end as reason\n \n \nfrom\n aws_ssm_document\nwhere\n owner_type = 'Self';" PrimaryTable: aws_ssm_document ListOfTables: - - aws_ssm_document + - aws_ssm_document Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_waf_1.yaml b/compliance/controls/aws/aws_foundational_security_waf_1.yaml index 17bb05a9d..cd7d9b032 100755 --- a/compliance/controls/aws/aws_foundational_security_waf_1.yaml +++ b/compliance/controls/aws/aws_foundational_security_waf_1.yaml 
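Review bot: The `QueryToExecute: |-` block scalar is replaced by one double-quoted string with `\n` escapes, which is much harder to read and diff than the block form and is inconsistent with sibling files in this same diff (ssm_2 and ssm_3 keep `|-`); the block scalar was the clearer form and I would keep it. The same rewrite appears in the waf_1, waf_2, waf_6, waf_7, fsx_file_system_protected_by_backup_plan, gatewayv2_stage_access_logging_enabled, glue_data_catalog_encryption_settings_metadata_encryption_enabled and iam_access_analyzer_enabled hunks. Separately, the finding text carried into the new literal misspells "accessible" in both branches (`' publicly accesible.'` / `' not publicly accesible.'`); since this is the user-facing reason for a public-document finding, change them to `then title || ' publicly accessible.'` and `else title || ' not publicly accessible.'`.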
@@ -1,30 +1,14 @@ ID: aws_foundational_security_waf_1 Title: "1 AWS WAF Classic Global Web ACL logging should be enabled" Description: "This control checks whether logging is enabled for an AWS WAF global web ACL. This control fails if logging is not enabled for the web ACL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when logging_configuration is null then 'alarm' - else 'ok' - end as status, - case - when logging_configuration is null then title || ' logging disabled.' - else title || ' logging enabled.' - end as reason - - - from - aws_waf_web_acl; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logging_configuration is null then 'alarm'\n else 'ok'\n end as status,\n case\n when logging_configuration is null then title || ' logging disabled.'\n else title || ' logging enabled.'\n end as reason\n \n \nfrom\n aws_waf_web_acl;" PrimaryTable: aws_waf_web_acl ListOfTables: - - aws_waf_web_acl + - aws_waf_web_acl Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_waf_10.yaml b/compliance/controls/aws/aws_foundational_security_waf_10.yaml index 5caece3cf..93f1d221f 100755 --- a/compliance/controls/aws/aws_foundational_security_waf_10.yaml +++ b/compliance/controls/aws/aws_foundational_security_waf_10.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_waf_10 Title: "10 AWS WAF web ACLs should have at least one rule or rule group" Description: "This control checks whether a WAFV2 web access control list (web ACL) contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -35,7 +33,9 @@ Query: left join rule_group_count as c on c.arn = a.arn; PrimaryTable: aws_wafv2_web_acl ListOfTables: - - aws_wafv2_web_acl + - aws_wafv2_web_acl Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_waf_12.yaml b/compliance/controls/aws/aws_foundational_security_waf_12.yaml index f946ded02..a3cae7419 100755 --- a/compliance/controls/aws/aws_foundational_security_waf_12.yaml +++ b/compliance/controls/aws/aws_foundational_security_waf_12.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_waf_12 Title: "12 AWS WAF rules should have CloudWatch metrics enabled" Description: "This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_wafv2_rule_group; PrimaryTable: aws_wafv2_rule_group ListOfTables: - - aws_wafv2_rule_group + - aws_wafv2_rule_group Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_waf_2.yaml b/compliance/controls/aws/aws_foundational_security_waf_2.yaml index 3c8f2c719..607b4bee5 100755 --- a/compliance/controls/aws/aws_foundational_security_waf_2.yaml +++ b/compliance/controls/aws/aws_foundational_security_waf_2.yaml 
@@ -1,29 +1,14 @@ ID: aws_foundational_security_waf_2 Title: "2 AWS WAF Classic Regional rules should have at least one condition" Description: "This control checks whether an AWS WAF Regional rule has at least one condition. The control fails if no conditions are present within a rule." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - rule_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when predicates is null or jsonb_array_length(predicates) = 0 then 'alarm' - else 'ok' - end as status, - case - when predicates is null or jsonb_array_length(predicates) = 0 then title || ' has no attached conditions.' - else title || ' has ' || jsonb_array_length(predicates) || ' condition(s) attached.' - end as reason - - from - aws_wafregional_rule; + QueryToExecute: "select\n rule_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when predicates is null or jsonb_array_length(predicates) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when predicates is null or jsonb_array_length(predicates) = 0 then title || ' has no attached conditions.'\n else title || ' has ' || jsonb_array_length(predicates) || ' condition(s) attached.'\n end as reason\n \nfrom\n aws_wafregional_rule;" PrimaryTable: aws_wafregional_rule ListOfTables: - - aws_wafregional_rule + - aws_wafregional_rule Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_waf_3.yaml b/compliance/controls/aws/aws_foundational_security_waf_3.yaml index cc91377da..38a1a6293 100755 --- a/compliance/controls/aws/aws_foundational_security_waf_3.yaml +++ b/compliance/controls/aws/aws_foundational_security_waf_3.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_waf_3 Title: "3 AWS WAF Classic Regional rule groups should have at least one rule" Description: "This control checks whether an AWS WAF Regional rule group has at least one rule. The control fails if no rules are present within a rule group." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_wafregional_rule_group; PrimaryTable: aws_wafregional_rule_group ListOfTables: - - aws_wafregional_rule_group + - aws_wafregional_rule_group Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_waf_4.yaml b/compliance/controls/aws/aws_foundational_security_waf_4.yaml index da7f350a6..2dd88e1f0 100755 --- a/compliance/controls/aws/aws_foundational_security_waf_4.yaml +++ b/compliance/controls/aws/aws_foundational_security_waf_4.yaml @@ -1,8 +1,6 @@ ID: aws_foundational_security_waf_4 Title: "4 AWS WAF Classic Regional web ACLs should have at least one rule or rule group" Description: "This control checks whether an AWS WAF Classic Regional web ACL contains any WAF rules or WAF rule groups. This control fails if a web ACL does not contain any WAF rules or rule groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_wafregional_web_acl; PrimaryTable: aws_wafregional_web_acl ListOfTables: - - aws_wafregional_web_acl + - aws_wafregional_web_acl Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_waf_6.yaml b/compliance/controls/aws/aws_foundational_security_waf_6.yaml index 0bb47074f..fe15da01a 100755 --- a/compliance/controls/aws/aws_foundational_security_waf_6.yaml +++ b/compliance/controls/aws/aws_foundational_security_waf_6.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_waf_6 Title: "6 AWS WAF Classic global rules should have at least one condition" Description: "This control checks whether an AWS WAF global rule contains any conditions. The control fails if no conditions are present within a rule." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - rule_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when predicates is null or jsonb_array_length(predicates) = 0 then 'alarm' - else 'ok' - end as status, - case - when predicates is null or jsonb_array_length(predicates) = 0 then title || ' has no attached conditions.' - else title || ' has ' || jsonb_array_length(predicates) || ' attached conditions.' - end as reason - - - from - aws_waf_rule; + QueryToExecute: "select\n rule_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when predicates is null or jsonb_array_length(predicates) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when predicates is null or jsonb_array_length(predicates) = 0 then title || ' has no attached conditions.'\n else title || ' has ' || jsonb_array_length(predicates) || ' attached conditions.'\n end as reason\n \n \nfrom\n aws_waf_rule;" PrimaryTable: aws_waf_rule ListOfTables: - - aws_waf_rule + - aws_waf_rule Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_waf_7.yaml b/compliance/controls/aws/aws_foundational_security_waf_7.yaml index a574e3679..21e2e471f 100755 --- a/compliance/controls/aws/aws_foundational_security_waf_7.yaml +++ b/compliance/controls/aws/aws_foundational_security_waf_7.yaml 
@@ -1,30 +1,14 @@ ID: aws_foundational_security_waf_7 Title: "7 AWS WAF Classic global rule groups should have at least one rule" Description: "This control checks whether an AWS WAF global rule group has at least one rule. The control fails if no rules are present within a rule group." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when activated_rules is null or jsonb_array_length(activated_rules) = 0 then 'alarm' - else 'ok' - end as status, - case - when activated_rules is null or jsonb_array_length(activated_rules) = 0 then title || ' has no attached rules.' - else title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.' - end as reason - - - from - aws_waf_rule_group; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when activated_rules is null or jsonb_array_length(activated_rules) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when activated_rules is null or jsonb_array_length(activated_rules) = 0 then title || ' has no attached rules.'\n else title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.'\n end as reason\n \n \nfrom\n aws_waf_rule_group;" PrimaryTable: aws_waf_rule_group ListOfTables: - - aws_waf_rule_group + - aws_waf_rule_group Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_foundational_security_waf_8.yaml b/compliance/controls/aws/aws_foundational_security_waf_8.yaml index d7e343839..3069d9ca0 100755 --- a/compliance/controls/aws/aws_foundational_security_waf_8.yaml +++ b/compliance/controls/aws/aws_foundational_security_waf_8.yaml 
@@ -1,8 +1,6 @@ ID: aws_foundational_security_waf_8 Title: "8 AWS WAF Classic global web ACLs should have at least one rule or rule group" Description: "This control checks whether an AWS WAF global web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_waf_web_acl; PrimaryTable: aws_waf_web_acl ListOfTables: - - aws_waf_web_acl + - aws_waf_web_acl Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled.yaml b/compliance/controls/aws/aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled.yaml index d61911504..b94aa455f 100755 --- a/compliance/controls/aws/aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled.yaml +++ b/compliance/controls/aws/aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled Title: "FSx for OpenZFS file systems should be configured to copy tags to backups and volumes" Description: "This control checks if an Amazon FSx for OpenZFS file system is configured to copy tags to backups and volumes. The control fails if the OpenZFS file system isn't configured to copy tags to backups and volumes." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,7 +24,9 @@ Query: aws_fsx_file_system; PrimaryTable: aws_fsx_file_system ListOfTables: - - aws_fsx_file_system + - aws_fsx_file_system Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_fsx_file_system_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_fsx_file_system_protected_by_backup_plan.yaml index ed3bd8cf1..84e919088 100755 --- a/compliance/controls/aws/aws_fsx_file_system_protected_by_backup_plan.yaml 
+++ b/compliance/controls/aws/aws_fsx_file_system_protected_by_backup_plan.yaml 
@@ -1,64 +1,39 @@ ID: aws_fsx_file_system_protected_by_backup_plan Title: "FSx file system should be protected by backup plan" Description: "Checks if AWS FSx File Systems are protected by a backup plan. The rule is non-compliant if the AWS FSx File System is not covered by a backup plan." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with backup_protected_fsx_file_system as ( - select - resource_arn as arn - from - aws_backup_protected_resource as b - where - resource_type = 'FSx' - ) - select - f.arn as resource, - f.og_account_id as og_account_id, - f.og_resource_id as og_resource_id, - case - when b.arn is not null then 'ok' - else 'alarm' - end as status, - case - when b.arn is not null then f.title || ' is protected by backup plan.' - else f.title || ' is not protected by backup plan.' - end as reason - - , f.region, f.account_id - from - aws_fsx_file_system as f - left join backup_protected_fsx_file_system as b on f.arn = b.arn; + QueryToExecute: "with backup_protected_fsx_file_system as (\n select\n resource_arn as arn\n from\n aws_backup_protected_resource as b\n where\n resource_type = 'FSx'\n)\nselect\n f.arn as resource,\n f.og_account_id as og_account_id,\n f.og_resource_id as og_resource_id,\n case\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is not null then f.title || ' is protected by backup plan.'\n else f.title || ' is not protected by backup plan.'\n end as reason\n \n , f.region, f.account_id\nfrom\n aws_fsx_file_system as f\n left join backup_protected_fsx_file_system as b on f.arn = b.arn;\n" PrimaryTable: aws_fsx_file_system ListOfTables: - - aws_backup_protected_resource - - aws_fsx_file_system + - aws_backup_protected_resource + - aws_fsx_file_system Parameters: [] Severity: high Tags: cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: 
- - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - AWS/FSx + - AWS/FSx soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_gatewayv2_stage_access_logging_enabled.yaml b/compliance/controls/aws/aws_gatewayv2_stage_access_logging_enabled.yaml index 5c91cbaff..b7c286a82 100755 --- a/compliance/controls/aws/aws_gatewayv2_stage_access_logging_enabled.yaml +++ b/compliance/controls/aws/aws_gatewayv2_stage_access_logging_enabled.yaml 
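Review bot: The new query literal still carries `, f.region, f.account_id` after `end as reason`, separated from it by a blank line, so this control returns two columns beyond resource/og_account_id/og_resource_id/status/reason that the other converted queries in this diff (ssm_4, waf_*) do not return; it reads as a leftover rather than intent, and if the engine expects the fixed five-column shape the select list should end at `end as reason` followed directly by `from aws_fsx_file_system as f`. I cannot tell from the hunk whether CloudQL tolerates extra result columns, so please confirm before dropping them. The gatewayv2_stage_access_logging_enabled hunk has the same trailing `, region, account_id`. Also the alias `b` on `aws_backup_protected_resource as b` inside the CTE is unused and can be removed.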
@@ -1,42 +1,26 @@ ID: aws_gatewayv2_stage_access_logging_enabled Title: "Access logging should be configured for API Gateway V2 Stages" Description: "This control checks if AWS API Gateway V2 stages have access logging configured. This control fails if access log settings aren't defined." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when access_log_settings is null then 'alarm' - else 'ok' - end as status, - case - when access_log_settings is null then title || ' access logging disabled.' - else title || ' access logging enabled.' - end as reason - - , region, account_id - from - aws_api_gatewayv2_stage; + QueryToExecute: "select\n 'arn:' || partition || ':apigateway:' || region || '::/apis/' || api_id || '/stages/' || stage_name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when access_log_settings is null then 'alarm'\n else 'ok'\n end as status,\n case\n when access_log_settings is null then title || ' access logging disabled.'\n else title || ' access logging enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_api_gatewayv2_stage;\n" PrimaryTable: aws_api_gatewayv2_stage ListOfTables: - - aws_api_gatewayv2_stage + - aws_api_gatewayv2_stage Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - logging + - logging foundational_security_item_id: - - apigateway_9 + - apigateway_9 plugin: - - aws + - aws service: - - AWS/APIGateway + - AWS/APIGateway +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_glacier_vault_restrict_public_access.yaml b/compliance/controls/aws/aws_glacier_vault_restrict_public_access.yaml index a9d0c45fb..d828c9a20 100755 
--- a/compliance/controls/aws/aws_glacier_vault_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_glacier_vault_restrict_public_access.yaml @@ -1,8 +1,6 @@ ID: aws_glacier_vault_restrict_public_access Title: "Glacier vault should restrict public access" Description: "Manage access to resources in the AWS Cloud by ensuring AWS Glacier vault cannot be publicly accessed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -40,7 +38,9 @@ Query: left join wildcard_action_policies as p on p.vault_arn = g.vault_arn; PrimaryTable: aws_glacier_vault ListOfTables: - - aws_glacier_vault + - aws_glacier_vault Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_glue_connection_ssl_enabled.yaml b/compliance/controls/aws/aws_glue_connection_ssl_enabled.yaml index 9f6e49cb0..eea97485e 100755 --- a/compliance/controls/aws/aws_glue_connection_ssl_enabled.yaml +++ b/compliance/controls/aws/aws_glue_connection_ssl_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_glue_connection_ssl_enabled Title: "Glue connection SSL should be enabled" Description: "Ensure Glue connection encryption SSL is enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_glue_connection; PrimaryTable: aws_glue_connection ListOfTables: - - aws_glue_connection + - aws_glue_connection Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled.yaml b/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled.yaml index a2c84f3fd..b75e58074 100755 --- a/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled.yaml 
@@ -1,29 +1,14 @@ ID: aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled Title: "Glue data catalog metadata encryption should be enabled" Description: "Ensure Glue data catalog metadata encryption is enabled to protect sensitive information at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - 'arn:' || partition || '::' || region || ':' || account_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok' - else 'alarm' - end as status, - case - when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'Glue data catalog metadata encryption is enabled in ' || region || '.' - else 'Glue data catalog metadata encryption is disabled in ' || region || '.' - end as reason - - from - aws_glue_data_catalog_encryption_settings; + QueryToExecute: "select\n 'arn:' || partition || '::' || region || ':' || account_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_at_rest is not null and encryption_at_rest ->> 'CatalogEncryptionMode' != 'DISABLED' then 'Glue data catalog metadata encryption is enabled in ' || region || '.'\n else 'Glue data catalog metadata encryption is disabled in ' || region || '.'\n end as reason\n \nfrom\n aws_glue_data_catalog_encryption_settings;" PrimaryTable: aws_glue_data_catalog_encryption_settings ListOfTables: - - aws_glue_data_catalog_encryption_settings + - aws_glue_data_catalog_encryption_settings Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_password_encryption_enabled.yaml b/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_password_encryption_enabled.yaml index f97537a11..330c02866 100755 --- a/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_password_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_glue_data_catalog_encryption_settings_password_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_glue_data_catalog_encryption_settings_password_encryption_enabled Title: "Glue data catalog connection password encryption should be enabled" Description: "Ensure Glue data catalog connection password encryption is enabled to protect sensitive information at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -22,7 +20,9 @@ Query: aws_glue_data_catalog_encryption_settings; PrimaryTable: aws_glue_data_catalog_encryption_settings ListOfTables: - - aws_glue_data_catalog_encryption_settings + - aws_glue_data_catalog_encryption_settings Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_glue_job_bookmarks_encryption_enabled.yaml b/compliance/controls/aws/aws_glue_job_bookmarks_encryption_enabled.yaml index c40121aad..91a8f529b 100755 --- a/compliance/controls/aws/aws_glue_job_bookmarks_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_glue_job_bookmarks_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_glue_job_bookmarks_encryption_enabled Title: "Glue jobs bookmarks encryption should be enabled" Description: "Ensure Glue job bookmarks have encryption enabled to protect sensitive information at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -23,8 +21,10 @@ Query: left join aws_glue_security_configuration as c on j.security_configuration = c.name; PrimaryTable: aws_glue_job ListOfTables: - - aws_glue_job - - aws_glue_security_configuration + - aws_glue_job + - aws_glue_security_configuration Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_guardduty_enabled.yaml b/compliance/controls/aws/aws_guardduty_enabled.yaml index cd87886c9..5e2f93a0a 100755 --- a/compliance/controls/aws/aws_guardduty_enabled.yaml +++ b/compliance/controls/aws/aws_guardduty_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_guardduty_enabled Title: "GuardDuty should be enabled" Description: "AWS GuardDuty can help to monitor and detect potential cybersecurity events by using threat intelligence feeds." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -32,44 +30,46 @@ Query: left join aws_guardduty_detector d on r.account_id = d.account_id and r.name = d.region; PrimaryTable: aws_region ListOfTables: - - aws_guardduty_detector - - aws_region + - aws_guardduty_detector + - aws_region Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/GuardDuty + - AWS/GuardDuty soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_guardduty_finding_archived.yaml b/compliance/controls/aws/aws_guardduty_finding_archived.yaml index 3e405646a..7d235a333 100755 --- a/compliance/controls/aws/aws_guardduty_finding_archived.yaml +++ b/compliance/controls/aws/aws_guardduty_finding_archived.yaml @@ -1,8 +1,6 @@ ID: aws_guardduty_finding_archived Title: "GuardDuty findings should be archived" Description: "AWS GuardDuty helps you understand the impact of an incident by classifying findings by severity: low, medium, and high." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -23,39 +21,41 @@ Query: aws_guardduty_finding; PrimaryTable: aws_guardduty_finding ListOfTables: - - aws_guardduty_finding + - aws_guardduty_finding Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/GuardDuty + - AWS/GuardDuty soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_guardduty_no_high_severity_findings.yaml b/compliance/controls/aws/aws_guardduty_no_high_severity_findings.yaml index 53ff1e43f..13310ae05 100755 --- a/compliance/controls/aws/aws_guardduty_no_high_severity_findings.yaml +++ b/compliance/controls/aws/aws_guardduty_no_high_severity_findings.yaml 
@@ -1,8 +1,6 @@ ID: aws_guardduty_no_high_severity_findings Title: "GuardDuty Detector should not have high severity findings" Description: "GuardDuty generates a finding whenever it detects unexpected and potentially malicious activity in your AWS environment. If critical findings are not addressed threats can spread in the environment. This rule is non-compliant if there are high severity findings." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -46,8 +44,10 @@ Query: left join finding_count as fc on fc.detector_id = d.detector_id; PrimaryTable: aws_guardduty_detector ListOfTables: - - aws_guardduty_detector - - aws_guardduty_finding + - aws_guardduty_detector + - aws_guardduty_finding Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_access_analyzer_enabled.yaml b/compliance/controls/aws/aws_iam_access_analyzer_enabled.yaml index 1c3bdc436..01edde642 100755 --- a/compliance/controls/aws/aws_iam_access_analyzer_enabled.yaml +++ b/compliance/controls/aws/aws_iam_access_analyzer_enabled.yaml 
@@ -1,74 +1,34 @@ ID: aws_iam_access_analyzer_enabled Title: "Ensure that IAM Access analyzer is enabled for all regions" Description: "This control checks whether IAM Access analyzer is enabled for all regions. The control fails if IAM Access analyzer is not enabled for all regions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with regions as ( - select - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, - r.og_account_id as og_account_id, - r.og_resource_id as og_resource_id, - case - when r.opt_in_status = 'not-opted-in' then 1 - when aa.arn is not null then 0 - else 2 - end as status, - r.region, r.account_id - from - aws_region as r - left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region - ), - results as ( - SELECT - account_id AS resource, - og_account_id as og_account_id, - og_account_id as og_resource_id, - case - when max(status) = 2 then 'alarm' - when max(status) = 1 then 'skip' - when max(status) = 0 then 'ok' - end as status, - case - when max(status) = 2 then 'IAM Access analyzer is not enabled for this account on regions: [' || string_agg(region, ',') || ']' - when max(status) = 1 then 'Account is not opted in regions: [' || string_agg(region, ',') || ']' - when max(status) = 0 then 'IAM Access analyzer is enabled for this account on regions: [' || string_agg(region, ',') || ']' - end as reason - FROM regions - GROUP BY account_id, og_account_id - ) - SELECT - r.resource AS resource, - r.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - r.status as status, - r.reason as reason - FROM results as r JOIN aws_account as a ON r.og_account_id = a.og_account_id + QueryToExecute: "with regions as (\n select\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\n r.og_account_id as og_account_id,\n r.og_resource_id as og_resource_id,\n case\n when r.opt_in_status = 'not-opted-in' then 1\n when aa.arn is not 
null then 0\n else 2\n end as status,\n r.region, r.account_id\n from\n aws_region as r\n left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region\n),\nresults as (\n SELECT\n account_id AS resource,\n og_account_id as og_account_id,\n og_account_id as og_resource_id,\n case\n when max(status) = 2 then 'alarm'\n when max(status) = 1 then 'skip'\n when max(status) = 0 then 'ok'\n end as status,\n case\n when max(status) = 2 then 'IAM Access analyzer is not enabled for this account on regions: [' || string_agg(region, ',') || ']' \n when max(status) = 1 then 'Account is not opted in regions: [' || string_agg(region, ',') || ']'\n when max(status) = 0 then 'IAM Access analyzer is enabled for this account on regions: [' || string_agg(region, ',') || ']'\n end as reason\n FROM regions\n GROUP BY account_id, og_account_id\n)\nSELECT \n r.resource AS resource,\n r.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n r.status as status,\n r.reason as reason\nFROM results as r JOIN aws_account as a ON r.og_account_id = a.og_account_id\n" PrimaryTable: aws_account ListOfTables: - - aws_accessanalyzer_analyzer - - aws_account - - aws_region + - aws_accessanalyzer_analyzer + - aws_account + - aws_region Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.21" + - "1.21" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_account_password_policy_min_length_14.yaml b/compliance/controls/aws/aws_iam_account_password_policy_min_length_14.yaml index 75e51d308..2b609f155 100755 --- a/compliance/controls/aws/aws_iam_account_password_policy_min_length_14.yaml +++ b/compliance/controls/aws/aws_iam_account_password_policy_min_length_14.yaml 
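Review bot: The `results` CTE aggregates the per-region codes with `max(status)`, so an account that has an analyzer in every opted-in region but has any region still `not-opted-in` (code 1) is reported as `skip` instead of `ok`, and the `ok` branch is only reachable when every row of aws_region is opted in; assuming aws_region lists non-opted-in regions too (the `opt_in_status` check suggests it does), this would hide compliant accounts, which for a CIS 1.21 control is worth confirming. A fix is to drop non-opted-in regions from the aggregation rather than ranking them, e.g. add `where r.opt_in_status <> 'not-opted-in'` to the `regions` CTE so only codes 0 and 2 remain, keeping the `skip` branch for the case where no region survives the filter. The conversion also kept stray trailing spaces inside the literal (`|| ']' \n`, `SELECT \n`), harmless to SQL but noise that the block-scalar form would not have introduced.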
@@ -1,8 +1,6 @@
 ID: aws_iam_account_password_policy_min_length_14
 Title: "Ensure IAM password policy requires a minimum length of 14 or greater"
 Description: "Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords are at least a given length. Security Hub recommends that the password policy require a minimum password length of 14 characters."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -24,24 +22,26 @@ Query:
 left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 gdpr:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_account_password_policy_one_lowercase_letter.yaml b/compliance/controls/aws/aws_iam_account_password_policy_one_lowercase_letter.yaml
index c686de05d..eb006b842 100755
--- a/compliance/controls/aws/aws_iam_account_password_policy_one_lowercase_letter.yaml
+++ b/compliance/controls/aws/aws_iam_account_password_policy_one_lowercase_letter.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_account_password_policy_one_lowercase_letter
 Title: "Ensure IAM password policy requires at least one lowercase letter"
 Description: "Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one lowercase letter. Setting a password complexity policy increases account resiliency against brute force login attempts."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -25,26 +23,28 @@ Query:
 left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: low
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.6"
+ - "1.6"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - scored
+ - scored
 cis_version:
- - v1.2.0
+ - v1.2.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_account_password_policy_one_number.yaml b/compliance/controls/aws/aws_iam_account_password_policy_one_number.yaml
index 39ff38b20..36d96b894 100755
--- a/compliance/controls/aws/aws_iam_account_password_policy_one_number.yaml
+++ b/compliance/controls/aws/aws_iam_account_password_policy_one_number.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_account_password_policy_one_number
 Title: "Ensure IAM password policy requires at least one number"
 Description: "Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -25,26 +23,28 @@ Query:
 left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.8"
+ - "1.8"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - scored
+ - scored
 cis_version:
- - v1.2.0
+ - v1.2.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_account_password_policy_one_symbol.yaml b/compliance/controls/aws/aws_iam_account_password_policy_one_symbol.yaml
index 847ac9922..ceb93c9c2 100755
--- a/compliance/controls/aws/aws_iam_account_password_policy_one_symbol.yaml
+++ b/compliance/controls/aws/aws_iam_account_password_policy_one_symbol.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_account_password_policy_one_symbol
 Title: "Ensure IAM password policy requires at least one symbol"
 Description: "Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets. Security Hub recommends that the password policy require at least one symbol. Setting a password complexity policy increases account resiliency against brute force login attempts."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -25,26 +23,28 @@ Query:
 left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.7"
+ - "1.7"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - scored
+ - scored
 cis_version:
- - v1.2.0
+ - v1.2.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_account_password_policy_one_uppercase_letter.yaml b/compliance/controls/aws/aws_iam_account_password_policy_one_uppercase_letter.yaml
index 1043695ca..699437260 100755
--- a/compliance/controls/aws/aws_iam_account_password_policy_one_uppercase_letter.yaml
+++ b/compliance/controls/aws/aws_iam_account_password_policy_one_uppercase_letter.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_account_password_policy_one_uppercase_letter
 Title: "Ensure IAM password policy requires at least one uppercase letter"
 Description: "Password policies, in part, enforce password complexity requirements. Use IAM password policies to ensure that passwords use different character sets."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -25,26 +23,28 @@ Query:
 left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.5"
+ - "1.5"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - scored
+ - scored
 cis_version:
- - v1.2.0
+ - v1.2.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_account_password_policy_reuse_24.yaml b/compliance/controls/aws/aws_iam_account_password_policy_reuse_24.yaml
index e1b19dbd4..5deab6149 100755
--- a/compliance/controls/aws/aws_iam_account_password_policy_reuse_24.yaml
+++ b/compliance/controls/aws/aws_iam_account_password_policy_reuse_24.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_account_password_policy_reuse_24
 Title: "Ensure IAM password policy prevents password reuse"
 Description: "This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24. IAM password policies can prevent the reuse of a given password by the same user."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -25,26 +23,28 @@ Query:
 left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.10"
+ - "1.10"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - scored
+ - scored
 cis_version:
- - v1.2.0
+ - v1.2.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_account_password_policy_strong_min_length_8.yaml b/compliance/controls/aws/aws_iam_account_password_policy_strong_min_length_8.yaml
index 94a09cfd3..8aaea9a76 100755
--- a/compliance/controls/aws/aws_iam_account_password_policy_strong_min_length_8.yaml
+++ b/compliance/controls/aws/aws_iam_account_password_policy_strong_min_length_8.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_account_password_policy_strong_min_length_8
 Title: "Password policies for IAM users should have strong configurations with minimum length of 8 or greater"
 Description: "This control checks whether the account password policy for IAM users uses the recommended configurations."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -37,20 +35,22 @@ Query:
 left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - secure_access_management
+ - secure_access_management
 foundational_security_item_id:
- - iam_7
+ - iam_7
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_account_password_policy_strong_min_reuse_24.yaml b/compliance/controls/aws/aws_iam_account_password_policy_strong_min_reuse_24.yaml
index 9fd110d10..013fdbf26 100755
--- a/compliance/controls/aws/aws_iam_account_password_policy_strong_min_reuse_24.yaml
+++ b/compliance/controls/aws/aws_iam_account_password_policy_strong_min_reuse_24.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_account_password_policy_strong_min_reuse_24
 Title: "IAM password policies for users should have strong configurations"
 Description: "The identities and the credentials are issued, managed, and verified based on an organizational IAM password policy."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -41,32 +39,34 @@ Query:
 left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_account_password_policy
+ - aws_account
+ - aws_iam_account_password_policy
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 rbi_cyber_security:
- - "true"
+ - "true"
 service:
- - AWS/IAM
+ - AWS/IAM
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_all_policy_no_service_wild_card.yaml b/compliance/controls/aws/aws_iam_all_policy_no_service_wild_card.yaml
index 607227801..8634cbd98 100755
--- a/compliance/controls/aws/aws_iam_all_policy_no_service_wild_card.yaml
+++ b/compliance/controls/aws/aws_iam_all_policy_no_service_wild_card.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_all_policy_no_service_wild_card
 Title: "Ensure IAM policy should not grant full access to service"
 Description: "Checks if AWS Identity and Access Management (IAM) policies grant permissions to all actions on individual AWS resources. The rule is non-compliant if the managed IAM policy allows full access to at least 1 AWS service."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -43,7 +41,9 @@ Query:
 not p.is_aws_managed;
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
+ - aws_iam_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_custom_policy_unattached_no_star_star.yaml b/compliance/controls/aws/aws_iam_custom_policy_unattached_no_star_star.yaml
index b09b3623e..2f2bae46c 100755
--- a/compliance/controls/aws/aws_iam_custom_policy_unattached_no_star_star.yaml
+++ b/compliance/controls/aws/aws_iam_custom_policy_unattached_no_star_star.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_custom_policy_unattached_no_star_star
 Title: "IAM unattached custom policy should not have statements with admin access"
 Description: "AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -46,7 +44,9 @@ Query:
 and not is_attached;
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
+ - aws_iam_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_group_not_empty.yaml b/compliance/controls/aws/aws_iam_group_not_empty.yaml
index 2c5f5d845..8a9815ad6 100755
--- a/compliance/controls/aws/aws_iam_group_not_empty.yaml
+++ b/compliance/controls/aws/aws_iam_group_not_empty.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_group_not_empty
 Title: "IAM groups should have at least one user"
 Description: "AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, by ensuring that IAM groups have at least one IAM user."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -23,35 +21,37 @@ Query:
 aws_iam_group;
 PrimaryTable: aws_iam_group
 ListOfTables:
- - aws_iam_group
+ - aws_iam_group
 Parameters: []
 Severity: low
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_group_user_role_no_inline_policies.yaml b/compliance/controls/aws/aws_iam_group_user_role_no_inline_policies.yaml
index 8fea2fbbf..50b44d783 100755
--- a/compliance/controls/aws/aws_iam_group_user_role_no_inline_policies.yaml
+++ b/compliance/controls/aws/aws_iam_group_user_role_no_inline_policies.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_group_user_role_no_inline_policies
 Title: "IAM groups, users, and roles should not have any inline policies"
 Description: "Ensure an AWS Identity and Access Management (IAM) user, IAM role or IAM group does not have an inline policy to control access to systems and assets."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -51,41 +49,43 @@ Query:
 aws_iam_group;
 PrimaryTable: ""
 ListOfTables:
- - aws_iam_group
- - aws_iam_role
- - aws_iam_user
+ - aws_iam_group
+ - aws_iam_role
+ - aws_iam_user
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 rbi_cyber_security:
- - "true"
+ - "true"
 service:
- - AWS/IAM
+ - AWS/IAM
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml b/compliance/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml
index 54d311023..d5e960e6a 100755
--- a/compliance/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml
+++ b/compliance/controls/aws/aws_iam_inline_policy_no_administrative_privileges.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_inline_policy_no_administrative_privileges
 Title: "IAM inline policy should not have administrative privileges"
 Description: "Ensure that no inline IAM policies exist that allow administrative privileges."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -77,15 +75,17 @@ Query: end status, p.name || ' contains ' || coalesce(bad.statements_num,0) || ' statements that allow action "*" on resource "*".' as reason - + from full_administrative_privilege_policies as p left join bad_policies as bad on p.arn = bad.arn; PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user - - aws_iam_role - - aws_iam_group + - aws_iam_user + - aws_iam_role + - aws_iam_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_managed_policy_attached_to_role.yaml b/compliance/controls/aws/aws_iam_managed_policy_attached_to_role.yaml index 6c0348671..703fa98bd 100755 --- a/compliance/controls/aws/aws_iam_managed_policy_attached_to_role.yaml +++ b/compliance/controls/aws/aws_iam_managed_policy_attached_to_role.yaml 
@@ -1,54 +1,30 @@
 ID: aws_iam_managed_policy_attached_to_role
 Title: "IAM AWS managed policies should be attached to IAM role"
 Description: "This control checks if all AWS managed policies specified in the list of managed policies are attached to the AWS Identity and Access Management (IAM) role. The rule is non-compliant if an AWS managed policy is not attached to the IAM role."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with role_attached_policies as (
- select
- jsonb_array_elements_text(attached_policy_arns) as policy_arn
- from
- aws_iam_role
- )
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when arn in (select policy_arn from role_attached_policies) then 'ok'
- else 'alarm'
- end as status,
- case
- when arn in (select policy_arn from role_attached_policies) then title || ' attached to IAM role.'
- else title || ' not attached to IAM role.'
- end as reason
-
- , account_id
- from
- aws_iam_policy
- where
- is_aws_managed;
+ QueryToExecute: "with role_attached_policies as (\n select\n jsonb_array_elements_text(attached_policy_arns) as policy_arn\n from\n aws_iam_role\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when arn in (select policy_arn from role_attached_policies) then 'ok'\n else 'alarm'\n end as status,\n case\n when arn in (select policy_arn from role_attached_policies) then title || ' attached to IAM role.'\n else title || ' not attached to IAM role.'\n end as reason\n \n , account_id\nfrom\n aws_iam_policy\nwhere\n is_aws_managed;\n"
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
- - aws_iam_role
- - aws_managed
+ - aws_iam_policy
+ - aws_iam_role
+ - aws_managed
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_policy_all_attached_no_star_star.yaml b/compliance/controls/aws/aws_iam_policy_all_attached_no_star_star.yaml
index f47fe257e..d5cb424fb 100755
--- a/compliance/controls/aws/aws_iam_policy_all_attached_no_star_star.yaml
+++ b/compliance/controls/aws/aws_iam_policy_all_attached_no_star_star.yaml
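Review bot: `ListOfTables` carries `- aws_managed`, which the query never reads — it selects only from `aws_iam_role` and `aws_iam_policy` — so the entry looks like a leftover from the `is_aws_managed` column name rather than a table. If ListOfTables is used to resolve or validate the control's table dependencies, an unknown table name may make the control fail to load or at least misleads whoever maintains it; unless aws_managed is a table the loader knows, drop the line and keep `- aws_iam_policy` and `- aws_iam_role`. The same entry appears in the ListOfTables of aws_iam_policy_all_attached_no_star_star, aws_iam_policy_custom_attached_no_star_star and aws_iam_policy_custom_no_blocked_kms_actions, whose queries read only aws_iam_policy.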
@@ -1,76 +1,33 @@
 ID: aws_iam_policy_all_attached_no_star_star
 Title: "Ensure IAM policies that allow full \\\"*:*\\\" administrative privileges are not attached"
 Description: "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with star_access_policies as (
- select
- arn,
- is_aws_managed,
- count(*) as num_bad_statements
- from
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') as s,
- jsonb_array_elements_text(s -> 'Resource') as resource,
- jsonb_array_elements_text(s -> 'Action') as action
- where
- s ->> 'Effect' = 'Allow'
- and resource = '*'
- and (
- (action = '*'
- or action = '*:*'
- )
- )
- and is_attached
- group by
- arn,
- is_aws_managed
- )
- select
- p.arn as resource,
- p.og_account_id as og_account_id,
- p.og_resource_id as og_resource_id,
- case
- when s.arn is not null and s.is_aws_managed then 'info'
- when s.arn is null then 'ok'
- else 'alarm'
- end status,
- case
- when s.arn is not null and s.is_aws_managed then p.name || ' is an AWS managed policy with ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
- else p.name || ' contains ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action "*" on resource "*".'
- end as reason
-
- , p.account_id
- from
- aws_iam_policy as p
- left join star_access_policies as s on p.arn = s.arn
- where
- p.is_attached;
+ QueryToExecute: "with star_access_policies as (\n select\n arn,\n is_aws_managed,\n count(*) as num_bad_statements\n from\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Resource') as resource,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n s ->> 'Effect' = 'Allow'\n and resource = '*'\n and (\n (action = '*'\n or action = '*:*'\n )\n )\n and is_attached\n group by\n arn,\n is_aws_managed\n)\nselect\n p.arn as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when s.arn is not null and s.is_aws_managed then 'info'\n when s.arn is null then 'ok'\n else 'alarm'\n end status,\n case\n when s.arn is not null and s.is_aws_managed then p.name || ' is an AWS managed policy with ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action \"*\" on resource \"*\".'\n else p.name || ' contains ' || coalesce(s.num_bad_statements, 0) || ' statements that allow action \"*\" on resource \"*\".'\n end as reason\n \n , p.account_id\nfrom\n aws_iam_policy as p\n left join star_access_policies as s on p.arn = s.arn\nwhere\n p.is_attached;\n"
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
- - aws_managed
+ - aws_iam_policy
+ - aws_managed
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.22"
+ - "1.22"
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - scored
+ - scored
 cis_version:
- - v1.2.0
+ - v1.2.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_policy_custom_attached_no_star_star.yaml b/compliance/controls/aws/aws_iam_policy_custom_attached_no_star_star.yaml
index c5b8f14ea..0ca98e466 100755
--- a/compliance/controls/aws/aws_iam_policy_custom_attached_no_star_star.yaml
+++ b/compliance/controls/aws/aws_iam_policy_custom_attached_no_star_star.yaml
@@ -1,65 +1,27 @@
 ID: aws_iam_policy_custom_attached_no_star_star
 Title: "IAM policies should not allow full '*' administrative privileges"
 Description: "This control checks whether the default version of IAM policies (also known as customer managed policies) has administrator access that includes a statement with 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'. The control only checks the customer managed policies that you create. It does not check inline and AWS managed policies."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- -- This query checks the customer managed policies having * access and attached to IAM resource(s)
- with star_access_policies as (
- select
- arn,
- count(*) as num_bad_statements
- from
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') as s,
- jsonb_array_elements_text(s -> 'Resource') as resource,
- jsonb_array_elements_text(s -> 'Action') as action
- where
- not is_aws_managed
- and s ->> 'Effect' = 'Allow'
- and resource = '*'
- and (
- (action = '*'
- or action = '*:*'
- )
- )
- and is_attached
- group by arn
- )
- select
- p.arn as resource,
- p.og_account_id as og_account_id,
- p.og_resource_id as og_resource_id,
- case
- when s.arn is null then 'ok'
- else 'alarm'
- end status,
- p.name || ' contains ' || coalesce(s.num_bad_statements,0) || ' statements that allow action "*" on resource "*".' as reason
-
- , p.account_id
- from
- aws_iam_policy as p
- left join star_access_policies as s on p.arn = s.arn
- where
- not p.is_aws_managed;
+ QueryToExecute: "-- This query checks the customer managed policies having * access and attached to IAM resource(s)\nwith star_access_policies as (\n select\n arn,\n count(*) as num_bad_statements\n from\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Resource') as resource,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n not is_aws_managed\n and s ->> 'Effect' = 'Allow'\n and resource = '*'\n and (\n (action = '*'\n or action = '*:*'\n )\n )\n and is_attached\n group by arn\n)\nselect\n p.arn as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when s.arn is null then 'ok'\n else 'alarm'\n end status,\n p.name || ' contains ' || coalesce(s.num_bad_statements,0) || ' statements that allow action \"*\" on resource \"*\".' as reason\n \n , p.account_id\nfrom\n aws_iam_policy as p\n left join star_access_policies as s on p.arn = s.arn\nwhere\n not p.is_aws_managed;\n"
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
- - aws_managed
+ - aws_iam_policy
+ - aws_managed
 Parameters: []
 Severity: high
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - secure_access_management
+ - secure_access_management
 foundational_security_item_id:
- - iam_1
+ - iam_1
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_policy_custom_no_assume_role.yaml b/compliance/controls/aws/aws_iam_policy_custom_no_assume_role.yaml
index 5eb745cf4..e086a1a0f 100755
--- a/compliance/controls/aws/aws_iam_policy_custom_no_assume_role.yaml
+++ b/compliance/controls/aws/aws_iam_policy_custom_no_assume_role.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_policy_custom_no_assume_role
 Title: "IAM roles should not have any assume role policies attached"
 Description: "Role assume policies can provide access to roles in external AWS accounts."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -36,7 +34,9 @@ Query:
 u.name;
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_policy_custom_no_blocked_kms_actions.yaml b/compliance/controls/aws/aws_iam_policy_custom_no_blocked_kms_actions.yaml
index 273964cff..b433b8b84 100755
--- a/compliance/controls/aws/aws_iam_policy_custom_no_blocked_kms_actions.yaml
+++ b/compliance/controls/aws/aws_iam_policy_custom_no_blocked_kms_actions.yaml
@@ -1,71 +1,39 @@
 ID: aws_iam_policy_custom_no_blocked_kms_actions
 Title: "Ensure managed IAM policies should not allow blocked actions on KMS keys"
 Description: "Checks if the managed AWS Identity and Access Management (IAM) policies that you create do not allow blocked actions on AWS KMS keys. The rule is non - compliant if any blocked action is allowed on AWS KMS keys by the managed IAM policy."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with kms_blocked_actions as (
- select
- arn,
- count(*) as statements_num
- from
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') as s,
- jsonb_array_elements_text(s -> 'Resource') as resource,
- jsonb_array_elements_text(s -> 'Action') as action
- where
- not is_aws_managed
- and s ->> 'Effect' = 'Allow'
- and action like any(array['kms:decrypt', 'kms:reencryptfrom'])
- group by
- arn
- )
- select
- p.arn as resource,
- p.og_account_id as og_account_id,
- p.og_resource_id as og_resource_id,
- case
- when w.arn is null then 'ok'
- else 'alarm'
- end status,
- p.name || ' contains ' || coalesce(w.statements_num,0) || ' statements that allow blocked actions on AWS KMS keys.' as reason
-
- , p.account_id
- from
- aws_iam_policy as p
- left join kms_blocked_actions as w on p.arn = w.arn
- where
- not p.is_aws_managed;
+ QueryToExecute: "with kms_blocked_actions as (\n select\n arn,\n count(*) as statements_num\n from\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Resource') as resource,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n not is_aws_managed\n and s ->> 'Effect' = 'Allow'\n and action like any(array['kms:decrypt', 'kms:reencryptfrom'])\n group by\n arn\n)\nselect\n p.arn as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when w.arn is null then 'ok'\n else 'alarm'\n end status,\n p.name || ' contains ' || coalesce(w.statements_num,0) || ' statements that allow blocked actions on AWS KMS keys.' as reason\n \n , p.account_id\nfrom\n aws_iam_policy as p\n left join kms_blocked_actions as w on p.arn = w.arn\nwhere\n not p.is_aws_managed;\n"
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
- - aws_managed
+ - aws_iam_policy
+ - aws_managed
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_policy_custom_no_permissive_role_assumption.yaml b/compliance/controls/aws/aws_iam_policy_custom_no_permissive_role_assumption.yaml
index 59bcab32b..792564afe 100755
--- a/compliance/controls/aws/aws_iam_policy_custom_no_permissive_role_assumption.yaml
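Review bot: The filter `action like any(array['kms:decrypt', 'kms:reencryptfrom'])` in kms_blocked_actions contains no wildcard, so it is an exact match and a statement granting `kms:*` or `*` is not counted — the control reports `ok` for precisely the broadest grants, which is the opposite of what the Description promises. The lowercase literals suggest policy_std normalises action names, which I cannot confirm from here; assuming it does, turn the policy's own wildcard into a pattern and test each blocked action against it, `and ('kms:decrypt' like replace(action, '*', '%') or 'kms:reencryptfrom' like replace(action, '*', '%'))`, so that `*`, `kms:*`, `kms:re*` and the exact names all match. The `statements_num` reported in the reason text is also inflated, because the query expands `jsonb_array_elements_text(s -> 'Resource') as resource` without using `resource`, multiplying every matching statement by its number of Resource entries; either drop that expansion or count distinct statements.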
+++ b/compliance/controls/aws/aws_iam_policy_custom_no_permissive_role_assumption.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_policy_custom_no_permissive_role_assumption
 Title: "IAM custom policy should not have overly permissive STS role assumption"
 Description: "Ensure that no custom IAM policies exist which allow permissive role assumption."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -45,7 +43,9 @@ Query:
 not is_aws_managed;
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
+ - aws_iam_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_policy_inline_no_blocked_kms_actions.yaml b/compliance/controls/aws/aws_iam_policy_inline_no_blocked_kms_actions.yaml
index 224696438..56bc15f27 100755
--- a/compliance/controls/aws/aws_iam_policy_inline_no_blocked_kms_actions.yaml
+++ b/compliance/controls/aws/aws_iam_policy_inline_no_blocked_kms_actions.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_policy_inline_no_blocked_kms_actions
 Title: "Ensure inline policies attached to IAM users, roles, and groups should not allow blocked actions on KMS keys"
 Description: "Checks if the inline policies attached to IAM users, roles, and groups do not allow blocked actions on all AWS Key Management Service (KMS) keys. The rule is non - compliant if any blocked action is allowed on all KMS keys in an inline policy."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -78,29 +76,31 @@ Query: left join kms_blocked_actions as w on u.arn = w.arn; PrimaryTable: "" ListOfTables: - - aws_iam_group - - aws_iam_role - - aws_iam_user + - aws_iam_group + - aws_iam_role + - aws_iam_user Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_policy_no_full_access_to_cloudtrail.yaml b/compliance/controls/aws/aws_iam_policy_no_full_access_to_cloudtrail.yaml index d6d5002ae..f743bc23f 100755 --- a/compliance/controls/aws/aws_iam_policy_no_full_access_to_cloudtrail.yaml +++ b/compliance/controls/aws/aws_iam_policy_no_full_access_to_cloudtrail.yaml @@ -1,8 +1,6 @@ ID: aws_iam_policy_no_full_access_to_cloudtrail Title: "IAM policy should not grant full access to cloudtrail service" Description: "CloudTrail is a critical service and IAM policies should follow least privilege model for this service in particular. This control is non-compliant if the managed IAM policy allows full access to cloudtrail service." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -40,7 +38,9 @@ Query: not p.is_aws_managed; PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_policy_no_full_access_to_kms.yaml b/compliance/controls/aws/aws_iam_policy_no_full_access_to_kms.yaml index ed4aedd30..40d3a047d 100755 --- a/compliance/controls/aws/aws_iam_policy_no_full_access_to_kms.yaml 
+++ b/compliance/controls/aws/aws_iam_policy_no_full_access_to_kms.yaml 
@@ -1,48 +1,14 @@ ID: aws_iam_policy_no_full_access_to_kms Title: "IAM policy should not grant full access to KMS service" Description: "KMS is a critical service and IAM policies should follow least privilege model for this service in particular. This control is non-compliant if the managed IAM policy allows full access to KMS service." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with cloudtrail_full_access_policies as ( - select - arn, - count(*) as statements_num - from - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Resource') as resource, - jsonb_array_elements_text(s -> 'Action') as action - where - not is_aws_managed - and s ->> 'Effect' = 'Allow' - and resource = '*' - and action = 'cloudtrail:*' - group by - arn - ) - select - p.arn as resource, - p.og_account_id as og_account_id, - p.og_resource_id as og_resource_id, - case - when w.arn is null then 'ok' - else 'alarm' - end status, - p.name || ' contains ' || coalesce(w.statements_num,0) || - ' statements that allow action "*" on at cloudtrail service on resource "*".' 
as reason - - - from - aws_iam_policy as p - left join cloudtrail_full_access_policies as w on p.arn = w.arn - where - not p.is_aws_managed; + QueryToExecute: "with cloudtrail_full_access_policies as (\n select\n arn,\n count(*) as statements_num\n from\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Resource') as resource,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n not is_aws_managed\n and s ->> 'Effect' = 'Allow'\n and resource = '*'\n and action = 'cloudtrail:*'\n group by\n arn\n)\nselect\n p.arn as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when w.arn is null then 'ok'\n else 'alarm'\n end status,\n p.name || ' contains ' || coalesce(w.statements_num,0) ||\n ' statements that allow action \"*\" on at cloudtrail service on resource \"*\".' as reason\n \n \nfrom\n aws_iam_policy as p\n left join cloudtrail_full_access_policies as w on p.arn = w.arn\nwhere\n not p.is_aws_managed;" PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_policy_no_star_star.yaml b/compliance/controls/aws/aws_iam_policy_no_star_star.yaml index a0cbf61b8..5abd5fea5 100755 --- a/compliance/controls/aws/aws_iam_policy_no_star_star.yaml +++ b/compliance/controls/aws/aws_iam_policy_no_star_star.yaml @@ -1,8 +1,6 @@ ID: aws_iam_policy_no_star_star Title: "IAM policy should not have statements with admin access" Description: "AWS Identity and Access Management (IAM) can help you incorporate the principles of least privilege and separation of duties with access permissions and authorizations, restricting policies from containing 'Effect': 'Allow' with 'Action': '*' over 'Resource': '*'." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
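Review bot: The rewritten QueryToExecute for aws_iam_policy_no_full_access_to_kms still filters on `and action = 'cloudtrail:*'`, so the control evaluates CloudTrail rather than KMS full-access grants even though its ID, Title and Description all say KMS; the CTE name `cloudtrail_full_access_policies` and the reason text `on at cloudtrail service` carry the same copy-paste. A policy that allows `kms:*` on resource `*` therefore never joins the CTE and is reported as ok. The filter should read `and action = 'kms:*'`, the reason text `' statements that allow action \"*\" on at kms service on resource \"*\".'`, and the CTE should be renamed to match (e.g. `kms_full_access_policies`).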
@@ -46,19 +44,21 @@ Query: p.arn not like 'arn:aws:iam::aws:policy%' PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: [] Severity: low Tags: pci: - - "true" + - "true" pci_item_id: - - iam_3 + - iam_3 pci_requirements: - - 7.2.1 + - 7.2.1 pci_version: - - v3.2.1 + - v3.2.1 plugin: - - aws + - aws service: - - iam + - iam +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_policy_unused.yaml b/compliance/controls/aws/aws_iam_policy_unused.yaml index d90b3bade..191771922 100755 --- a/compliance/controls/aws/aws_iam_policy_unused.yaml +++ b/compliance/controls/aws/aws_iam_policy_unused.yaml 
@@ -1,65 +1,31 @@ ID: aws_iam_policy_unused Title: "IAM policy should be in use" Description: "This control checks whether the IAM policy ARN is attached to an IAM user, or a group with one or more IAM users, or an IAM role with one or more trusted entity." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with in_use_policies as ( - select - attached_policy_arns - from - aws_iam_user - union - select - attached_policy_arns - from - aws_iam_group - where - jsonb_array_length(users) > 0 - union - select - attached_policy_arns - from - aws_iam_role - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when arn in (select jsonb_array_elements_text(attached_policy_arns) from in_use_policies) then 'ok' - else 'alarm' - end as status, - case - when arn in (select jsonb_array_elements_text(attached_policy_arns) from in_use_policies) then title || ' in use.' - else title || ' not in use.' - end as reason - - , account_id - from - aws_iam_policy; + QueryToExecute: "with in_use_policies as (\n select\n attached_policy_arns\n from\n aws_iam_user\n union\n select\n attached_policy_arns\n from\n aws_iam_group\n where\n jsonb_array_length(users) > 0\n union\n select\n attached_policy_arns\n from\n aws_iam_role\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when arn in (select jsonb_array_elements_text(attached_policy_arns) from in_use_policies) then 'ok'\n else 'alarm'\n end as status,\n case\n when arn in (select jsonb_array_elements_text(attached_policy_arns) from in_use_policies) then title || ' in use.'\n else title || ' not in use.'\n end as reason\n \n , account_id\nfrom\n aws_iam_policy;\n" PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_group - - aws_iam_policy - - aws_iam_role - - aws_iam_user + - aws_iam_group + - aws_iam_policy + - aws_iam_role + - aws_iam_user Parameters: [] Severity: high Tags: category: - - Compliance + 
- Compliance cis_controls_v8_ig1: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_role_no_administrator_access_policy_attached.yaml b/compliance/controls/aws/aws_iam_role_no_administrator_access_policy_attached.yaml index 32c20f004..dfb29f1f7 100755 --- a/compliance/controls/aws/aws_iam_role_no_administrator_access_policy_attached.yaml +++ b/compliance/controls/aws/aws_iam_role_no_administrator_access_policy_attached.yaml @@ -1,8 +1,6 @@ ID: aws_iam_role_no_administrator_access_policy_attached Title: "Ensure IAM role not attached with Administratoraccess policy" Description: "AWS IAM role should not be attached Administratoraccess policy." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -36,7 +34,9 @@ Query: r.name; PrimaryTable: aws_iam_role ListOfTables: - - aws_iam_role + - aws_iam_role Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_role_should_not_have_trust_to_cognito_full_access.yaml b/compliance/controls/aws/aws_iam_role_should_not_have_trust_to_cognito_full_access.yaml index 73bbddb09..70949665f 100755 --- a/compliance/controls/aws/aws_iam_role_should_not_have_trust_to_cognito_full_access.yaml +++ b/compliance/controls/aws/aws_iam_role_should_not_have_trust_to_cognito_full_access.yaml @@ -1,8 +1,6 @@ ID: aws_iam_role_should_not_have_trust_to_cognito_full_access Title: "AWS IAM role should not have permissive trust with the Cognito Identity service and \"FullAccess\" permissions" Description: "" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
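Review bot: In the converted QueryToExecute of aws_iam_policy_unused the role branch of `in_use_policies` has no predicate, unlike the group branch's `jsonb_array_length(users) > 0`, so the Description's condition "an IAM role with one or more trusted entity" is not enforced and a policy attached only to a role nobody can assume still counts as in use. Either add a filter on the role's trust policy in that branch or reword the Description to say that any role attachment counts. The whitespace-only line kept from the old block scalar (`end as reason\n \n , account_id`) could also be dropped from the quoted string.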
@@ -33,7 +31,7 @@ Query: left join cognito_access on cognito_access.role_id = role.role_id; PrimaryTable: aws_iam_role ListOfTables: - - aws_iam_role + - aws_iam_role Parameters: [] Severity: critical Tags: @@ -49,3 +47,5 @@ Tags: x-kaytu-explanation: [] x-kaytu-noncompliance-cost: [] x-kaytu-usefulness-example: [] +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_role_unused_60.yaml b/compliance/controls/aws/aws_iam_role_unused_60.yaml index fd5e19ac6..a21e4c009 100755 --- a/compliance/controls/aws/aws_iam_role_unused_60.yaml +++ b/compliance/controls/aws/aws_iam_role_unused_60.yaml 
@@ -1,32 +1,14 @@ ID: aws_iam_role_unused_60 Title: "IAM roles that have not been used in 60 days should be removed" Description: "This control checks whether the IAM role has been used in 60 days. Unused accounts and roles increase the attack surface area." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when role_last_used_date <= (current_date - interval '60' day) or role_last_used_date is null - then 'alarm' - else 'ok' - end as status, - case - when role_last_used_date is null - then name || ' was never used.' - else - name || ' was last used ' || to_char(role_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_date - role_last_used_date) || ' days ago).' - end as reason - - from - aws_iam_role; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when role_last_used_date <= (current_date - interval '60' day) or role_last_used_date is null\n then 'alarm'\n else 'ok'\n end as status,\n case\n when role_last_used_date is null\n then name || ' was never used.'\n else\n name || ' was last used ' || to_char(role_last_used_date , 'DD-Mon-YYYY') || ' (' || extract(day from current_date - role_last_used_date) || ' days ago).'\n end as reason\n \nfrom\n aws_iam_role;" PrimaryTable: aws_iam_role ListOfTables: - - aws_iam_role + - aws_iam_role Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_root_last_used.yaml b/compliance/controls/aws/aws_iam_root_last_used.yaml index 7dd4e9b7e..86bbc0f71 100755 --- a/compliance/controls/aws/aws_iam_root_last_used.yaml +++ b/compliance/controls/aws/aws_iam_root_last_used.yaml 
@@ -1,8 +1,6 @@ ID: aws_iam_root_last_used Title: "Eliminate use of the 'root' user for administrative and daily tasks" Description: "This control checks whether the root user has been used in the last 90 days. The control fails if the root user has been used in the last 90 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -35,25 +33,27 @@ Query: user_name = ''; PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.7" + - "1.7" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_root_user_hardware_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_root_user_hardware_mfa_enabled.yaml index fe82d84ad..80564ada9 100755 --- a/compliance/controls/aws/aws_iam_root_user_hardware_mfa_enabled.yaml +++ b/compliance/controls/aws/aws_iam_root_user_hardware_mfa_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_iam_root_user_hardware_mfa_enabled Title: "IAM root user hardware MFA should be enabled" Description: "Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the root user." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -25,44 +23,46 @@ Query: left join aws_iam_virtual_mfa_device on serial_number = 'arn:' || s.partition || ':iam::' || s.account_id || ':mfa/root-account-mfa-device'; PrimaryTable: aws_iam_account_summary ListOfTables: - - aws_iam_account_summary - - aws_iam_virtual_mfa_device + - aws_iam_account_summary + - aws_iam_virtual_mfa_device Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_root_user_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_root_user_mfa_enabled.yaml index 0c0d0bd2e..874997858 100755 --- a/compliance/controls/aws/aws_iam_root_user_mfa_enabled.yaml +++ b/compliance/controls/aws/aws_iam_root_user_mfa_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_iam_root_user_mfa_enabled Title: "IAM root user MFA should be enabled" Description: "Manage access to resources in the AWS Cloud by ensuring MFA is enabled for the root user." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -23,43 +21,45 @@ Query: aws_iam_account_summary; PrimaryTable: aws_iam_account_summary ListOfTables: - - aws_iam_account_summary + - aws_iam_account_summary Parameters: [] Severity: critical Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_root_user_no_access_keys.yaml b/compliance/controls/aws/aws_iam_root_user_no_access_keys.yaml index 9e9cd582d..49c8d24d7 100755 --- a/compliance/controls/aws/aws_iam_root_user_no_access_keys.yaml +++ b/compliance/controls/aws/aws_iam_root_user_no_access_keys.yaml @@ -1,8 +1,6 @@ ID: aws_iam_root_user_no_access_keys Title: "IAM root user should not have access keys" Description: "Access to systems and assets can be controlled by checking that the root user does not have access keys attached to their AWS Identity and Access Management (IAM) role." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -23,45 +21,47 @@ Query: aws_iam_account_summary; PrimaryTable: aws_iam_account_summary ListOfTables: - - aws_iam_account_summary + - aws_iam_account_summary Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/IAM + - AWS/IAM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_security_audit_role.yaml b/compliance/controls/aws/aws_iam_security_audit_role.yaml index d053e1d1c..efad5a0c7 100755 --- a/compliance/controls/aws/aws_iam_security_audit_role.yaml +++ b/compliance/controls/aws/aws_iam_security_audit_role.yaml @@ -1,8 +1,6 @@ ID: aws_iam_security_audit_role Title: "IAM Security Audit role should be created to conduct security audits" Description: "Ensure IAM Security Audit role is created. By creating an IAM role with a security audit policy, a distinct segregation of responsibilities is established between the security team and other teams within the organization." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -44,8 +42,10 @@ Query: security_audit_role_count; PrimaryTable: aws_iam_role ListOfTables: - - aws_account - - aws_iam_role + - aws_account + - aws_iam_role Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_iam_server_certificate_not_expired.yaml b/compliance/controls/aws/aws_iam_server_certificate_not_expired.yaml
index 43cf1821c..f944d4041 100755
--- a/compliance/controls/aws/aws_iam_server_certificate_not_expired.yaml
+++ b/compliance/controls/aws/aws_iam_server_certificate_not_expired.yaml
@@ -1,48 +1,32 @@ ID: aws_iam_server_certificate_not_expired Title: "Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed" Description: "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case when expiration < (current_date - interval '1' second) then 'alarm' - else 'ok' - end as status, - case when expiration < (current_date - interval '1' second) then - name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.' - else - name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.' 
- end as reason - - , account_id - from - aws_iam_server_certificate; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case when expiration < (current_date - interval '1' second) then 'alarm'\n else 'ok'\n end as status,\n case when expiration < (current_date - interval '1' second) then\n name || ' expired ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n else\n name || ' valid until ' || to_char(expiration, 'DD-Mon-YYYY') || '.'\n end as reason\n \n , account_id\nfrom\n aws_iam_server_certificate;\n" PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.19" + - "1.19" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_support_role.yaml b/compliance/controls/aws/aws_iam_support_role.yaml index ef1c97e9a..bd00c38aa 100755 --- a/compliance/controls/aws/aws_iam_support_role.yaml +++ b/compliance/controls/aws/aws_iam_support_role.yaml @@ -1,8 +1,6 @@ ID: aws_iam_support_role Title: "Ensure a support role has been created to manage incidents with AWS Support" Description: "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -48,28 +46,30 @@ Query: support_role_count; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_iam_role + - aws_account + - aws_iam_role Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.20" + - "1.20" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws score_tags: - - Problem Identities + - Problem Identities service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_user_access_key_age_90.yaml b/compliance/controls/aws/aws_iam_user_access_key_age_90.yaml index e51d168a7..74b8e004e 100755 --- a/compliance/controls/aws/aws_iam_user_access_key_age_90.yaml +++ b/compliance/controls/aws/aws_iam_user_access_key_age_90.yaml @@ -1,8 +1,6 @@ ID: aws_iam_user_access_key_age_90 Title: "IAM user access keys should be rotated at least every 90 days" Description: "The credentials are audited for authorized devices, users, and processes by ensuring IAM access keys are rotated as per organizational policy." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -22,25 +20,27 @@ Query: aws_iam_access_key; PrimaryTable: aws_iam_access_key ListOfTables: - - aws_iam_access_key + - aws_iam_access_key Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.4" + - "1.4" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_user_access_key_unused_45.yaml b/compliance/controls/aws/aws_iam_user_access_key_unused_45.yaml index 908f7ce9f..a85b0c3c1 100755 --- a/compliance/controls/aws/aws_iam_user_access_key_unused_45.yaml 
+++ b/compliance/controls/aws/aws_iam_user_access_key_unused_45.yaml 
@@ -1,41 +1,14 @@ ID: aws_iam_user_access_key_unused_45 Title: "Ensure IAM users with access keys unused for 45 days or greater are disabled" Description: "AWS IAM users can access AWS resources using access keys. It is recommended that access keys that have been unused in 45 or greater days be deactivated or removed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - user_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when not access_key_1_active then 'ok' - when access_key_1_active and access_key_1_last_used_date is null then 'alarm' - when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day) then 'alarm' - when not access_key_2_active then 'ok' - when access_key_2_active and access_key_2_last_used_date is null then 'alarm' - when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day) then 'alarm' - else 'ok' - end as status, - user_name || - case - when not access_key_1_active then ' key 1 not enabled,' - when access_key_1_active and access_key_1_last_used_date is null then ' key 1 created ' || to_char(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,' - else ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ',' - end || - case - when not access_key_2_active then ' key 2 not enabled.' - when access_key_2_active and access_key_2_last_used_date is null then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.' - else ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.' 
- end as reason - - from - aws_iam_credential_report; + QueryToExecute: "select\n user_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when not access_key_1_active then 'ok'\n when access_key_1_active and access_key_1_last_used_date is null then 'alarm'\n when access_key_1_active and access_key_1_last_used_date < (current_date - interval '45' day) then 'alarm'\n when not access_key_2_active then 'ok'\n when access_key_2_active and access_key_2_last_used_date is null then 'alarm'\n when access_key_2_active and access_key_2_last_used_date < (current_date - interval '45' day) then 'alarm'\n else 'ok'\n end as status,\n user_name ||\n case\n when not access_key_1_active then ' key 1 not enabled,'\n when access_key_1_active and access_key_1_last_used_date is null then ' key 1 created ' || to_char(access_key_1_last_rotated, 'DD-Mon-YYYY') || ' never used,'\n else ' key 1 used ' || to_char(access_key_1_last_used_date, 'DD-Mon-YYYY') || ','\n end ||\n case\n when not access_key_2_active then ' key 2 not enabled.'\n when access_key_2_active and access_key_2_last_used_date is null then ' key 2 created ' || to_char(access_key_2_last_rotated, 'DD-Mon-YYYY') || ' never used.'\n else ' key 2 used ' || to_char(access_key_2_last_used_date, 'DD-Mon-YYYY') || '.'\n end as reason\n \nfrom\n aws_iam_credential_report;\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_user_access_keys_and_password_at_setup.yaml b/compliance/controls/aws/aws_iam_user_access_keys_and_password_at_setup.yaml index 8ff2372bd..6da3b0ef3 100755 --- a/compliance/controls/aws/aws_iam_user_access_keys_and_password_at_setup.yaml +++ b/compliance/controls/aws/aws_iam_user_access_keys_and_password_at_setup.yaml 
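Review bot: In the new QueryToExecute of aws_iam_user_access_key_unused_45 the status case chain returns 'ok' as soon as `when not access_key_1_active` matches, so a user whose key 1 is inactive but whose active key 2 is unused or last used more than 45 days ago is never reported; the key-2 arms are only reached when key 1 is active and fresh. The two arms `when not access_key_1_active then 'ok'` and `when not access_key_2_active then 'ok'` should be removed from the status expression, since the remaining arms already require the key to be active and the final `else 'ok'` covers inactive keys. The reason expression can keep its "not enabled" arms because it only builds the message.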
@@ -1,8 +1,6 @@ ID: aws_iam_user_access_keys_and_password_at_setup Title: "Ensure IAM users are assigned access keys and passwords at setup" Description: "This control checks whether the IAM users have access keys and passwords at setup. The control fails if the IAM users do not have access keys and passwords at setup." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -27,25 +25,27 @@ Query: aws_iam_credential_report; PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.21" + - "1.21" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - not_scored + - not_scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_user_console_access_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_user_console_access_mfa_enabled.yaml index e3e99b9b8..581d3ad9b 100755 --- a/compliance/controls/aws/aws_iam_user_console_access_mfa_enabled.yaml +++ b/compliance/controls/aws/aws_iam_user_console_access_mfa_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_iam_user_console_access_mfa_enabled Title: "IAM users with console access should have MFA enabled" Description: "Manage access to resources in the AWS Cloud by ensuring that MFA is enabled for all AWS Identity and Access Management (IAM) users that have a console password." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -24,45 +22,47 @@ Query: aws_iam_credential_report; PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: high Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_user_console_access_unused_45.yaml b/compliance/controls/aws/aws_iam_user_console_access_unused_45.yaml index b86732315..d0f1168f4 100755 --- a/compliance/controls/aws/aws_iam_user_console_access_unused_45.yaml +++ b/compliance/controls/aws/aws_iam_user_console_access_unused_45.yaml @@ -1,8 +1,6 @@ ID: aws_iam_user_console_access_unused_45 Title: "Ensure IAM users with console access unused for 45 days or greater are disabled" Description: "AWS IAM users can access AWS resources using console access. It is recommended that console access that have been unused in 45 or greater days be deactivated or removed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,7 +24,9 @@ Query: aws_iam_credential_report; PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_iam_user_group_role_cloudshell_fullaccess_restricted.yaml b/compliance/controls/aws/aws_iam_user_group_role_cloudshell_fullaccess_restricted.yaml index 3bb3c8298..1e126a870 100755 --- a/compliance/controls/aws/aws_iam_user_group_role_cloudshell_fullaccess_restricted.yaml +++ b/compliance/controls/aws/aws_iam_user_group_role_cloudshell_fullaccess_restricted.yaml @@ -1,8 +1,6 @@ ID: aws_iam_user_group_role_cloudshell_fullaccess_restricted Title: "Ensure access to AWSCloudShellFullAccess is restricted" Description: "This control checks whether the AWSCloudShellFullAccess policy is attached to any IAM user, group, or role. The control fails if the policy is attached to any IAM user, group, or role." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -58,28 +56,30 @@ Query: aws_iam_group; PrimaryTable: "" ListOfTables: - - aws_iam_group - - aws_iam_role - - aws_iam_user + - aws_iam_group + - aws_iam_role + - aws_iam_user Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.22" + - "1.22" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - manual + - manual cis_version: - - v2.0.0 - - v2.0.0 + - v2.0.0 + - v2.0.0 plugin: - - aws + - aws service: - - AWS/IAM + - AWS/IAM +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_user_in_group.yaml b/compliance/controls/aws/aws_iam_user_in_group.yaml index d8bd5c5a1..d48a5554a 100755 --- a/compliance/controls/aws/aws_iam_user_in_group.yaml +++ b/compliance/controls/aws/aws_iam_user_in_group.yaml 
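Review bot: The re-indented Tags block in aws_iam_user_group_role_cloudshell_fullaccess_restricted keeps two identical `- v2.0.0` entries under `cis_version`; the duplicate was in the old lines too, but this rewrite is the place to drop one so the list reads `cis_version:` / `- v2.0.0`. A consumer that counts or groups controls by cis_version could otherwise see this control twice.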
@@ -1,60 +1,44 @@
 ID: aws_iam_user_in_group
 Title: "IAM users should be in at least one group"
 Description: "AWS Identity and Access Management (IAM) can help you restrict access permissions and authorizations, by ensuring IAM users are members of at least one group."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when jsonb_array_length(groups) = 0 then 'alarm'
- else 'ok'
- end as status,
- case
- when jsonb_array_length(groups) = 0 then title || ' not associated with any IAM group.'
- else title || ' associated with IAM group.'
- end as reason
-
- , account_id
- from
- aws_iam_user;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(groups) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when jsonb_array_length(groups) = 0 then title || ' not associated with any IAM group.'\n else title || ' associated with IAM group.'\n end as reason\n \n , account_id\nfrom\n aws_iam_user;\n"
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
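Review bot: Rewriting `QueryToExecute` from a `|` block scalar into a single double-quoted string with `\n` escapes makes the SQL unreadable in review and in every future diff, and it forces JSON-style escaping of any `"` inside the query (the aws_kms_cmk_policy_prohibit_public_access hunk already has to write `'[\"*\"]'`). Both forms encode the same text (indentation aside, which I cannot verify from the collapsed diff), so keeping `QueryToExecute: |` (or `|-` where the old file used it) costs nothing and keeps one SQL line per YAML line. The same conversion appears in the hunks for aws_iam_user_no_inline_attached_policies, aws_iam_user_no_policies, aws_iam_user_one_active_key, aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days, aws_iam_users_with_console_access_are_requried_to_have_MFA, the three aws_kinesis_* controls, aws_kms_cmk_policy_prohibit_public_access, aws_kms_cmk_rotation_enabled and aws_kms_key_decryption_restricted_in_iam_customer_managed_policy. Separately, `jsonb_array_length(groups) = 0` evaluates to null, and therefore falls through to 'ok', whenever `groups` itself is null; if the table can return null there, `when coalesce(jsonb_array_length(groups), 0) = 0 then 'alarm'` closes that gap.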
diff --git a/compliance/controls/aws/aws_iam_user_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_user_mfa_enabled.yaml
index 94410fb3a..c6da9f2a7 100755
--- a/compliance/controls/aws/aws_iam_user_mfa_enabled.yaml
+++ b/compliance/controls/aws/aws_iam_user_mfa_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_user_mfa_enabled
 Title: "IAM user MFA should be enabled"
 Description: "Enable this rule to restrict access to resources in the AWS Cloud."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -23,43 +21,45 @@ Query:
 aws_iam_credential_report;
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: high
 Tags:
 audit_manager_control_tower:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_user_no_inline_attached_policies.yaml b/compliance/controls/aws/aws_iam_user_no_inline_attached_policies.yaml
index be51797a5..db9dee937 100755
--- a/compliance/controls/aws/aws_iam_user_no_inline_attached_policies.yaml
+++ b/compliance/controls/aws/aws_iam_user_no_inline_attached_policies.yaml
@@ -1,66 +1,52 @@ ID: aws_iam_user_no_inline_attached_policies Title: "IAM user should not have any inline or attached policies" Description: "This rule ensures AWS Identity and Access Management (IAM) policies are attached only to groups or roles to control access to systems and assets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when inline_policies is null and attached_policy_arns is null then 'ok' - else 'alarm' - end status, - name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' || - coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' as reason - - , account_id - from - aws_iam_user; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when inline_policies is null and attached_policy_arns is null then 'ok'\n else 'alarm'\n end status,\n name || ' has ' || coalesce(jsonb_array_length(inline_policies),0) || ' inline and ' ||\n coalesce(jsonb_array_length(attached_policy_arns),0) || ' directly attached policies.' 
as reason\n \n , account_id\nfrom\n aws_iam_user;\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user + - aws_iam_user Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/IAM + - AWS/IAM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_user_no_policies.yaml b/compliance/controls/aws/aws_iam_user_no_policies.yaml index 721307e18..d252474da 100755 --- a/compliance/controls/aws/aws_iam_user_no_policies.yaml +++ b/compliance/controls/aws/aws_iam_user_no_policies.yaml 
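Review bot: In the rewritten query the status branch and the reason text disagree about what "no policies" looks like: `status` is 'ok' only when `inline_policies is null and attached_policy_arns is null`, while `reason` wraps both columns in `coalesce(jsonb_array_length(...), 0)`, which only matters if they can be non-null and empty. If the table returns an empty array `[]` rather than null for a user without policies, that user is reported as 'alarm' with the reason `has 0 inline and 0 directly attached policies.`; testing `coalesce(jsonb_array_length(inline_policies), 0) = 0 and coalesce(jsonb_array_length(attached_policy_arns), 0) = 0` handles both representations. The aws_iam_user_no_policies hunk has the same `attached_policy_arns is null` test and the same fix applies there. Which representation the table actually uses is not visible in the diff, so confirm against a user with no policies before changing it.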
@@ -1,47 +1,34 @@
 ID: aws_iam_user_no_policies
 Title: "Ensure IAM policies are attached only to groups or roles"
 Description: "By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended that IAM policies be applied directly to groups and roles but not users."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when attached_policy_arns is null then 'ok'
- else 'alarm'
- end status,
- name || ' has ' || coalesce(jsonb_array_length(attached_policy_arns),0) || ' attached policies.' as reason
-
- , account_id
- from
- aws_iam_user;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when attached_policy_arns is null then 'ok'\n else 'alarm'\n end status,\n name || ' has ' || coalesce(jsonb_array_length(attached_policy_arns),0) || ' attached policies.' as reason\n \n , account_id\nfrom\n aws_iam_user;\n"
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.16"
+ - "1.16"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - scored
+ - scored
 cis_version:
- - v1.2.0
+ - v1.2.0
 plugin:
- - aws
+ - aws
 score_tags:
- - Problem Identities
+ - Problem Identities
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_user_one_active_key.yaml b/compliance/controls/aws/aws_iam_user_one_active_key.yaml
index c51458132..2e52071cf 100755
--- a/compliance/controls/aws/aws_iam_user_one_active_key.yaml
+++ b/compliance/controls/aws/aws_iam_user_one_active_key.yaml
@@ -1,57 +1,33 @@
 ID: aws_iam_user_one_active_key
 Title: "Ensure there is only one active access key available for any single IAM user"
 Description: "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- u.arn as resource,
- u.og_account_id as og_account_id,
- u.og_resource_id as og_resource_id,
- case
- when count(k.*) > 1 then 'alarm'
- else 'ok'
- end as status,
- u.name || ' has ' || count(k.*) || ' active access key(s).' as reason
-
- , u.account_id
- from
- aws_iam_user as u
- left join aws_iam_access_key as k on u.name = k.user_name and u.account_id = k.account_id
- where
- k.status = 'Active' or k.status is null
- group by
- u.arn,
- u.name,
- u.account_id,
- u.tags,
- u.og_account_id,
- u.og_resource_id,
- u._ctx;
+ QueryToExecute: "select\n u.arn as resource,\n u.og_account_id as og_account_id,\n u.og_resource_id as og_resource_id,\n case\n when count(k.*) > 1 then 'alarm'\n else 'ok'\n end as status,\n u.name || ' has ' || count(k.*) || ' active access key(s).' as reason\n \n , u.account_id\nfrom\n aws_iam_user as u\n left join aws_iam_access_key as k on u.name = k.user_name and u.account_id = k.account_id\nwhere\n k.status = 'Active' or k.status is null\ngroup by\n u.arn,\n u.name,\n u.account_id,\n u.tags,\n u.og_account_id,\n u.og_resource_id,\n u._ctx;\n"
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_access_key
- - aws_iam_user
+ - aws_iam_access_key
+ - aws_iam_user
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.13"
+ - "1.13"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
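Review bot: The `where k.status = 'Active' or k.status is null` filter runs after the left join, so a user whose access keys are all inactive loses every joined row and drops out of the result set entirely instead of being reported 'ok' with 0 active keys. Moving the status test into the join keeps one row per user: `left join aws_iam_access_key as k on u.name = k.user_name and u.account_id = k.account_id and k.status = 'Active'`, and the `where` clause is then dropped. This logic is pre-existing rather than introduced here, but the hunk rewrites the whole query string, so it is the place to fix it. The `group by` also lists `u.tags` and `u._ctx`, which nothing in the select list uses; they appear harmless but can go.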
diff --git a/compliance/controls/aws/aws_iam_user_unused_credentials_45.yaml b/compliance/controls/aws/aws_iam_user_unused_credentials_45.yaml
index 1136b5ebf..71b74b3d7 100755
--- a/compliance/controls/aws/aws_iam_user_unused_credentials_45.yaml
+++ b/compliance/controls/aws/aws_iam_user_unused_credentials_45.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_user_unused_credentials_45
 Title: "Ensure credentials unused for 45 days or greater are disabled"
 Description: "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -59,25 +57,27 @@ Query:
 aws_iam_credential_report;
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "1.12"
+ - "1.12"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "1"
+ - "1"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.4.0
+ - v1.4.0
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_user_unused_credentials_90.yaml b/compliance/controls/aws/aws_iam_user_unused_credentials_90.yaml
index ca65fd483..fc5cff6ba 100755
--- a/compliance/controls/aws/aws_iam_user_unused_credentials_90.yaml
+++ b/compliance/controls/aws/aws_iam_user_unused_credentials_90.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_user_unused_credentials_90
 Title: "IAM user credentials that have not been used in 90 days should be disabled"
 Description: "AWS Identity and Access Management (IAM) can help you with access permissions and authorizations by checking for IAM passwords and access keys that are not used for a specified time period."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -58,43 +56,45 @@ Query:
 aws_iam_credential_report;
 PrimaryTable: aws_iam_credential_report
 ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gdpr:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/IAM
+ - AWS/IAM
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_user_with_administrator_access_mfa_enabled.yaml b/compliance/controls/aws/aws_iam_user_with_administrator_access_mfa_enabled.yaml
index 3e00d3109..7b912c409 100755
--- a/compliance/controls/aws/aws_iam_user_with_administrator_access_mfa_enabled.yaml
+++ b/compliance/controls/aws/aws_iam_user_with_administrator_access_mfa_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_iam_user_with_administrator_access_mfa_enabled
 Title: "IAM administrator users should have MFA enabled"
 Description: "Manage access to resources in the AWS Cloud by ensuring MFA is enabled for users with administrative privileges."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -38,7 +36,9 @@ Query:
 u.name;
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days.yaml b/compliance/controls/aws/aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days.yaml
index bc12cc3f0..bed48d148 100755
--- a/compliance/controls/aws/aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days.yaml
+++ b/compliance/controls/aws/aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days.yaml
@@ -1,49 +1,20 @@ ID: aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days Title: "IAM Users with API Keys should have keys rotated every X days" Description: "IAM Users with API Keys should have keys rotated every X days" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - user_name as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - (date(current_timestamp) - date(access_key_1_last_rotated)), - (date(current_timestamp) - date(access_key_2_last_rotated)), - case - when - (access_key_1_active and - (date(current_timestamp) - date(access_key_1_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) or - (access_key_2_active and - (date(current_timestamp) - date(access_key_2_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) then 'alarm' - else 'ok' - end as status, - case - when (access_key_1_active and - (date(current_timestamp) - date(access_key_1_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) or - (access_key_2_active and - (date(current_timestamp) - date(access_key_2_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) then - case - when (access_key_1_last_rotated is null) then 'key last rotated in ' || (date(current_timestamp) - date(access_key_2_last_rotated)) || ' days' - when (access_key_2_last_rotated is null) then 'key last rotated in ' || (date(current_timestamp) - date(access_key_1_last_rotated)) || ' days' - else 'key last rotated in ' || greatest((date(current_timestamp) - date(access_key_1_last_rotated)), (date(current_timestamp) - date(access_key_2_last_rotated))) || ' days' - end - else 'keys rotated recently' - end as reason - , region, account_id - from - aws_iam_credential_report + QueryToExecute: "select\n user_name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n (date(current_timestamp) - date(access_key_1_last_rotated)),\n (date(current_timestamp) - date(access_key_2_last_rotated)),\n case\n when \n (access_key_1_active and\n 
(date(current_timestamp) - date(access_key_1_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) or\n (access_key_2_active and\n (date(current_timestamp) - date(access_key_2_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) then 'alarm'\n else 'ok'\n end as status,\n case\n when (access_key_1_active and\n (date(current_timestamp) - date(access_key_1_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) or\n (access_key_2_active and\n (date(current_timestamp) - date(access_key_2_last_rotated)) > '{{.awsIamUserKeyRotateDays}}'::int) then \n case\n when (access_key_1_last_rotated is null) then 'key last rotated in ' || (date(current_timestamp) - date(access_key_2_last_rotated)) || ' days'\n when (access_key_2_last_rotated is null) then 'key last rotated in ' || (date(current_timestamp) - date(access_key_1_last_rotated)) || ' days'\n else 'key last rotated in ' || greatest((date(current_timestamp) - date(access_key_1_last_rotated)), (date(current_timestamp) - date(access_key_2_last_rotated))) || ' days'\n end\n else 'keys rotated recently'\n end as reason\n , region, account_id\nfrom\n aws_iam_credential_report\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: - Key: awsIamUserKeyRotateDays Required: true Severity: medium Tags: category: - - Compliance + - Compliance score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_iam_users_with_console_access_are_requried_to_have_MFA.yaml b/compliance/controls/aws/aws_iam_users_with_console_access_are_requried_to_have_MFA.yaml index fd76c189f..c4ae005b1 100755 --- a/compliance/controls/aws/aws_iam_users_with_console_access_are_requried_to_have_MFA.yaml +++ b/compliance/controls/aws/aws_iam_users_with_console_access_are_requried_to_have_MFA.yaml 
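Review bot: `'{{.awsIamUserKeyRotateDays}}'::int` splices the `awsIamUserKeyRotateDays` parameter into the SQL text at template-render time, in four places in this query; unless the renderer validates the value as an integer before substitution, a non-numeric value breaks the statement at best and changes its meaning at worst. If the engine can bind query parameters that is the safer route; otherwise a digits-only validation on the parameter plus a comment on the `Parameters` entry, e.g. `# templated into the SQL text as an int literal; must be validated as an integer before rendering`, would document the assumption. The query also projects two unaliased columns, `(date(current_timestamp) - date(access_key_1_last_rotated))` and its `access_key_2` counterpart, that no other part of the control references; alias them or drop them. The `Title` and `Description` are identical text, so the description adds nothing a reader would not already have.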
@@ -1,34 +1,17 @@
 ID: aws_iam_users_with_console_access_are_requried_to_have_MFA
 Title: "IAM Users with Console Access are requried to have MFA"
 Description: "IAM Users with Console Access are requried to have MFA"
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- user_arn as resource,
- case
- when not(mfa_active::bool) then 'alarm'
- else 'ok'
- end as status,
- case
- when not(mfa_active::bool) then 'MFA is not enabled for ' || user_name
- else user_name || ' has MFA'
- end as reason,
- u.og_resource_id,
- u.og_account_id,
- u.account_id
- from
- aws_iam_credential_report cr inner join aws_iam_user u on cr.user_arn = u.arn
- where
- not(login_profile ->> 'UserName' is null)
+ QueryToExecute: "select \n user_arn as resource,\n case \n when not(mfa_active::bool) then 'alarm'\n else 'ok'\n end as status,\n case \n when not(mfa_active::bool) then 'MFA is not enabled for ' || user_name\n else user_name || ' has MFA'\n end as reason,\n u.og_resource_id,\n u.og_account_id,\n u.account_id\nfrom \n aws_iam_credential_report cr inner join aws_iam_user u on cr.user_arn = u.arn \nwhere \n not(login_profile ->> 'UserName' is null)\n"
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_credential_report
- - aws_iam_user
+ - aws_iam_credential_report
+ - aws_iam_user
 Parameters: []
 Severity: low
 Tags:
 score_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled.yaml b/compliance/controls/aws/aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled.yaml
index 4e2b4c85d..849562213 100755
--- a/compliance/controls/aws/aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled.yaml
+++ b/compliance/controls/aws/aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled.yaml
@@ -1,30 +1,14 @@
 ID: aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled
 Title: "Kinesis firehose delivery streams should have server side encryption enabled"
 Description: "Enable server side encryption (SSE) of your Kinesis firehose delivery stream, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then 'ok'
- else 'alarm'
- end as status,
- case
- when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then title || ' server side encryption enabled.'
- else title || ' server side encryption disabled.'
- end as reason
-
-
- from
- aws_kinesis_firehose_delivery_stream;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when delivery_stream_encryption_configuration ->> 'Status' = 'ENABLED' then title || ' server side encryption enabled.'\n else title || ' server side encryption disabled.'\n end as reason\n \n \nfrom\n aws_kinesis_firehose_delivery_stream;"
 PrimaryTable: aws_kinesis_firehose_delivery_stream
 ListOfTables:
- - aws_kinesis_firehose_delivery_stream
+ - aws_kinesis_firehose_delivery_stream
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_kinesis_stream_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_kinesis_stream_encrypted_with_kms_cmk.yaml
index 5e6700093..3fdefb02c 100755
--- a/compliance/controls/aws/aws_kinesis_stream_encrypted_with_kms_cmk.yaml
+++ b/compliance/controls/aws/aws_kinesis_stream_encrypted_with_kms_cmk.yaml
@@ -1,30 +1,14 @@
 ID: aws_kinesis_stream_encrypted_with_kms_cmk
 Title: "Kinesis streams should be encrypted with CMK"
 Description: "Ensure Kinesis streams are encrypted using CMK. Using KMS CMK, you gain full control over who can use the keys to access AWS Kinesis data (including the system metadata)."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- stream_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when encryption_type = 'KMS' and key_id <> 'alias/aws/kinesis' then 'ok'
- else 'alarm'
- end as status,
- case
- when encryption_type = 'KMS' and key_id <> 'alias/aws/kinesis' then title || ' encrypted with CMK.'
- else title || ' not encrypted with CMK.'
- end as reason
-
-
- from
- aws_kinesis_stream;
+ QueryToExecute: "select\n stream_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encryption_type = 'KMS' and key_id <> 'alias/aws/kinesis' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_type = 'KMS' and key_id <> 'alias/aws/kinesis' then title || ' encrypted with CMK.'\n else title || ' not encrypted with CMK.'\n end as reason\n \n \nfrom\n aws_kinesis_stream;"
 PrimaryTable: aws_kinesis_stream
 ListOfTables:
- - aws_kinesis_stream
+ - aws_kinesis_stream
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_kinesis_stream_server_side_encryption_enabled.yaml b/compliance/controls/aws/aws_kinesis_stream_server_side_encryption_enabled.yaml
index 8b077ce16..a1e122572 100755
--- a/compliance/controls/aws/aws_kinesis_stream_server_side_encryption_enabled.yaml
+++ b/compliance/controls/aws/aws_kinesis_stream_server_side_encryption_enabled.yaml
@@ -1,42 +1,26 @@
 ID: aws_kinesis_stream_server_side_encryption_enabled
 Title: "Kinesis streams should have server side encryption enabled"
 Description: "Enable server side encryption (SSE) of your AWS Kinesis Server data at rest, in order to protect your data and metadata from breaches or unauthorized access, and fulfill compliance requirements for data-at-rest encryption within your organization."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- stream_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when encryption_type = 'KMS' then 'ok'
- else 'alarm'
- end as status,
- case
- when encryption_type = 'KMS' then title || ' server side encryption enabled.'
- else title || ' server side encryption disabled.'
- end as reason
-
- , region, account_id
- from
- aws_kinesis_stream;
+ QueryToExecute: "select\n stream_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encryption_type = 'KMS' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_type = 'KMS' then title || ' server side encryption enabled.'\n else title || ' server side encryption disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_kinesis_stream;\n"
 PrimaryTable: aws_kinesis_stream
 ListOfTables:
- - aws_kinesis_stream
+ - aws_kinesis_stream
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - encryption_of_data_at_rest
+ - encryption_of_data_at_rest
 foundational_security_item_id:
- - kinesis_1
+ - kinesis_1
 plugin:
- - aws
+ - aws
 service:
- - AWS/Kinesis
+ - AWS/Kinesis
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_kms_cmk_policy_prohibit_public_access.yaml b/compliance/controls/aws/aws_kms_cmk_policy_prohibit_public_access.yaml
index f59fd6f72..14d3578e0 100755
--- a/compliance/controls/aws/aws_kms_cmk_policy_prohibit_public_access.yaml
+++ b/compliance/controls/aws/aws_kms_cmk_policy_prohibit_public_access.yaml
@@ -1,51 +1,14 @@
 ID: aws_kms_cmk_policy_prohibit_public_access
 Title: "KMS CMK policies should prohibit public access"
 Description: "Manage access to resources in the AWS Cloud by ensuring AWS KMS CMK cannot be publicly accessed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with wildcard_action_policies as (
- select
- arn,
- count(*) as statements_num
- from
- aws_kms_key,
- jsonb_array_elements(policy_std -> 'Statement') as s
- where
- s ->> 'Effect' = 'Allow'
- and (
- ( s -> 'Principal' -> 'AWS') = '["*"]'
- or s ->> 'Principal' = '*'
- )
- and key_manager = 'CUSTOMER'
- group by
- arn
- )
- select
- k.arn as resource,
- k.og_account_id as og_account_id,
- k.og_resource_id as og_resource_id,
- case
- when p.arn is null then 'ok'
- else 'alarm'
- end status,
- case
- when p.arn is null then title || ' does not allow public access.'
- else title || ' contains ' || coalesce(p.statements_num, 0) ||
- ' statements that allow public access.'
- end as reason
-
-
- from
- aws_kms_key as k
- left join wildcard_action_policies as p on p.arn = k.arn
- where
- key_manager = 'CUSTOMER';
+ QueryToExecute: "with wildcard_action_policies as (\n select\n arn,\n count(*) as statements_num\n from\n aws_kms_key,\n jsonb_array_elements(policy_std -> 'Statement') as s\n where\n s ->> 'Effect' = 'Allow'\n and (\n ( s -> 'Principal' -> 'AWS') = '[\"*\"]'\n or s ->> 'Principal' = '*'\n )\n and key_manager = 'CUSTOMER'\n group by\n arn\n)\nselect\n k.arn as resource,\n k.og_account_id as og_account_id,\n k.og_resource_id as og_resource_id,\n case\n when p.arn is null then 'ok'\n else 'alarm'\n end status,\n case\n when p.arn is null then title || ' does not allow public access.'\n else title || ' contains ' || coalesce(p.statements_num, 0) ||\n ' statements that allow public access.'\n end as reason\n \n \nfrom\n aws_kms_key as k\n left join wildcard_action_policies as p on p.arn = k.arn\nwhere\n key_manager = 'CUSTOMER';"
 PrimaryTable: aws_kms_key
 ListOfTables:
- - aws_kms_key
+ - aws_kms_key
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_kms_cmk_rotation_enabled.yaml b/compliance/controls/aws/aws_kms_cmk_rotation_enabled.yaml
index 9881dc2a2..2a5e766dd 100755
--- a/compliance/controls/aws/aws_kms_cmk_rotation_enabled.yaml
+++ b/compliance/controls/aws/aws_kms_cmk_rotation_enabled.yaml
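Review bot: The public-principal test in the CTE matches only the exact one-element array `'["*"]'` for `Principal.AWS` or the bare string `'*'` for `Principal`, so a statement whose AWS principal list contains `*` alongside other entries is not counted, while a statement that grants to `*` only under a restrictive `Condition` is counted the same as an unconditional grant. If `policy_std` normalises principals into arrays, as the `'["*"]'` comparison suggests, `(s -> 'Principal' -> 'AWS') ? '*'` is the robust form of the first check; whether conditioned statements should be skipped is a policy choice, but the query should say which it intends. I cannot see the `policy_std` normalisation from the diff, so this is inferred from the shape of the comparison.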
@@ -1,66 +1,42 @@ ID: aws_kms_cmk_rotation_enabled Title: "KMS CMK rotation should be enabled" Description: "Enable key rotation to ensure that keys are rotated once they have reached the end of their crypto period." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when origin = 'EXTERNAL' then 'skip' - when key_state = 'PendingDeletion' then 'skip' - when key_state = 'Disabled' then 'skip' - when not key_rotation_enabled then 'alarm' - else 'ok' - end as status, - case - when origin = 'EXTERNAL' then title || ' has imported key material.' - when key_state = 'PendingDeletion' then title || ' is pending deletion.' - when key_state = 'Disabled' then title || ' is disabled.' - when not key_rotation_enabled then title || ' key rotation disabled.' - else title || ' key rotation enabled.' - end as reason - - , region, account_id - from - aws_kms_key - where - key_manager = 'CUSTOMER'; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when origin = 'EXTERNAL' then 'skip'\n when key_state = 'PendingDeletion' then 'skip'\n when key_state = 'Disabled' then 'skip'\n when not key_rotation_enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when origin = 'EXTERNAL' then title || ' has imported key material.'\n when key_state = 'PendingDeletion' then title || ' is pending deletion.'\n when key_state = 'Disabled' then title || ' is disabled.'\n when not key_rotation_enabled then title || ' key rotation disabled.'\n else title || ' key rotation enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_kms_key\nwhere\n key_manager = 'CUSTOMER';\n" PrimaryTable: aws_kms_key ListOfTables: - - aws_kms_key + - aws_kms_key Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + 
- "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/KMS + - AWS/KMS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_kms_cmk_unused.yaml b/compliance/controls/aws/aws_kms_cmk_unused.yaml index d7f6a15fa..84ea1c6e1 100755 --- a/compliance/controls/aws/aws_kms_cmk_unused.yaml +++ b/compliance/controls/aws/aws_kms_cmk_unused.yaml @@ -1,8 +1,6 @@ ID: aws_kms_cmk_unused Title: "KMS key should be in use" Description: "This control checks whether there are any unused CMK (Customer Master Key) KMS (Key Management Service) keys." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,7 +24,9 @@ Query: key_manager = 'CUSTOMER'; PrimaryTable: aws_kms_key ListOfTables: - - aws_kms_key + - aws_kms_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_customer_managed_policy.yaml b/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_customer_managed_policy.yaml index 2a7e75514..8f5e79de9 100755 --- a/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_customer_managed_policy.yaml +++ b/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_customer_managed_policy.yaml 
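Review bot: In the rewritten aws_kms_cmk_rotation_enabled query, `when not key_rotation_enabled then 'alarm'` yields null, and so falls through to 'ok', whenever `key_rotation_enabled` is null, and there is no skip branch for key types on which AWS does not offer automatic rotation (asymmetric and HMAC keys), unlike the `origin = 'EXTERNAL'` skip the query already has. If the table exposes the key spec, a skip for those types next to the imported-material skip would avoid passing or mis-flagging them silently; otherwise `when key_rotation_enabled is distinct from true then 'alarm'` at least makes the null case an explicit finding rather than a pass. Whether null can occur for `key_rotation_enabled` is not visible in the diff, so confirm against a non-symmetric key first. The hunk starts on the previous line of this view; the tag re-indentation itself looks consistent with the other files.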
@@ -1,58 +1,27 @@
 ID: aws_kms_key_decryption_restricted_in_iam_customer_managed_policy
 Title: "KMS key decryption should be restricted in IAM customer managed policy"
 Description: "Checks whether the default version of IAM customer managed policies allow principals to use the AWS KMS decryption actions on all resources. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if the kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys. The control evaluates both attached and unattached customer managed policies. It does not check inline policies or AWS managed policies."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with policy_with_decrypt_grant as (
- select
- distinct arn
- from
- aws_iam_policy,
- jsonb_array_elements(policy_std -> 'Statement') as statement
- where
- not is_aws_managed
- and statement ->> 'Effect' = 'Allow'
- and statement -> 'Resource' ?| array['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*']
- and statement -> 'Action' ?| array['*', 'kms:*', 'kms:decrypt', 'kms:reencryptfrom', 'kms:reencrypt*']
- )
- select
- i.arn as resource,
- i.og_account_id as og_account_id,
- i.og_resource_id as og_resource_id,
- case
- when d.arn is null then 'ok'
- else 'alarm'
- end as status,
- case
- when d.arn is null then i.title || ' doesn''t allow decryption actions on all keys.'
- else i.title || ' allows decryption actions on all keys.'
- end as reason
-
- , i.account_id
- from
- aws_iam_policy i
- left join policy_with_decrypt_grant d on i.arn = d.arn
- where
- not is_aws_managed;
+ QueryToExecute: "with policy_with_decrypt_grant as (\n select\n distinct arn\n from\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') as statement\n where\n not is_aws_managed\n and statement ->> 'Effect' = 'Allow'\n and statement -> 'Resource' ?| array['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*']\n and statement -> 'Action' ?| array['*', 'kms:*', 'kms:decrypt', 'kms:reencryptfrom', 'kms:reencrypt*']\n)\nselect\n i.arn as resource,\n i.og_account_id as og_account_id,\n i.og_resource_id as og_resource_id,\n case\n when d.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when d.arn is null then i.title || ' doesn''t allow decryption actions on all keys.'\n else i.title || ' allows decryption actions on all keys.'\n end as reason\n \n , i.account_id\nfrom\n aws_iam_policy i\nleft join policy_with_decrypt_grant d on i.arn = d.arn\nwhere\n not is_aws_managed;\n"
 PrimaryTable: aws_iam_policy
 ListOfTables:
- - aws_iam_policy
- - aws_managed
+ - aws_iam_policy
+ - aws_managed
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - secure_access_management
+ - secure_access_management
 foundational_security_item_id:
- - kms_1
+ - kms_1
 plugin:
- - aws
+ - aws
 service:
- - AWS/KMS
+ - AWS/KMS
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_inline_policy.yaml b/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_inline_policy.yaml
index 22d6a3e7c..cec55ef2e 100755
--- a/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_inline_policy.yaml
+++ b/compliance/controls/aws/aws_kms_key_decryption_restricted_in_iam_inline_policy.yaml
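Review bot: `ListOfTables` on the new side still lists `aws_managed`, which is not a table the query reads: the SQL selects only from `aws_iam_policy`, and `is_aws_managed` is a column of that table, so this looks like a leftover from a generated list. If the list is used to resolve table dependencies, an unknown name may fail the control or be silently ignored; either way it is wrong, and the entry should be reduced to `ListOfTables:` / `  - aws_iam_policy`. The Action match also compares lowercase literals such as `'kms:decrypt'`, which is only correct if `policy_std` lowercases action names — presumably it does, but a comment on the control saying so would save the next reader the question.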
@@ -1,8 +1,6 @@
 ID: aws_kms_key_decryption_restricted_in_iam_inline_policy
 Title: "KMS key decryption should be restricted in IAM inline policy"
 Description: "Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys in an inline policy."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -55,7 +53,7 @@ Query:
 when d.arn is null then 'User ' || i.title || ' not allowed to perform decryption actions on all keys.'
 else 'User ' || i.title || ' allowed to perform decryption actions on all keys.'
 end as reason
-
+
 , i.account_id
 from
 aws_iam_user i
@@ -74,7 +72,7 @@ Query:
 when d.arn is null then 'Role ' || r.title || ' not allowed to perform decryption actions on all keys.'
 else 'Role ' || r.title || ' allowed to perform decryption actions on all keys.'
 end as reason
-
+
 , r.account_id
 from
 aws_iam_role r
@@ -101,21 +99,23 @@ Query:
 left join group_with_decrypt_grant d on g.arn = d.arn;
 PrimaryTable: ""
 ListOfTables:
- - aws_iam_group
- - aws_iam_role
- - aws_iam_user
+ - aws_iam_group
+ - aws_iam_role
+ - aws_iam_user
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - secure_access_management
+ - secure_access_management
 foundational_security_item_id:
- - kms_2
+ - kms_2
 plugin:
- - aws
+ - aws
 service:
- - AWS/KMS
+ - AWS/KMS
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_kms_key_not_pending_deletion.yaml b/compliance/controls/aws/aws_kms_key_not_pending_deletion.yaml
index f21896109..6b3df6283 100755
--- a/compliance/controls/aws/aws_kms_key_not_pending_deletion.yaml
+++ b/compliance/controls/aws/aws_kms_key_not_pending_deletion.yaml
@@ -1,62 +1,44 @@
 ID: aws_kms_key_not_pending_deletion
 Title: "KMS keys should not be pending deletion"
 Description: "To help protect data at rest, ensure necessary customer master keys (CMKs) are not scheduled for deletion in AWS Key Management Service (AWS KMS)."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when key_state = 'PendingDeletion' then 'alarm'
- else 'ok'
- end as status,
- case
- when key_state = 'PendingDeletion' then title || ' scheduled for deletion and will be deleted in ' || extract(day from deletion_date - current_timestamp) || ' day(s).'
- else title || ' not scheduled for deletion.'
- end as reason
-
- , region, account_id
- from
- aws_kms_key
- where
- key_manager = 'CUSTOMER';
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when key_state = 'PendingDeletion' then 'alarm'\n else 'ok'\n end as status,\n case\n when key_state = 'PendingDeletion' then title || ' scheduled for deletion and will be deleted in ' || extract(day from deletion_date - current_timestamp) || ' day(s).'\n else title || ' not scheduled for deletion.'\n end as reason\n \n , region, account_id\nfrom\n aws_kms_key\nwhere\n key_manager = 'CUSTOMER';\n"
 PrimaryTable: aws_kms_key
 ListOfTables:
- - aws_kms_key
+ - aws_kms_key
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 rbi_cyber_security:
- - "true"
+ - "true"
 service:
- - AWS/KMS
+ - AWS/KMS
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_cloudtrail_logging_enabled.yaml b/compliance/controls/aws/aws_lambda_function_cloudtrail_logging_enabled.yaml
index a30ad28ee..f88347044 100755
--- a/compliance/controls/aws/aws_lambda_function_cloudtrail_logging_enabled.yaml
+++ b/compliance/controls/aws/aws_lambda_function_cloudtrail_logging_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_lambda_function_cloudtrail_logging_enabled
 Title: "Lambda functions CloudTrail logging should be enabled"
 Description: "Lambda functions logging is essential because once lambdas are triggered, all of the underlying compute resources are automatically managed for you. This control is compliant if CloudTrail logging is enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -71,8 +69,10 @@ Query:
 left join function_logging_region_advance_es as a on a.cloudtrail_region = l.region;
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_cloudtrail_trail
- - aws_lambda_function
+ - aws_cloudtrail_trail
+ - aws_lambda_function
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_cloudwatch_insights_enabled.yaml b/compliance/controls/aws/aws_lambda_function_cloudwatch_insights_enabled.yaml
index 587eef917..ef6b4d683 100755
--- a/compliance/controls/aws/aws_lambda_function_cloudwatch_insights_enabled.yaml
+++ b/compliance/controls/aws/aws_lambda_function_cloudwatch_insights_enabled.yaml
@@ -1,38 +1,14 @@
 ID: aws_lambda_function_cloudwatch_insights_enabled
 Title: "Ensure Cloudwatch Lambda insights is enabled"
 Description: "Ensure that Amazon CloudWatch Lambda Insights is enabled for your Amazon Lambda functions for enhanced monitoring."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when exists (
- select 1
- from jsonb_array_elements(layers) as l
- where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'
- ) then 'ok'
- else 'alarm'
- end as status,
- case
- when exists (
- select 1
- from jsonb_array_elements(layers) as l
- where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'
- ) then title || ' CloudWatch Insights enabled.'
- else title || ' CloudWatch Insights disabled.'
- end as reason
-
-
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when exists (\n select 1\n from jsonb_array_elements(layers) as l\n where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'\n ) then 'ok'\n else 'alarm'\n end as status,\n case\n when exists (\n select 1\n from jsonb_array_elements(layers) as l\n where l ->> 'Arn' like '%:layer:LambdaInsightsExtension:%'\n ) then title || ' CloudWatch Insights enabled.'\n else title || ' CloudWatch Insights disabled.'\n end as reason\n \n \nfrom\n aws_lambda_function;"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_concurrent_execution_limit_configured.yaml b/compliance/controls/aws/aws_lambda_function_concurrent_execution_limit_configured.yaml
index 8433649d1..92319d7cb 100755
--- a/compliance/controls/aws/aws_lambda_function_concurrent_execution_limit_configured.yaml
+++ b/compliance/controls/aws/aws_lambda_function_concurrent_execution_limit_configured.yaml
@@ -1,52 +1,36 @@
 ID: aws_lambda_function_concurrent_execution_limit_configured
 Title: "Lambda functions concurrent execution limit configured"
 Description: "Checks whether the AWS Lambda function is configured with function-level concurrent execution limit. The control is non-compliant if the Lambda function is not configured with function-level concurrent execution limit."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when reserved_concurrent_executions is null then 'alarm'
- else 'ok'
- end as status,
- case
- when reserved_concurrent_executions is null then title || ' function-level concurrent execution limit not configured.'
- else title || ' function-level concurrent execution limit configured.'
- end as reason
-
- , region, account_id
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when reserved_concurrent_executions is null then 'alarm'\n else 'ok'\n end as status,\n case\n when reserved_concurrent_executions is null then title || ' function-level concurrent execution limit not configured.'\n else title || ' function-level concurrent execution limit configured.'\n end as reason\n \n , region, account_id\nfrom\n aws_lambda_function;\n"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/Lambda
+ - AWS/Lambda
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_cors_configuration.yaml b/compliance/controls/aws/aws_lambda_function_cors_configuration.yaml
index 0e2d0f228..285e26ea5 100755
--- a/compliance/controls/aws/aws_lambda_function_cors_configuration.yaml
+++ b/compliance/controls/aws/aws_lambda_function_cors_configuration.yaml
@@ -1,32 +1,14 @@
 ID: aws_lambda_function_cors_configuration
 Title: "Lambda functions CORS configuration should not allow all origins"
 Description: "Enable this rule to ensure that the CORS configuration for your Lambda functions does not allow all origins."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when url_config is null then 'info'
- when url_config -> 'Cors' ->> 'AllowOrigins' = '["*"]' then 'alarm'
- else 'ok'
- end as status,
- case
- when url_config is null then title || ' does not has a URL config.'
- when url_config -> 'Cors' ->> 'AllowOrigins' = '["*"]' then title || ' CORS configuration allows all origins.'
- else title || ' CORS configuration does not allow all origins.'
- end as reason
-
-
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when url_config is null then 'info'\n when url_config -> 'Cors' ->> 'AllowOrigins' = '[\"*\"]' then 'alarm'\n else 'ok'\n end as status,\n case\n when url_config is null then title || ' does not has a URL config.'\n when url_config -> 'Cors' ->> 'AllowOrigins' = '[\"*\"]' then title || ' CORS configuration allows all origins.'\n else title || ' CORS configuration does not allow all origins.'\n end as reason\n \n \nfrom\n aws_lambda_function;"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
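Review bot: The CORS check compares the serialised `AllowOrigins` array with the literal `'[\"*\"]'`, so a function whose allow-list contains `*` together with other origins, or whose JSON is spaced differently, is reported as `ok`; the jsonb existence operator tests membership instead, `when url_config -> 'Cors' -> 'AllowOrigins' ? '*' then 'alarm'`, and the same change applies to the second `case` branch that builds the reason. The `?|` operator is already used by other controls in this diff, so `?` stays within the same dialect. The reason text `' does not has a URL config.'` should read `' does not have a URL config.'`.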
diff --git a/compliance/controls/aws/aws_lambda_function_dead_letter_queue_configured.yaml b/compliance/controls/aws/aws_lambda_function_dead_letter_queue_configured.yaml
index f1b7b551b..26e4617e0 100755
--- a/compliance/controls/aws/aws_lambda_function_dead_letter_queue_configured.yaml
+++ b/compliance/controls/aws/aws_lambda_function_dead_letter_queue_configured.yaml
@@ -1,54 +1,38 @@
 ID: aws_lambda_function_dead_letter_queue_configured
 Title: "Lambda functions should be configured with a dead-letter queue"
 Description: "Enable this rule to help notify the appropriate personnel through AWS Simple Queue Service (AWS SQS) or AWS Simple Notification Service (AWS SNS) when a function has failed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when dead_letter_config_target_arn is null then 'alarm'
- else 'ok'
- end as status,
- case
- when dead_letter_config_target_arn is null then title || ' configured with dead-letter queue.'
- else title || ' not configured with dead-letter queue.'
- end as reason
-
- , region, account_id
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when dead_letter_config_target_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when dead_letter_config_target_arn is null then title || ' configured with dead-letter queue.'\n else title || ' not configured with dead-letter queue.'\n end as reason\n \n , region, account_id\nfrom\n aws_lambda_function;\n"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 service:
- - AWS/Lambda
+ - AWS/Lambda
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
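Review bot: The reason strings are inverted relative to the status: a null `dead_letter_config_target_arn` yields `'alarm'` but the message says `' configured with dead-letter queue.'`, while a configured target is described as `' not configured with dead-letter queue.'`. Swap the two branches, `when dead_letter_config_target_arn is null then title || ' not configured with dead-letter queue.'` and `else title || ' configured with dead-letter queue.'`. The bug predates this commit, but the line is rewritten here, so this is the place to fix it.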
diff --git a/compliance/controls/aws/aws_lambda_function_encryption_enabled.yaml b/compliance/controls/aws/aws_lambda_function_encryption_enabled.yaml
index 3932359ac..09204a3ce 100755
--- a/compliance/controls/aws/aws_lambda_function_encryption_enabled.yaml
+++ b/compliance/controls/aws/aws_lambda_function_encryption_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_lambda_function_encryption_enabled
 Title: "Ensure encryption in transit is enabled for Lambda environment variables"
 Description: "As you can set your own environmental variables for Lambda it is important to also encrypt them for in transit protection."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_lambda_function;
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_in_vpc.yaml b/compliance/controls/aws/aws_lambda_function_in_vpc.yaml
index c3c3f6935..e44a62a29 100755
--- a/compliance/controls/aws/aws_lambda_function_in_vpc.yaml
+++ b/compliance/controls/aws/aws_lambda_function_in_vpc.yaml
@@ -1,66 +1,50 @@
 ID: aws_lambda_function_in_vpc
 Title: "Lambda functions should be in a VPC"
 Description: "Deploy AWS Lambda functions within an AWS Virtual Private Cloud (AWS VPC) for a secure communication between a function and other services within the AWS VPC."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when vpc_id is null or vpc_id = '' then 'alarm'
- else 'ok'
- end status,
- case
- when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'
- else title || ' is in VPC ' || vpc_id || '.'
- end reason
-
- , region, account_id
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_id is null or vpc_id = '' then 'alarm'\n else 'ok'\n end status,\n case\n when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'\n else title || ' is in VPC ' || vpc_id || '.'\n end reason\n \n , region, account_id\nfrom\n aws_lambda_function;\n"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 rbi_cyber_security:
- - "true"
+ - "true"
 service:
- - AWS/Lambda
+ - AWS/Lambda
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_multiple_az_configured.yaml b/compliance/controls/aws/aws_lambda_function_multiple_az_configured.yaml
index a133ecd56..19d200e9a 100755
--- a/compliance/controls/aws/aws_lambda_function_multiple_az_configured.yaml
+++ b/compliance/controls/aws/aws_lambda_function_multiple_az_configured.yaml
@@ -1,55 +1,27 @@
 ID: aws_lambda_function_multiple_az_configured
 Title: "Lambda functions should operate in more than one availability zone"
 Description: "This control checks if Lambda has more than one availability zone associated. The rule fails if only one availability zone is associated with Lambda."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when vpc_id is null or vpc_id = '' then 'skip'
- else case
- when
- (
- select
- count(distinct availability_zone_id)
- from
- aws_vpc_subnet
- where
- subnet_id in (select jsonb_array_elements_text(vpc_subnet_ids) )
- ) >= 2
- then 'ok'
- else 'alarm'
- end
- end as status,
- case
- when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'
- else title || ' has ' || jsonb_array_length(vpc_subnet_ids) || ' availability zone(s).'
- end as reason
-
- , region, account_id
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_id is null or vpc_id = '' then 'skip'\n else case\n when\n (\n select\n count(distinct availability_zone_id)\n from\n aws_vpc_subnet\n where\n subnet_id in (select jsonb_array_elements_text(vpc_subnet_ids) )\n ) >= 2\n then 'ok'\n else 'alarm'\n end\n end as status,\n case\n when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'\n else title || ' has ' || jsonb_array_length(vpc_subnet_ids) || ' availability zone(s).'\n end as reason\n \n , region, account_id\nfrom\n aws_lambda_function;\n"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
- - aws_vpc_subnet
+ - aws_lambda_function
+ - aws_vpc_subnet
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - high_availability
+ - high_availability
 foundational_security_item_id:
- - lambda_5
+ - lambda_5
 plugin:
- - aws
+ - aws
 service:
- - AWS/Lambda
+ - AWS/Lambda
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_restrict_public_access.yaml b/compliance/controls/aws/aws_lambda_function_restrict_public_access.yaml
index f0c2c785b..1b8dae84e 100755
--- a/compliance/controls/aws/aws_lambda_function_restrict_public_access.yaml
+++ b/compliance/controls/aws/aws_lambda_function_restrict_public_access.yaml
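Review bot: The reason column reports `jsonb_array_length(vpc_subnet_ids)` as the number of availability zones, while the status counts distinct `availability_zone_id` values from `aws_vpc_subnet`; a function on two subnets in one AZ therefore alarms with the message `has 2 availability zone(s)`. Reuse the same count in the message, `else title || ' has ' || (select count(distinct availability_zone_id) from aws_vpc_subnet where subnet_id in (select jsonb_array_elements_text(vpc_subnet_ids))) || ' availability zone(s).'`, or compute it once in a CTE so the two columns cannot drift again. With the SQL now folded into one quoted line, a mismatch like this is easy to miss in review.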
@@ -1,90 +1,50 @@
 ID: aws_lambda_function_restrict_public_access
 Title: "Lambda functions should restrict public access"
 Description: "Manage access to resources in the AWS Cloud by ensuring AWS Lambda functions cannot be publicly accessed."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with wildcard_action_policies as (
- select
- arn,
- count(*) as statements_num
- from
- aws_lambda_function,
- jsonb_array_elements(
- case jsonb_typeof(policy_std -> 'Statement')
- when 'array'
- then policy_std -> 'Statement'
- else '[]'
- end
- ) as s
- where
- s ->> 'Effect' = 'Allow'
- and (
- ( s -> 'Principal' -> 'AWS') = '["*"]'
- or s ->> 'Principal' = '*'
- )
- group by
- arn
- )
- select
- f.arn as resource,
- f.og_account_id as og_account_id,
- f.og_resource_id as og_resource_id,
- case
- when p.arn is null then 'ok'
- else 'alarm'
- end as status,
- case
- when p.arn is null then title || ' does not allow public access.'
- else title || ' contains ' || coalesce(p.statements_num,0) ||
- ' statements that allows public access.'
- end as reason
-
- , f.region, f.account_id
- from
- aws_lambda_function as f
- left join wildcard_action_policies as p on p.arn = f.arn;
+ QueryToExecute: "with wildcard_action_policies as (\n select\n arn,\n count(*) as statements_num\n from\n aws_lambda_function,\n jsonb_array_elements(\n case jsonb_typeof(policy_std -> 'Statement') \n when 'array' \n then policy_std -> 'Statement' \n else '[]' \n end\n ) as s\n where\n s ->> 'Effect' = 'Allow'\n and (\n ( s -> 'Principal' -> 'AWS') = '[\"*\"]'\n or s ->> 'Principal' = '*'\n )\n group by\n arn\n)\nselect\n f.arn as resource,\n f.og_account_id as og_account_id,\n f.og_resource_id as og_resource_id,\n case\n when p.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when p.arn is null then title || ' does not allow public access.'\n else title || ' contains ' || coalesce(p.statements_num,0) ||\n ' statements that allows public access.'\n end as reason\n \n , f.region, f.account_id\nfrom\n aws_lambda_function as f\n left join wildcard_action_policies as p on p.arn = f.arn;\n"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis_controls_v8_ig1:
- - "true"
+ - "true"
 cisa_cyber_essentials:
- - "true"
+ - "true"
 fedramp_low_rev_4:
- - "true"
+ - "true"
 fedramp_moderate_rev_4:
- - "true"
+ - "true"
 ffiec:
- - "true"
+ - "true"
 gxp_21_cfr_part_11:
- - "true"
+ - "true"
 hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
 hipaa_security_rule_2003:
- - "true"
+ - "true"
 nist_800_171_rev_2:
- - "true"
+ - "true"
 nist_800_53_rev_4:
- - "true"
+ - "true"
 nist_800_53_rev_5:
- - "true"
+ - "true"
 nist_csf:
- - "true"
+ - "true"
 pci_dss_v321:
- - "true"
+ - "true"
 plugin:
- - aws
+ - aws
 rbi_cyber_security:
- - "true"
+ - "true"
 service:
- - AWS/Lambda
+ - AWS/Lambda
 soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
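Review bot: The public-access test matches only `Principal.AWS = ["*"]` or `Principal = "*"`; if `policy_std` can leave `Principal.AWS` as a bare string, a `{"AWS": "*"}` statement would be reported as not public, so add `or s -> 'Principal' ->> 'AWS' = '*'` to the `and (...)` group — presumably `policy_std` normalises this into an array, but the assumption deserves a comment on the control. A `*` principal narrowed by a `Condition` (for example on `aws:SourceArn`) is also counted as public; that is a defensible default for a compliance check, but the Description should state that conditions are not evaluated. Note that the quoted form now preserves the trailing spaces in `'Statement') \n`, `'array' \n`, `'Statement' \n` and `'[]' \n` that were invisible in the literal block; they are harmless in SQL but will look like noise in future diffs.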
diff --git a/compliance/controls/aws/aws_lambda_function_restrict_public_url.yaml b/compliance/controls/aws/aws_lambda_function_restrict_public_url.yaml
index 7ff7c1866..036d56401 100755
--- a/compliance/controls/aws/aws_lambda_function_restrict_public_url.yaml
+++ b/compliance/controls/aws/aws_lambda_function_restrict_public_url.yaml
@@ -1,32 +1,14 @@
 ID: aws_lambda_function_restrict_public_url
 Title: "Lambda functions should restrict public URL"
 Description: "This control verifies that the Lambda function does not have a publicly accessible URL. Exposing services publicly could potentially make sensitive data accessible to malicious actors."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when url_config is null then 'info'
- when url_config ->> 'AuthType' = 'AWS_IAM' then 'ok'
- else 'alarm'
- end as status,
- case
- when url_config is null then title || ' having no URL config.'
- when url_config ->> 'AuthType' = 'AWS_IAM' then title || ' restricts public function URL.'
- else title || ' public function URL configured.'
- end as reason
-
-
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when url_config is null then 'info'\n when url_config ->> 'AuthType' = 'AWS_IAM' then 'ok'\n else 'alarm'\n end as status,\n case\n when url_config is null then title || ' having no URL config.'\n when url_config ->> 'AuthType' = 'AWS_IAM' then title || ' restricts public function URL.'\n else title || ' public function URL configured.'\n end as reason\n \n \nfrom\n aws_lambda_function;"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_tracing_enabled.yaml b/compliance/controls/aws/aws_lambda_function_tracing_enabled.yaml
index 285cd255b..5016d3bc2 100755
--- a/compliance/controls/aws/aws_lambda_function_tracing_enabled.yaml
+++ b/compliance/controls/aws/aws_lambda_function_tracing_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_lambda_function_tracing_enabled
 Title: "Lambda functions tracing should be enabled"
 Description: "AWS X-Ray can be used to visualize the components of application, identify performance bottlenecks, and troubleshoot requests that resulted in an error. Lambda functions send trace data to X-Ray, and X-Ray processes the data to generate a service map and searchable trace summaries."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_lambda_function;
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_use_latest_runtime.yaml b/compliance/controls/aws/aws_lambda_function_use_latest_runtime.yaml
index 927b48460..d58ed3438 100755
--- a/compliance/controls/aws/aws_lambda_function_use_latest_runtime.yaml
+++ b/compliance/controls/aws/aws_lambda_function_use_latest_runtime.yaml
@@ -1,44 +1,26 @@
 ID: aws_lambda_function_use_latest_runtime
 Title: "Lambda functions should use latest runtimes"
 Description: "This control checks that the Lambda function settings for runtimes match the expected values set for the latest runtimes for each supported language. This control checks for the following runtimes: nodejs20.x, nodejs18.x, nodejs16.x, python3.12, python3.11, python3.10, python3.9, python3.8, ruby3.3, ruby3.2, java21, java17, java11, java8.al2, dotnet8, dotnet6"
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when package_type <> 'Zip' then 'skip'
- when runtime in ('nodejs16.x', 'nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'java8.al2', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1', 'dotnet6') then 'ok'
- else 'alarm'
- end as status,
- case
- when package_type <> 'Zip' then title || ' package type is ' || package_type || '.'
- when runtime in ('nodejs16.x', 'nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'java8.al2', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1', 'dotnet6') then title || ' uses latest runtime - ' || runtime || '.'
- else title || ' uses ' || runtime || ' which is not the latest version.'
- end as reason
-
- , region, account_id
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when package_type <> 'Zip' then 'skip'\n when runtime in ('nodejs16.x', 'nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'java8.al2', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1', 'dotnet6') then 'ok'\n else 'alarm'\n end as status,\n case\n when package_type <> 'Zip' then title || ' package type is ' || package_type || '.'\n when runtime in ('nodejs16.x', 'nodejs14.x', 'nodejs12.x', 'nodejs10.x', 'python3.9', 'python3.8', 'python3.7', 'python3.6', 'ruby2.5', 'ruby2.7', 'java11', 'java8', 'java8.al2', 'go1.x', 'dotnetcore2.1', 'dotnetcore3.1', 'dotnet6') then title || ' uses latest runtime - ' || runtime || '.'\n else title || ' uses ' || runtime || ' which is not the latest version.'\n end as reason\n \n , region, account_id\nfrom\n aws_lambda_function;\n"
 PrimaryTable: aws_lambda_function
 ListOfTables:
- - aws_lambda_function
+ - aws_lambda_function
 Parameters: []
 Severity: medium
 Tags:
 aws_foundational_security:
- - "true"
+ - "true"
 category:
- - Compliance
+ - Compliance
 foundational_security_category:
- - secure_development
+ - secure_development
 foundational_security_item_id:
- - lambda_2
+ - lambda_2
 plugin:
- - aws
+ - aws
 service:
- - AWS/Lambda
+ - AWS/Lambda
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_lambda_function_variables_no_sensitive_data.yaml b/compliance/controls/aws/aws_lambda_function_variables_no_sensitive_data.yaml
index 41e4d854d..afcbfc840 100755
--- a/compliance/controls/aws/aws_lambda_function_variables_no_sensitive_data.yaml
+++ b/compliance/controls/aws/aws_lambda_function_variables_no_sensitive_data.yaml
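Review bot: The `runtime in (...)` list on the new side contradicts the Description: the Description names nodejs20.x, nodejs18.x, python3.12–3.10, ruby3.3/3.2, java21/17 and dotnet8 as the latest runtimes, but the query marks nodejs10.x–14.x, python3.6/3.7, ruby2.5/2.7, go1.x and dotnetcore2.1/3.1 as `'ok'` and would report a function on nodejs20.x or python3.12 as `' which is not the latest version.'`. Both `when runtime in` clauses should use the Description's set, e.g. `when runtime in ('nodejs20.x', 'nodejs18.x', 'nodejs16.x', 'python3.12', 'python3.11', 'python3.10', 'python3.9', 'python3.8', 'ruby3.3', 'ruby3.2', 'java21', 'java17', 'java11', 'java8.al2', 'dotnet8', 'dotnet6') then 'ok'`, and since the list is duplicated, a CTE or a control parameter would keep the two copies in step. Folding the SQL into one quoted line makes the duplication and the mismatch harder to spot.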
@@ -1,44 +1,14 @@ ID: aws_lambda_function_variables_no_sensitive_data Title: "Lambda functions variable should not have any sensitive data" Description: "Ensure functions environment variables is not having any sensitive data. Leveraging Secrets Manager enables secure provisioning of database credentials to Lambda functions while also ensuring the security of databases. This approach eliminates the need to hardcode secrets in code or pass them through environmental variables. Additionally, Secrets Manager facilitates the secure retrieval of credentials for establishing connections to databases and performing queries, enhancing overall security measures." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with function_vaiable_with_sensitive_data as ( - select - distinct arn, - name - from - aws_lambda_function - join jsonb_each_text(environment_variables) d on true - where - d.key ilike any (array['%pass%', '%secret%', '%token%', '%key%']) - or d.key ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - or d.value ilike any (array['%pass%', '%secret%', '%token%', '%key%']) - or d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' - ) - select - f.arn as resource, - f.og_account_id as og_account_id, - f.og_resource_id as og_resource_id, - case - when b.arn is null then 'ok' - else 'alarm' - end as status, - case - when b.arn is null then f.title || ' has no sensitive data.' - else f.title || ' has potential sensitive data.' 
- end as reason - - - from - aws_lambda_function as f - left join function_vaiable_with_sensitive_data b on f.arn = b.arn; + QueryToExecute: "with function_vaiable_with_sensitive_data as (\nselect\n distinct arn,\n name\nfrom\n aws_lambda_function\n join jsonb_each_text(environment_variables) d on true\nwhere\n d.key ilike any (array['%pass%', '%secret%', '%token%', '%key%'])\n or d.key ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]'\n or d.value ilike any (array['%pass%', '%secret%', '%token%', '%key%'])\n or d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[@$!%*?&])[A-Za-z\\d@$!%*?&]'\n)\nselect\n f.arn as resource,\n f.og_account_id as og_account_id,\n f.og_resource_id as og_resource_id,\n case\n when b.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is null then f.title || ' has no sensitive data.'\n else f.title || ' has potential sensitive data.'\n end as reason\n \n \nfrom\n aws_lambda_function as f\n left join function_vaiable_with_sensitive_data b on f.arn = b.arn;" PrimaryTable: aws_lambda_function ListOfTables: - - aws_lambda_function + - aws_lambda_function Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_lightsail_instance_ipv6_networking_disabled.yaml b/compliance/controls/aws/aws_lightsail_instance_ipv6_networking_disabled.yaml index 1a5552f8c..6fb723c03 100755 --- a/compliance/controls/aws/aws_lightsail_instance_ipv6_networking_disabled.yaml +++ b/compliance/controls/aws/aws_lightsail_instance_ipv6_networking_disabled.yaml 
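Review bot: Rewriting the query as a double-quoted scalar forces every regex backslash to be doubled (`\\d` in both `~` patterns), so the next edit that writes `\d` as the removed block scalar did will either fail YAML parsing or silently change the pattern; a `|-` block scalar keeps the regexes literal and readable. The CTE name `function_vaiable_with_sensitive_data` (used twice) is a typo for `function_variable_with_sensitive_data`. Note also that `%pass%` and `%key%` match as substrings of any key or value, so a constructed name such as `CACHE_BYPASS` or `KEYSPACE` will raise an alarm; if that noise is unwanted, anchoring the patterns on word boundaries would reduce it.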
@@ -1,29 +1,14 @@ ID: aws_lightsail_instance_ipv6_networking_disabled Title: "Disable IPv6 Networking if not in use within your organization" Description: "Any protocols enable within Lightsail by default that aren't being used should be disabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - name as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when ip_v6_addresses is null then 'ok' - else 'alarm' - end as status, - case - when ip_v6_addresses is null then name || ' has IPv6 networking disabled.' - else name || ' has IPv6 networking enabled.' - end as reason - - from - aws_lightsail_instance; + QueryToExecute: "select\n name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when ip_v6_addresses is null then 'ok'\n else 'alarm'\n end as status,\n case\n when ip_v6_addresses is null then name || ' has IPv6 networking disabled.'\n else name || ' has IPv6 networking enabled.'\n end as reason\n \nfrom\n aws_lightsail_instance;" PrimaryTable: aws_lightsail_instance ListOfTables: - - aws_lightsail_instance + - aws_lightsail_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_group_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_log_group_encryption_at_rest_enabled.yaml index f3ee1ac19..63e28c502 100755 --- a/compliance/controls/aws/aws_log_group_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_log_group_encryption_at_rest_enabled.yaml 
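Review bot: `ip_v6_addresses is null` is the only test for "disabled" in QueryToExecute; if the column holds an empty JSON array rather than null when no IPv6 address is assigned (not visible here), such instances are reported as 'alarm' with "has IPv6 networking enabled". If that is the case, both case branches should use `when ip_v6_addresses is null or jsonb_array_length(ip_v6_addresses) = 0`. The Description in this hunk also reads awkwardly; `Any protocols enabled in Lightsail by default that are not in use should be disabled.` says the same thing clearly.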
@@ -1,66 +1,50 @@ ID: aws_log_group_encryption_at_rest_enabled Title: "Log group encryption at rest should be enabled" Description: "To help protect sensitive data at rest, ensure encryption is enabled for your AWS CloudWatch Log Group." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when kms_key_id is null then 'alarm' - else 'ok' - end as status, - case - when kms_key_id is null then title || ' not encrypted at rest.' - else title || ' encrypted at rest.' - end as reason - - , region, account_id - from - aws_cloudwatch_log_group; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_key_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_key_id is null then title || ' not encrypted at rest.'\n else title || ' encrypted at rest.'\n end as reason\n \n , region, account_id\nfrom\n aws_cloudwatch_log_group;\n" PrimaryTable: aws_cloudwatch_log_group ListOfTables: - - aws_cloudwatch_log_group + - aws_cloudwatch_log_group Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/CloudWatch + - AWS/CloudWatch soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
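Review bot: The reason strings in QueryToExecute overstate the finding: CloudWatch Logs encrypts log group data at rest by default with an AWS-managed key, and `kms_key_id is null` only shows that no customer managed KMS key is associated with the group. The branches should say what remediation actually requires, e.g. `when kms_key_id is null then title || ' is not encrypted with a customer managed KMS key.'` and `else title || ' is encrypted with a customer managed KMS key.'`. The Title could likewise read `Log groups should be encrypted with a customer managed KMS key` so the control's intent is not misread as "data is stored in clear".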
diff --git a/compliance/controls/aws/aws_log_metric_filter_bucket_policy.yaml b/compliance/controls/aws/aws_log_metric_filter_bucket_policy.yaml index fe2edb158..30f75bb58 100755 --- a/compliance/controls/aws/aws_log_metric_filter_bucket_policy.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_bucket_policy.yaml @@ -1,8 +1,6 @@ ID: aws_log_metric_filter_bucket_policy Title: "Ensure a log metric filter and alarm exist for S3 bucket policy changes" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -53,29 +51,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.8" + - "3.8" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_cloudtrail_configuration.yaml b/compliance/controls/aws/aws_log_metric_filter_cloudtrail_configuration.yaml index 29a3d7ff2..e8ebd6240 100755 --- a/compliance/controls/aws/aws_log_metric_filter_cloudtrail_configuration.yaml 
+++ b/compliance/controls/aws/aws_log_metric_filter_cloudtrail_configuration.yaml @@ -1,8 +1,6 @@ ID: aws_log_metric_filter_cloudtrail_configuration Title: "Ensure a log metric filter and alarm exist for CloudTrail configuration changes" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -52,29 +50,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.5" + - "3.5" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_config_configuration.yaml b/compliance/controls/aws/aws_log_metric_filter_config_configuration.yaml index 5aecdf49a..8c5cbf5b4 100755 --- a/compliance/controls/aws/aws_log_metric_filter_config_configuration.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_config_configuration.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_config_configuration Title: "Ensure a log metric filter and alarm exist for AWS Config configuration changes" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -52,29 +50,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.9" + - "3.9" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_console_authentication_failure.yaml b/compliance/controls/aws/aws_log_metric_filter_console_authentication_failure.yaml index 21f0de1bc..967dd295c 100755 --- a/compliance/controls/aws/aws_log_metric_filter_console_authentication_failure.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_console_authentication_failure.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_console_authentication_failure Title: "Ensure a log metric filter and alarm exist for AWS Management Console authentication failures" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for failed console authentication attempts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -52,29 +50,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.6" + - "3.6" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_console_login_mfa.yaml b/compliance/controls/aws/aws_log_metric_filter_console_login_mfa.yaml index c7c04f212..af0ad14c3 100755 --- a/compliance/controls/aws/aws_log_metric_filter_console_login_mfa.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_console_login_mfa.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_console_login_mfa Title: "Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm console logins that aren't protected by MFA." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -46,36 +44,38 @@ Query: when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.' else filter_name || ' forwards events for console sign-in without MFA.' end as reason - + , a.account_id from aws_account as a left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.2" + - "3.2" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_disable_or_delete_cmk.yaml b/compliance/controls/aws/aws_log_metric_filter_disable_or_delete_cmk.yaml index f30c65baf..3c7ed3eea 100755 --- a/compliance/controls/aws/aws_log_metric_filter_disable_or_delete_cmk.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_disable_or_delete_cmk.yaml 
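Review bot: The second hunk in this file replaces a blank line with `+ , a.account_id` in the query's select list (the same change appears in aws_log_metric_filter_iam_policy, aws_log_metric_filter_root_login, aws_log_metric_filter_unauthorized_api and aws_log_metric_filter_vpc), while the other aws_log_metric_filter_* hunks in this commit show no change to their projection. Whether those already emit account_id is not visible here, so the result columns may now differ between controls that share the same five-table shape; worth confirming every aws_log_metric_filter_* query ends with the same projection. The select statement itself starts above the hunk.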
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_disable_or_delete_cmk Title: "Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -52,29 +50,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.7" + - "3.7" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_iam_policy.yaml b/compliance/controls/aws/aws_log_metric_filter_iam_policy.yaml index fd9f22ee3..47ab98827 100755 --- a/compliance/controls/aws/aws_log_metric_filter_iam_policy.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_iam_policy.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_iam_policy Title: "Ensure a log metric filter and alarm exist for IAM policy changes" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Hub recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -47,36 +45,38 @@ Query: when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.' else filter_name || ' forwards events for IAM policy changes.' end as reason - + , a.account_id from aws_account as a left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.4" + - "3.4" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_network_acl.yaml b/compliance/controls/aws/aws_log_metric_filter_network_acl.yaml index cfd2cd0be..b8fea12f5 100755 --- a/compliance/controls/aws/aws_log_metric_filter_network_acl.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_network_acl.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_network_acl Title: "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -52,29 +50,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.11" + - "3.11" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_network_gateway.yaml b/compliance/controls/aws/aws_log_metric_filter_network_gateway.yaml index f5bc1b327..d3e0d1d4a 100755 --- a/compliance/controls/aws/aws_log_metric_filter_network_gateway.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_network_gateway.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_network_gateway Title: "Ensure a log metric filter and alarm exist for changes to network gateways" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send and receive traffic to a destination outside a VPC. Security Hub recommends that you create a metric filter and alarm for changes to network gateways." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -53,29 +51,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.12" + - "3.12" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_organization.yaml b/compliance/controls/aws/aws_log_metric_filter_organization.yaml index ce0aaeead..a128f6df0 100755 --- a/compliance/controls/aws/aws_log_metric_filter_organization.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_organization.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_organization Title: "Ensure AWS Organizations changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -53,29 +51,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "4.15" + - "4.15" cis_level: - - "1" + - "1" cis_section_id: - - "4" + - "4" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_root_login.yaml b/compliance/controls/aws/aws_log_metric_filter_root_login.yaml index 754b90d0a..0dc3e9159 100755 --- a/compliance/controls/aws/aws_log_metric_filter_root_login.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_root_login.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_root_login Title: "Ensure a log metric filter and alarm exist for usage of 'root' account" Description: "You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.Security Hub recommends that you create a metric filter and alarm for root login attempts. Monitoring for root account logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -46,36 +44,38 @@ Query: when f.trail_name is null then 'No log metric filter and alarm exist for usage of "root" account.' else filter_name || ' forwards events for usage of "root" account.' end as reason - + , a.account_id from aws_account as a left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.3" + - "3.3" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_route_table.yaml b/compliance/controls/aws/aws_log_metric_filter_route_table.yaml index 4a90351c9..29f6487e6 100755 --- a/compliance/controls/aws/aws_log_metric_filter_route_table.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_route_table.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_route_table Title: "Ensure a log metric filter and alarm exist for route table changes" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables route network traffic between subnets and to network gateways. Security Hub recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -53,29 +51,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.13" + - "3.13" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_security_group.yaml b/compliance/controls/aws/aws_log_metric_filter_security_group.yaml index 8465a6045..f0a26d68f 100755 --- a/compliance/controls/aws/aws_log_metric_filter_security_group.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_security_group.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_security_group Title: "Ensure a log metric filter and alarm exist for security group changes" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC. Security Hub recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -52,29 +50,31 @@ Query: left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.10" + - "3.10" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_unauthorized_api.yaml b/compliance/controls/aws/aws_log_metric_filter_unauthorized_api.yaml index 5e78546d9..dd61ec23a 100755 --- a/compliance/controls/aws/aws_log_metric_filter_unauthorized_api.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_unauthorized_api.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_unauthorized_api Title: "Ensure a log metric filter and alarm exist for unauthorized API calls" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -46,36 +44,38 @@ Query: when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.' else filter_name || ' forwards events for unauthorized API calls.' end as reason - + , a.account_id from aws_account as a left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.1" + - "3.1" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_log_metric_filter_vpc.yaml b/compliance/controls/aws/aws_log_metric_filter_vpc.yaml index 073f30159..6b687745f 100755 --- a/compliance/controls/aws/aws_log_metric_filter_vpc.yaml +++ b/compliance/controls/aws/aws_log_metric_filter_vpc.yaml 
@@ -1,8 +1,6 @@ ID: aws_log_metric_filter_vpc Title: "Ensure a log metric filter and alarm exist for VPC changes" Description: "You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs. Security Hub recommends that you create a metric filter and alarm for changes to VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -47,36 +45,38 @@ Query: when f.trail_name is null then 'No log metric filter and alarm exist for VPC changes.' else filter_name || ' forwards events for VPC changes.' end as reason - + , a.account_id from aws_account as a left join filter_data as f on a.account_id = f.account_id; PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail - - aws_cloudwatch_alarm - - aws_cloudwatch_log_metric_filter - - aws_sns_topic_subscription + - aws_account + - aws_cloudtrail_trail + - aws_cloudwatch_alarm + - aws_cloudwatch_log_metric_filter + - aws_sns_topic_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.14" + - "3.14" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/CloudWatch + - AWS/CloudWatch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_accessanalyzer_analyzer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_accessanalyzer_analyzer_mandatory.yaml index 3dc8d7928..fe9f60a85 100755 --- a/compliance/controls/aws/aws_mandatory_sql_accessanalyzer_analyzer_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_accessanalyzer_analyzer_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_accessanalyzer_analyzer_mandatory Title: "Access Analyzer analyzers should have mandatory tags" Description: "Check if Access Analyzer analyzers have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_accessanalyzer_analyzer - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_accessanalyzer_analyzer\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_accessanalyzer_analyzer ListOfTables: - - aws_accessanalyzer_analyzer + - aws_accessanalyzer_analyzer Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} 
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_api_gateway_stage_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_api_gateway_stage_mandatory.yaml
index 256d62dd0..e9e7d6801 100755
--- a/compliance/controls/aws/aws_mandatory_sql_api_gateway_stage_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_api_gateway_stage_mandatory.yaml
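Review bot: Rewriting `QueryToExecute` from the `|` block scalar on the removed side into a single double-quoted string with `\n` escapes makes the SQL unreadable in review and embeds a whitespace-only line (`\n \n` before `, region, account_id`) that a block scalar would show as trailing whitespace; keep `QueryToExecute: |` followed by the indented statement, as the old lines had it. Separately, `'{{.awsMandatoryTags}}'::text[]` splices the `awsMandatoryTags` parameter as raw text inside a SQL string literal, so a value containing a quote or unexpected array syntax alters the statement instead of being treated as data; the `Parameters` entry should document the expected Postgres array-literal form (e.g. `{Owner,Environment}`, a constructed example) and the renderer should validate or escape the value before substitution. Both points apply unchanged to every other aws_mandatory_sql_* hunk in this chunk, from api_gateway_stage through dynamodb_table, so one fix at the template source covers them all.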
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_api_gateway_stage_mandatory Title: "API Gateway stages should have mandatory tags" Description: "Check if API Gateway stages have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_api_gateway_stage - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_api_gateway_stage\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_api_gateway_stage ListOfTables: - - aws_api_gateway_stage + - aws_api_gateway_stage Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_mandatory_sql_cloudfront_distribution_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_cloudfront_distribution_mandatory.yaml
index 351e0ceb7..1e5957aa9 100755
--- a/compliance/controls/aws/aws_mandatory_sql_cloudfront_distribution_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_cloudfront_distribution_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_cloudfront_distribution_mandatory Title: "CloudFront distributions should have mandatory tags" Description: "Check if CloudFront distributions have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_cloudfront_distribution - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_cloudfront_distribution\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_cloudfront_distribution ListOfTables: - - aws_cloudfront_distribution + - aws_cloudfront_distribution Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} 
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_cloudtrail_trail_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_cloudtrail_trail_mandatory.yaml
index e6cd2f969..12d6b0c54 100755
--- a/compliance/controls/aws/aws_mandatory_sql_cloudtrail_trail_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_cloudtrail_trail_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_cloudtrail_trail_mandatory Title: "CloudTrail trails should have mandatory tags" Description: "Check if CloudTrail trails have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_cloudtrail_trail - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_cloudtrail_trail\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_cloudtrail_trail ListOfTables: - - aws_cloudtrail_trail + - aws_cloudtrail_trail Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_mandatory_sql_cloudwatch_alarm_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_cloudwatch_alarm_mandatory.yaml
index e87d964b6..170f30853 100755
--- a/compliance/controls/aws/aws_mandatory_sql_cloudwatch_alarm_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_cloudwatch_alarm_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_cloudwatch_alarm_mandatory Title: "CloudWatch alarms should have mandatory tags" Description: "Check if CloudWatch alarms have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_cloudwatch_alarm - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_cloudwatch_alarm\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_cloudwatch_alarm ListOfTables: - - aws_cloudwatch_alarm + - aws_cloudwatch_alarm Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_mandatory_sql_cloudwatch_log_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_cloudwatch_log_group_mandatory.yaml
index 4e0bcb8f7..6c209646d 100755
--- a/compliance/controls/aws/aws_mandatory_sql_cloudwatch_log_group_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_cloudwatch_log_group_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_cloudwatch_log_group_mandatory Title: "CloudWatch log groups should have mandatory tags" Description: "Check if CloudWatch log groups have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_cloudwatch_log_group - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_cloudwatch_log_group\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_cloudwatch_log_group ListOfTables: - - aws_cloudwatch_log_group + - aws_cloudwatch_log_group Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_mandatory_sql_codebuild_project_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_codebuild_project_mandatory.yaml
index 2c3f8b463..604fd2d20 100755
--- a/compliance/controls/aws/aws_mandatory_sql_codebuild_project_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_codebuild_project_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_codebuild_project_mandatory Title: "CodeBuild projects should have mandatory tags" Description: "Check if CodeBuild projects have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_codebuild_project - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_codebuild_project\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_codebuild_project ListOfTables: - - aws_codebuild_project + - aws_codebuild_project Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_mandatory_sql_codecommit_repository_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_codecommit_repository_mandatory.yaml
index 6558c00f9..e1302db20 100755
--- a/compliance/controls/aws/aws_mandatory_sql_codecommit_repository_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_codecommit_repository_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_codecommit_repository_mandatory Title: "CodeCommit repositories should have mandatory tags" Description: "Check if CodeCommit repositories have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_codecommit_repository - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_codecommit_repository\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_codecommit_repository ListOfTables: - - aws_codecommit_repository + - aws_codecommit_repository Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - 
aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_codepipeline_pipeline_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_codepipeline_pipeline_mandatory.yaml
index d4bb205b0..bb1c8973e 100755
--- a/compliance/controls/aws/aws_mandatory_sql_codepipeline_pipeline_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_codepipeline_pipeline_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_codepipeline_pipeline_mandatory Title: "CodePipeline pipelines should have mandatory tags" Description: "Check if CodePipeline pipelines have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_codepipeline_pipeline - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_codepipeline_pipeline\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_codepipeline_pipeline ListOfTables: - - aws_codepipeline_pipeline + - aws_codepipeline_pipeline Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_mandatory_sql_config_rule_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_config_rule_mandatory.yaml
index 361b755a0..a6bbcd426 100755
--- a/compliance/controls/aws/aws_mandatory_sql_config_rule_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_config_rule_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_config_rule_mandatory Title: "Config rules should have mandatory tags" Description: "Check if Config rules have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_config_rule - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_config_rule\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_config_rule ListOfTables: - - aws_config_rule + - aws_config_rule Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_mandatory_sql_dax_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_dax_cluster_mandatory.yaml
index 1816ba0cc..79d3f02c5 100755
--- a/compliance/controls/aws/aws_mandatory_sql_dax_cluster_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_dax_cluster_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_dax_cluster_mandatory Title: "DAX clusters should have mandatory tags" Description: "Check if DAX clusters have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_dax_cluster - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_dax_cluster\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_dax_cluster ListOfTables: - - aws_dax_cluster + - aws_dax_cluster Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_mandatory_sql_directory_service_directory_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_directory_service_directory_mandatory.yaml
index 16beefdb1..d5289e21e 100755
--- a/compliance/controls/aws/aws_mandatory_sql_directory_service_directory_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_directory_service_directory_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_directory_service_directory_mandatory Title: "Directory Service directories should have mandatory tags" Description: "Check if Directory Service directories have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_directory_service_directory - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_directory_service_directory\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_directory_service_directory ListOfTables: - - aws_directory_service_directory + - aws_directory_service_directory Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: 
high Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_dms_replication_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_dms_replication_instance_mandatory.yaml
index e27cc5998..d334fb210 100755
--- a/compliance/controls/aws/aws_mandatory_sql_dms_replication_instance_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_dms_replication_instance_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_dms_replication_instance_mandatory Title: "DMS replication instances should have mandatory tags" Description: "Check if Dms replication instances have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_dms_replication_instance - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_dms_replication_instance\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_dms_replication_instance ListOfTables: - - aws_dms_replication_instance + - aws_dms_replication_instance Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} 
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_dynamodb_table_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_dynamodb_table_mandatory.yaml
index 0425491c4..277c7e727 100755
--- a/compliance/controls/aws/aws_mandatory_sql_dynamodb_table_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_dynamodb_table_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_dynamodb_table_mandatory
Title: "DynamoDB tables should have mandatory tags"
Description: "Check if DynamoDB tables have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_dynamodb_table
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_dynamodb_table\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_dynamodb_table
ListOfTables:
- - aws_dynamodb_table
+ - aws_dynamodb_table
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ebs_snapshot_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ebs_snapshot_mandatory.yaml
index ed4e3f326..ee139dc53 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ebs_snapshot_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ebs_snapshot_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ebs_snapshot_mandatory
Title: "EBS snapshots should have mandatory tags"
Description: "Check if EBS snapshots have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ebs_snapshot
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ebs_snapshot\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ebs_snapshot
ListOfTables:
- - aws_ebs_snapshot
+ - aws_ebs_snapshot
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ebs_volume_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ebs_volume_mandatory.yaml
index fd994cab5..828029c52 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ebs_volume_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ebs_volume_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ebs_volume_mandatory
Title: "EBS volumes should have mandatory tags"
Description: "Check if EBS volumes have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ebs_volume
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ebs_volume\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ebs_volume
ListOfTables:
- - aws_ebs_volume
+ - aws_ebs_volume
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_application_load_balancer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_application_load_balancer_mandatory.yaml
index ffdc03688..8da0a652c 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ec2_application_load_balancer_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ec2_application_load_balancer_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ec2_application_load_balancer_mandatory
Title: "EC2 application load balancers should have mandatory tags"
Description: "Check if EC2 application load balancers have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ec2_application_load_balancer
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ec2_application_load_balancer\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ec2_application_load_balancer
ListOfTables:
- - aws_ec2_application_load_balancer
+ - aws_ec2_application_load_balancer
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: 
true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_classic_load_balancer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_classic_load_balancer_mandatory.yaml
index e85b99009..cd6808943 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ec2_classic_load_balancer_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ec2_classic_load_balancer_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ec2_classic_load_balancer_mandatory
Title: "EC2 classic load balancers should have mandatory tags"
Description: "Check if EC2 classic load balancers have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ec2_classic_load_balancer
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ec2_classic_load_balancer\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ec2_classic_load_balancer
ListOfTables:
- - aws_ec2_classic_load_balancer
+ - aws_ec2_classic_load_balancer
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_gateway_load_balancer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_gateway_load_balancer_mandatory.yaml
index b8db760ba..4e706f4a8 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ec2_gateway_load_balancer_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ec2_gateway_load_balancer_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ec2_gateway_load_balancer_mandatory
Title: "EC2 gateway load balancers should have mandatory tags"
Description: "Check if EC2 gateway load balancers have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ec2_gateway_load_balancer
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ec2_gateway_load_balancer\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ec2_gateway_load_balancer
ListOfTables:
- - aws_ec2_gateway_load_balancer
+ - aws_ec2_gateway_load_balancer
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_instance_mandatory.yaml
index 5648eba5d..dd12a636c 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ec2_instance_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ec2_instance_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ec2_instance_mandatory
Title: "EC2 instances should have mandatory tags"
Description: "Check if EC2 instances have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ec2_instance
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ec2_instance\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ec2_instance
ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_network_load_balancer_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_network_load_balancer_mandatory.yaml
index 5541f077f..33e864a48 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ec2_network_load_balancer_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ec2_network_load_balancer_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ec2_network_load_balancer_mandatory
Title: "EC2 network load balancers should have mandatory tags"
Description: "Check if EC2 network load balancers have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ec2_network_load_balancer
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ec2_network_load_balancer\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ec2_network_load_balancer
ListOfTables:
- - aws_ec2_network_load_balancer
+ - aws_ec2_network_load_balancer
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ec2_reserved_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ec2_reserved_instance_mandatory.yaml
index e533bf9ae..4c9270f72 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ec2_reserved_instance_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ec2_reserved_instance_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ec2_reserved_instance_mandatory
Title: "EC2 reserved instances should have mandatory tags"
Description: "Check if EC2 reserved instances have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ec2_reserved_instance
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ec2_reserved_instance\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ec2_reserved_instance
ListOfTables:
- - aws_ec2_reserved_instance
+ - aws_ec2_reserved_instance
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ecr_repository_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ecr_repository_mandatory.yaml
index 5501d92db..3576e933f 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ecr_repository_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ecr_repository_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ecr_repository_mandatory
Title: "ECR repositories should have mandatory tags"
Description: "Check if ECR repositories have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ecr_repository
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ecr_repository\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ecr_repository
ListOfTables:
- - aws_ecr_repository
+ - aws_ecr_repository
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ecs_container_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ecs_container_instance_mandatory.yaml
index c500cb76a..73f7e55bd 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ecs_container_instance_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ecs_container_instance_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ecs_container_instance_mandatory
Title: "ECS container instances should have mandatory tags"
Description: "Check if ECS container instances have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ecs_container_instance
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ecs_container_instance\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ecs_container_instance
ListOfTables:
- - aws_ecs_container_instance
+ - aws_ecs_container_instance
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - 
aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ecs_service_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ecs_service_mandatory.yaml
index 8ae222c9b..d40ec2cc9 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ecs_service_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ecs_service_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_ecs_service_mandatory
Title: "ECS services should have mandatory tags"
Description: "Check if ECS services have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ecs_service
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ecs_service\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_ecs_service
ListOfTables:
- - aws_ecs_service
+ - aws_ecs_service
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_efs_file_system_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_efs_file_system_mandatory.yaml
index e614955e4..20ffc5415 100755
--- a/compliance/controls/aws/aws_mandatory_sql_efs_file_system_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_efs_file_system_mandatory.yaml
@@ -1,47 +1,16 @@
ID: aws_mandatory_sql_efs_file_system_mandatory
Title: "EFS file systems should have mandatory tags"
Description: "Check if EFS file systems have mandatory tags."
-Connector:
-- aws
Query:
Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_efs_file_system
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_efs_file_system\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
PrimaryTable: aws_efs_file_system
ListOfTables:
- - aws_efs_file_system
+ - aws_efs_file_system
Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
Severity: high
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_eks_addon_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_eks_addon_mandatory.yaml
index 55685f93b..53a22b08b 100755
--- a/compliance/controls/aws/aws_mandatory_sql_eks_addon_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_eks_addon_mandatory.yaml
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_eks_addon_mandatory Title: "EKS addons should have mandatory tags" Description: "Check if EKS addons have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_eks_addon - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_eks_addon\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_eks_addon ListOfTables: - - aws_eks_addon + - aws_eks_addon Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
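Review bot: Replacing the `|` block scalar with one double-quoted string full of `\n` escapes makes `QueryToExecute` unreviewable in a diff and turns every future `"` or `\` added to the SQL into a manual escaping job. The scalar's value is unchanged, so this is a formatting regression rather than a functional change; `QueryToExecute: |` followed by the indented SQL, as the removed lines had it, is the readable form. If a serializer emitted this, configure it to write block scalars for multi-line strings.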
diff --git a/compliance/controls/aws/aws_mandatory_sql_eks_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_eks_cluster_mandatory.yaml index c7592c417..4f45075c3 100755 --- a/compliance/controls/aws/aws_mandatory_sql_eks_cluster_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_eks_cluster_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_eks_cluster_mandatory Title: "EKS clusters should have mandatory tags" Description: "Check if EKS clusters have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_eks_cluster - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_eks_cluster\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
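Review bot: `title || ' is missing tags: ' || ...` in the `reason` branch yields NULL for the whole message whenever `title` is NULL, so a failing cluster would be reported with an empty reason; `coalesce(title, arn)` in both branches of that `case` keeps the message populated. Whether `title` can be NULL for `aws_eks_cluster` is not visible from the hunk, so treat this as a defensive change. The `tags` and `_ctx` columns are carried through the `analysis` CTE but never read by the outer select and could be dropped.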
diff --git a/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_application_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_application_mandatory.yaml index 9267e062c..29231a99f 100755 --- a/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_application_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_application_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_elastic_beanstalk_application_mandatory Title: "Elastic beanstalk applications should have mandatory tags" Description: "Check if Elastic beanstalk applications have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_elastic_beanstalk_application - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_elastic_beanstalk_application\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_elastic_beanstalk_application ListOfTables: - - aws_elastic_beanstalk_application + - aws_elastic_beanstalk_application Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: 
true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_environment_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_environment_mandatory.yaml index af506ebc9..3f3fb1825 100755 --- a/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_environment_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_elastic_beanstalk_environment_mandatory.yaml 
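Review bot: `array(select jsonb_object_keys(tags))` in the `missing_tags` expression raises an error when `tags` holds a JSON scalar or array instead of an object, which would abort the whole control rather than flag the one resource (a SQL NULL is fine: `?&` returns NULL, the `case` falls to `'alarm'`, and the subquery is empty). If the column can hold a non-object value, guarding with `case when jsonb_typeof(tags) = 'object' then array(select jsonb_object_keys(tags)) else '{}'::text[] end` keeps the check alive. I cannot tell from the hunk what shapes the column stores, so please confirm against the table definition.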
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_elastic_beanstalk_environment_mandatory Title: "Elastic beanstalk environments should have mandatory tags" Description: "Check if Elastic beanstalk environments have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_elastic_beanstalk_environment - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_elastic_beanstalk_environment\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_elastic_beanstalk_environment ListOfTables: - - aws_elastic_beanstalk_environment + - aws_elastic_beanstalk_environment Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: 
true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_elasticache_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_elasticache_cluster_mandatory.yaml index d8b4f14e8..f97d6d958 100755 --- a/compliance/controls/aws/aws_mandatory_sql_elasticache_cluster_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_elasticache_cluster_mandatory.yaml 
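Review bot: The check is case-sensitive, because `?&` and the jsonb `-` operator compare key strings exactly, so a policy listing `environment` alarms on a resource tagged `Environment`; that matches AWS tag-key semantics but is easy to trip over when filling in `awsMandatoryTags`. A sentence in `Description` such as `Tag keys are compared case-sensitively; pass them as a Postgres array literal, e.g. {Owner,Environment}.` would prevent mis-configured policies from silently alarming on every environment. The parameter is `required: true` with no default, so a missing value will presumably fail at render time rather than in SQL, which is the right place.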
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_elasticache_cluster_mandatory Title: "ElastiCache clusters should have mandatory tags" Description: "Check if ElastiCache clusters have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_elasticache_cluster - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_elasticache_cluster\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_elasticache_cluster ListOfTables: - - aws_elasticache_cluster + - aws_elasticache_cluster Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
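Review bot: `'{{.awsMandatoryTags}}'::text[]` embeds the parameter inside a single-quoted SQL literal, so a value with a `'` in it terminates the literal and the remainder is parsed as SQL; the hunk shows no validation of the parameter before expansion. If the engine does not already restrict the value, switching both occurrences to `$mt${{.awsMandatoryTags}}$mt$::text[]` makes a stray quote harmless in the query text, and an engine-side allowlist of tag-key characters is the durable fix. This applies identically to the other mandatory-tag controls in the series.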
diff --git a/compliance/controls/aws/aws_mandatory_sql_elasticsearch_domain_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_elasticsearch_domain_mandatory.yaml index 6b6ca03d3..577f1b6b1 100755 --- a/compliance/controls/aws/aws_mandatory_sql_elasticsearch_domain_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_elasticsearch_domain_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_elasticsearch_domain_mandatory Title: "ElasticSearch domains should have mandatory tags" Description: "Check if ElasticSearch domains have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_elasticsearch_domain - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_elasticsearch_domain\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_elasticsearch_domain ListOfTables: - - aws_elasticsearch_domain + - aws_elasticsearch_domain Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
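Review bot: Collapsing the SQL into a `"..."` scalar with embedded `\n` escapes is a readability regression on the new side: a reviewer now has to mentally unescape the query, and a later edit that adds a double quote or backslash to the SQL will silently change the YAML value unless escaped by hand. Nothing in the rendered string differs from the removed block scalar, so `QueryToExecute: |` with the indented SQL is the form to keep. If the rewrite came from a YAML emitter, set it to prefer block style for multi-line strings.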
diff --git a/compliance/controls/aws/aws_mandatory_sql_eventbridge_rule_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_eventbridge_rule_mandatory.yaml index dddc0d3ec..a367d0f27 100755 --- a/compliance/controls/aws/aws_mandatory_sql_eventbridge_rule_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_eventbridge_rule_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_eventbridge_rule_mandatory Title: "EventBridge rules should have mandatory tags" Description: "Check if EventBridge rules have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_eventbridge_rule - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_eventbridge_rule\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_eventbridge_rule ListOfTables: - - aws_eventbridge_rule + - aws_eventbridge_rule Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
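Review bot: The template parameter is expanded twice inside the query (`tags ?& '{{.awsMandatoryTags}}'::text[]` and `to_jsonb('{{.awsMandatoryTags}}'::text[])`), so any escaping or validation fix has to be applied in two places and the two literals can drift apart. Binding the parameter once in a leading CTE and referencing it from `analysis` leaves a single expansion site, and lets the unused `tags` and `_ctx` columns be dropped from the CTE at the same time. The rewritten CTE is below; the outer select producing `resource`, `status` and `reason` is unchanged.
```yaml
  QueryToExecute: |
    with required as (
      select '{{.awsMandatoryTags}}'::text[] as keys
    ),
    analysis as (
      select
        og_account_id,
        og_resource_id,
        arn,
        title,
        tags ?& r.keys as has_mandatory_tags,
        to_jsonb(r.keys) - array(select jsonb_object_keys(tags)) as missing_tags,
        region,
        account_id
      from
        aws_eventbridge_rule,
        required as r
    )
    -- … unchanged: outer select producing resource/status/reason …
```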
diff --git a/compliance/controls/aws/aws_mandatory_sql_guardduty_detector_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_guardduty_detector_mandatory.yaml index 5b13742f3..b5420610a 100755 --- a/compliance/controls/aws/aws_mandatory_sql_guardduty_detector_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_guardduty_detector_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_guardduty_detector_mandatory Title: "GuardDuty detectors should have mandatory tags" Description: "Check if GuardDuty detectors have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_guardduty_detector - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_guardduty_detector\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_guardduty_detector ListOfTables: - - aws_guardduty_detector + - aws_guardduty_detector Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
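Review bot: Both `'{{.awsMandatoryTags}}'` occurrences interpolate a caller-supplied parameter directly into a quoted SQL literal with no escaping visible in the hunk, which is a query-injection path for whoever is allowed to set control parameters. I cannot see whether the engine sanitizes parameters before rendering; if it does not, `$mt${{.awsMandatoryTags}}$mt$::text[]` neutralises single quotes in the query and a character allowlist on the parameter closes the rest. Worth a `# NOTE: parameter is rendered into SQL unescaped; keep engine-side validation in place` comment next to `Parameters` so the assumption is explicit.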
diff --git a/compliance/controls/aws/aws_mandatory_sql_iam_role_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_iam_role_mandatory.yaml index 1875d28ab..f6b7a6c3b 100755 --- a/compliance/controls/aws/aws_mandatory_sql_iam_role_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_iam_role_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_iam_role_mandatory Title: "IAM roles should have mandatory tags" Description: "Check if IAM roles have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_iam_role - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_iam_role\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_iam_role ListOfTables: - - aws_iam_role + - aws_iam_role Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
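Review bot: `Tags: {}` leaves this control without the `category`/`service` tags that the non-tagging controls in this repository carry, so it cannot be grouped or filtered with the other IAM checks even though it reads `aws_iam_role`. Adding `service: [AWS/IAM]` (and a `category` such as `Compliance`) under `Tags` would make it discoverable alongside them; I am inferring the tag vocabulary from the other controls, so match whatever the framework loader expects. The query itself has the same unescaped `'{{.awsMandatoryTags}}'` expansion as the rest of the series.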
diff --git a/compliance/controls/aws/aws_mandatory_sql_iam_server_certificate_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_iam_server_certificate_mandatory.yaml index 6b146f21a..3b8d65081 100755 --- a/compliance/controls/aws/aws_mandatory_sql_iam_server_certificate_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_iam_server_certificate_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_iam_server_certificate_mandatory Title: "IAM server certificates should have mandatory tags" Description: "Check if IAM server certificates have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_iam_server_certificate - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_iam_server_certificate\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - 
aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_iam_user_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_iam_user_mandatory.yaml index 382291b1c..61234c14b 100755 --- a/compliance/controls/aws/aws_mandatory_sql_iam_user_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_iam_user_mandatory.yaml 
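Review bot: Rewriting `QueryToExecute` as one `\n`-escaped double-quoted string hides the SQL from anyone reading the file or the diff, and makes it easy to break the YAML value with an unescaped `"` or `\` on the next edit. The string content is the same as the removed block scalar, so this is purely a formatting choice; `QueryToExecute: |` with the SQL indented beneath it is the maintainable form and should be restored. The hunk for this file starts at the top of the file and ends at its last line, so nothing else is affected.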
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_iam_user_mandatory Title: "IAM users should have mandatory tags" Description: "Check if IAM users have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_iam_user - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_iam_user\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user + - aws_iam_user Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
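Review bot: `jsonb_object_keys(tags)` errors out on a jsonb scalar or array, so if `aws_iam_user.tags` can hold anything other than an object or SQL NULL the whole control fails instead of marking one user; a SQL NULL is handled, since `?&` then yields NULL, the `case` selects `'alarm'`, and the key subquery is empty. A `jsonb_typeof(tags) = 'object'` guard around the subquery, falling back to `'{}'::text[]`, would contain the failure. The column's possible shapes are not visible from this hunk, so confirm before changing it.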
diff --git a/compliance/controls/aws/aws_mandatory_sql_inspector_assessment_template_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_inspector_assessment_template_mandatory.yaml index 5ee28a393..8ed640ecb 100755 --- a/compliance/controls/aws/aws_mandatory_sql_inspector_assessment_template_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_inspector_assessment_template_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_inspector_assessment_template_mandatory Title: "Inspector assessment templates should have mandatory tags" Description: "Check if Inspector assessment templates have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_inspector_assessment_template - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_inspector_assessment_template\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_inspector_assessment_template ListOfTables: - - aws_inspector_assessment_template + - aws_inspector_assessment_template Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: 
true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory.yaml index 471bcdc8a..54241e11d 100755 --- a/compliance/controls/aws/aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory.yaml 
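Review bot: The `Description` says only "Check if Inspector assessment templates have mandatory tags" and does not tell the operator what `awsMandatoryTags` must look like, even though the query requires a Postgres array literal (it is cast with `::text[]`) and compares keys case-sensitively via `?&`. Extending it to `Check if Inspector assessment templates carry every tag key listed in awsMandatoryTags (a Postgres array literal such as {Owner,Environment}; keys are case-sensitive).` would stop mis-formatted parameters from alarming on every resource or failing the query. Documentation only; no change to the SQL.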
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory Title: "Kinesis firehose delivery streams should have mandatory tags" Description: "Check if Kinesis firehose delivery streams have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_kinesis_firehose_delivery_stream - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_kinesis_firehose_delivery_stream\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_kinesis_firehose_delivery_stream ListOfTables: - - aws_kinesis_firehose_delivery_stream + - aws_kinesis_firehose_delivery_stream Parameters: - - key: awsMandatoryTags - required: true + - key: 
awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_kms_key_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_kms_key_mandatory.yaml index bebe3ea5e..43021f80f 100755 --- a/compliance/controls/aws/aws_mandatory_sql_kms_key_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_kms_key_mandatory.yaml 
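Review bot: In the `reason` expression, `title || ' is missing tags: ' || ... || '.'` collapses to NULL if `title` is NULL, so a non-compliant delivery stream would surface with status `alarm` and no explanation. `coalesce(title, arn)` in both branches of the `case` keeps the message populated without changing the status logic. Whether `title` is nullable for `aws_kinesis_firehose_delivery_stream` is not visible here, so treat this as defensive.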
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_kms_key_mandatory Title: "KMS keys should have mandatory tags" Description: "Check if KMS keys have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_kms_key - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_kms_key\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_kms_key ListOfTables: - - aws_kms_key + - aws_kms_key Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
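Review bot: The re-serialised query on the `+ QueryToExecute:` line is now a single double-quoted scalar with embedded `\n`, which is a readability regression for a 30-line SQL statement and will make future edits to the query show up as one giant diff line; the removed `QueryToExecute: |` block form should be restored. While the query is being touched, `title || ' is missing tags: ' || …` yields a NULL reason whenever `title` is NULL, which would leave an alarmed row with no explanation; if `title` can be NULL for a KMS key (not visible here), `coalesce(title, arn) || ' is missing tags: ' …` is the safer form. The CTE also selects `tags` and `_ctx` that the outer query never reads.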
diff --git a/compliance/controls/aws/aws_mandatory_sql_lambda_function_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_lambda_function_mandatory.yaml index 9fd7d6969..9241c9d4d 100755 --- a/compliance/controls/aws/aws_mandatory_sql_lambda_function_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_lambda_function_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_lambda_function_mandatory Title: "Lambda functions should have mandatory tags" Description: "Check if Lambda functions have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_lambda_function - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_lambda_function\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_lambda_function ListOfTables: - - aws_lambda_function + - aws_lambda_function Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
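Review bot: `'{{.awsMandatoryTags}}'::text[]` on the new QueryToExecute line interpolates the parameter into SQL source text at template-render time, so the parameter is trusted as SQL syntax, not as data; the `Parameters` stanza only says `required: true` and carries no format constraint. If control parameters can be set by anyone other than the control author, this should be validated against the expected `{key1,key2}` array-literal shape before rendering, and in any case the expectation belongs in the file: `# awsMandatoryTags is a PostgreSQL text[] literal, e.g. {Environment,Owner}; it is substituted into the SQL verbatim`. Also prefer the original `|` block scalar over the new `"…\n…"` string for the SQL body.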
diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_mandatory.yaml index a4d2df5e9..61e537107 100755 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_rds_db_cluster_mandatory Title: "RDS DB clusters should have mandatory tags" Description: "Check if RDS DB clusters have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_rds_db_cluster - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_rds_db_cluster\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
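Review bot: The new QueryToExecute contains a whitespace-only line inside the string (`end as reason\n \n , region, account_id`), which in the old block scalar was a blank line with a trailing space and is now frozen into the query text; trim it and put `region, account_id` on the same line as `reason,`. More importantly, converting the SQL from a `|` block scalar to an escaped double-quoted string hides the query structure and makes review of later changes much harder; keep the block form. The `'{{.awsMandatoryTags}}'::text[]` template substitution is unchanged but still un-validated here, so a parameter containing `'` would break or alter the statement.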
diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory.yaml index ebb784d7e..d82d5e74b 100755 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory Title: "RDS DB cluster parameter groups should have mandatory tags" Description: "Check if RDS DB cluster parameter groups have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_rds_db_cluster_parameter_group - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_rds_db_cluster_parameter_group\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_rds_db_cluster_parameter_group ListOfTables: - - aws_rds_db_cluster_parameter_group + - aws_rds_db_cluster_parameter_group Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + 
required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_snapshot_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_snapshot_mandatory.yaml index 20dd81c47..ef15db7e2 100755 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_snapshot_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_cluster_snapshot_mandatory.yaml 
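Review bot: The `Parameters` entry for `awsMandatoryTags` is now `required: true` only, while the query on the `+ QueryToExecute:` line pastes that value unquoted into a SQL literal (`'{{.awsMandatoryTags}}'::text[]`); the file gives no hint of the expected format, so a caller supplying `Environment,Owner` instead of `{Environment,Owner}` gets a cast error, and a value with a quote breaks out of the literal. Add `# PostgreSQL text[] literal, e.g. {Environment,Owner}; substituted into the SQL verbatim, so it must not contain quotes` next to the parameter, and validate the shape wherever parameters are ingested. The query body should also stay as the original `|` block scalar rather than the new single-line `"…\n…"` string.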
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_rds_db_cluster_snapshot_mandatory Title: "RDS DB cluster snapshots should have mandatory tags" Description: "Check if RDS DB cluster snapshots have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_rds_db_cluster_snapshot - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_rds_db_cluster_snapshot\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_rds_db_cluster_snapshot ListOfTables: - - aws_rds_db_cluster_snapshot + - aws_rds_db_cluster_snapshot Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} 
+IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_instance_mandatory.yaml index a6874848c..11cece641 100755 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_instance_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_instance_mandatory.yaml 
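Review bot: Re-encoding QueryToExecute as a double-quoted scalar with `\n` escapes (the long `+ QueryToExecute: "with analysis as (\n …"` line) trades a readable, line-diffable SQL block for one opaque string; the removed `QueryToExecute: |` form is the idiomatic way to hold multi-line SQL in YAML and should be kept. Within the query, `title || ' is missing tags: ' || …` collapses to NULL if `title` is NULL, so an alarmed snapshot could come back with no reason text; `coalesce(title, arn)` guards that if the column is nullable (not visible from this hunk). The CTE's `tags` and `_ctx` columns are unused by the outer select and can be dropped.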
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_rds_db_instance_mandatory Title: "RDS DB instances should have mandatory tags" Description: "Check if RDS DB instances have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_rds_db_instance - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_rds_db_instance\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
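Review bot: The template expansion `'{{.awsMandatoryTags}}'::text[]` in the new QueryToExecute turns the control parameter into SQL source, and this hunk adds nothing that constrains it; a parameter value such as `{Owner}'` would terminate the literal and the remainder would be executed as SQL against the steampipe database. Unless the renderer validates parameters elsewhere, the parameter should be checked against the `{name,name,…}` array-literal shape before substitution, and the contract recorded on the `Parameters` entry: `# substituted verbatim into the SQL; must be a PostgreSQL text[] literal such as {Environment,Owner}`. Keep the SQL in the original `|` block scalar instead of the new `"…\n…"` string so that review of the query stays possible.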
diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_option_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_option_group_mandatory.yaml index 6cb0e1803..4ccae09be 100755 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_option_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_option_group_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_rds_db_option_group_mandatory Title: "RDS DB option groups should have mandatory tags" Description: "Check if RDS DB option groups have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_rds_db_option_group - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_rds_db_option_group\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_rds_db_option_group ListOfTables: - - aws_rds_db_option_group + - aws_rds_db_option_group Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
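Review bot: The new single-line `QueryToExecute: "…"` value is the same SQL as the removed block but with every newline escaped, which makes the 30-line query effectively unreviewable in YAML; the `|` block scalar that was removed should be restored. The query also carries a blank line with a trailing space (`\n \n , region, account_id`) that is now part of the string value rather than harmless block-scalar whitespace. The `'{{.awsMandatoryTags}}'::text[]` interpolation is unchanged but remains an unvalidated paste of a parameter into SQL text, so its expected `{key1,key2}` format is worth stating as a comment on the parameter.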
diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_parameter_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_parameter_group_mandatory.yaml index ddab3fba4..f0ccf2701 100755 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_parameter_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_parameter_group_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_rds_db_parameter_group_mandatory Title: "RDS DB parameter groups should have mandatory tags" Description: "Check if RDS DB parameter groups have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_rds_db_parameter_group - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_rds_db_parameter_group\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_rds_db_parameter_group ListOfTables: - - aws_rds_db_parameter_group + - aws_rds_db_parameter_group Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - 
aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_snapshot_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_snapshot_mandatory.yaml index 2e623c6f2..0250fefa8 100755 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_snapshot_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_snapshot_mandatory.yaml 
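Review bot: In the new QueryToExecute, `tags ?& '{{.awsMandatoryTags}}'::text[]` and the matching `to_jsonb('{{.awsMandatoryTags}}'::text[])` both render the parameter into SQL text, so the parameter value is trusted as part of the statement; the only declaration of it in this file is `required: true`. Document the expected form next to the parameter, `# PostgreSQL text[] literal such as {Environment,Owner}; substituted verbatim into the SQL, so no quotes`, and reject values outside that shape before rendering if that is not already done upstream. The SQL itself should remain a `|` block scalar rather than the new escaped one-line string, which hides structure and makes later diffs of the query a single changed line.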
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_rds_db_snapshot_mandatory Title: "RDS DB snapshots should have mandatory tags" Description: "Check if RDS DB snapshots have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_rds_db_snapshot - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_rds_db_snapshot\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_rds_db_snapshot ListOfTables: - - aws_rds_db_snapshot + - aws_rds_db_snapshot Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
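Review bot: `title || ' is missing tags: ' || array_to_string(…) || '.'` in the new QueryToExecute returns NULL for the whole reason when `title` is NULL, so a non-compliant snapshot would be reported with an empty explanation; if `title` is nullable for this table (this hunk does not show it), wrap it as `coalesce(title, arn) || ' is missing tags: ' …`. The serialisation change from the `|` block scalar to a `"…\n…"` double-quoted string should be reverted; it adds nothing and makes the SQL unreadable in the file. The `tags` and `_ctx` columns in the CTE are never read by the outer query.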
diff --git a/compliance/controls/aws/aws_mandatory_sql_rds_db_subnet_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_rds_db_subnet_group_mandatory.yaml index 866cf40ec..99e21a107 100755 --- a/compliance/controls/aws/aws_mandatory_sql_rds_db_subnet_group_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_rds_db_subnet_group_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_rds_db_subnet_group_mandatory Title: "RDS DB subnet groups should have mandatory tags" Description: "Check if RDS DB subnet groups have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_rds_db_subnet_group - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_rds_db_subnet_group\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_rds_db_subnet_group ListOfTables: - - aws_rds_db_subnet_group + - aws_rds_db_subnet_group Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
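Review bot: The new QueryToExecute still embeds `'{{.awsMandatoryTags}}'::text[]` as template text inside a SQL string literal, so the parameter's content becomes part of the statement and a quote character in it would break out of the literal; no validation of the parameter is visible in this file. State the contract on the `Parameters` entry, `# substituted verbatim into the SQL; must be a PostgreSQL text[] literal, e.g. {Environment,Owner}`, and validate it where parameters are accepted. Also keep the SQL as a `|` block scalar; the new escaped one-line string is a readability regression with no functional gain.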
diff --git a/compliance/controls/aws/aws_mandatory_sql_redshift_cluster_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_redshift_cluster_mandatory.yaml index f10bb0ad6..9ea64ef09 100755 --- a/compliance/controls/aws/aws_mandatory_sql_redshift_cluster_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_redshift_cluster_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_redshift_cluster_mandatory Title: "Redshift clusters should have mandatory tags" Description: "Check if Redshift clusters have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_redshift_cluster - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_redshift_cluster\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
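Review bot: The `+ QueryToExecute: "with analysis as (\n …"` line replaces a readable block scalar with one escaped string, which is the wrong YAML scalar style for multi-line SQL and will make every future query edit a one-line diff; restore the `QueryToExecute: |` form. The string also preserves a whitespace-only line (`\n \n , region, account_id`) that should be cleaned up. The unchanged `'{{.awsMandatoryTags}}'::text[]` interpolation means the parameter is spliced into SQL text unvalidated, so a comment on the parameter stating the required `{key1,key2}` array-literal shape would help both authors and whoever adds validation.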
diff --git a/compliance/controls/aws/aws_mandatory_sql_route53_domain_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_route53_domain_mandatory.yaml index 5ad357ce1..1835420ed 100755 --- a/compliance/controls/aws/aws_mandatory_sql_route53_domain_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_route53_domain_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_route53_domain_mandatory Title: "Route53 domains should have mandatory tags" Description: "Check if Route53 domains have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_route53_domain - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_route53_domain\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_route53_domain ListOfTables: - - aws_route53_domain + - aws_route53_domain Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - aws_cloud 
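Review bot: On the new QueryToExecute line the control parameter is rendered directly into SQL (`'{{.awsMandatoryTags}}'::text[]`), not bound, and the `Parameters` block declares only `required: true`; a value containing `'` or not shaped as a Postgres array literal will either fail the cast or alter the statement. Add `# PostgreSQL text[] literal such as {Environment,Owner}; substituted verbatim into the SQL, so it must not contain quotes` to the parameter and enforce that shape before rendering if the platform does not already. Keep the SQL in the original `|` block scalar rather than the new escaped double-quoted string.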
diff --git a/compliance/controls/aws/aws_mandatory_sql_route53_resolver_endpoint_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_route53_resolver_endpoint_mandatory.yaml index 86d99f12a..bbbc5890e 100755 --- a/compliance/controls/aws/aws_mandatory_sql_route53_resolver_endpoint_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_route53_resolver_endpoint_mandatory.yaml 
@@ -1,47 +1,16 @@ ID: aws_mandatory_sql_route53_resolver_endpoint_mandatory Title: "Route 53 Resolver endpoints should have mandatory tags" Description: "Check if Route 53 Resolver endpoints have mandatory tags." -Connector: -- aws Query: Engine: steampipe-v0.5 - QueryToExecute: | - with analysis as ( - select - og_account_id, - og_resource_id, - arn, - title, - tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags, - to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags, - region, - account_id, - tags, - _ctx - from - aws_route53_resolver_endpoint - ) - select - og_account_id, - og_resource_id, - arn as resource, - case - when has_mandatory_tags then 'ok' - else 'alarm' - end as status, - case - when has_mandatory_tags then title || ' has all mandatory tags.' - else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.' - end as reason - - , region, account_id - from - analysis; + QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_route53_resolver_endpoint\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n" PrimaryTable: aws_route53_resolver_endpoint ListOfTables: - - aws_route53_resolver_endpoint + - aws_route53_resolver_endpoint Parameters: - - key: awsMandatoryTags - required: true + - key: awsMandatoryTags + required: true Severity: high Tags: {} 
+IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_mandatory_sql_s3_bucket_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_s3_bucket_mandatory.yaml index edae5f68a..20a9284b2 100755 --- a/compliance/controls/aws/aws_mandatory_sql_s3_bucket_mandatory.yaml +++ b/compliance/controls/aws/aws_mandatory_sql_s3_bucket_mandatory.yaml 
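Review bot: The conversion of QueryToExecute from a `|` block scalar to a single double-quoted line with `\n` escapes is a readability and diffability regression for the SQL and should be reverted to the removed block form. Inside the query, `title || ' is missing tags: ' || …` produces a NULL reason if `title` is NULL, leaving an alarmed resolver endpoint with no explanation; `coalesce(title, arn)` is the defensive form if the column can be NULL (not shown here). The CTE's `tags` and `_ctx` columns are unused by the outer select, and the `'{{.awsMandatoryTags}}'::text[]` interpolation remains an unvalidated paste of the parameter into SQL text whose expected `{key1,key2}` shape is undocumented in the file.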
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_s3_bucket_mandatory
 Title: "S3 buckets should have mandatory tags"
 Description: "Check if S3 buckets have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_s3_bucket
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_s3_bucket\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_s3_bucket
 ListOfTables:
- - aws_s3_bucket
+ - aws_s3_bucket
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory.yaml
index e7838b1f9..11f649e45 100755
--- a/compliance/controls/aws/aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory
 Title: "SageMaker endpoint configurations should have mandatory tags"
 Description: "Check if SageMaker endpoint configurations have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_sagemaker_endpoint_configuration
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_sagemaker_endpoint_configuration\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_sagemaker_endpoint_configuration
 ListOfTables:
- - aws_sagemaker_endpoint_configuration
+ - aws_sagemaker_endpoint_configuration
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_sagemaker_model_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_sagemaker_model_mandatory.yaml
index ebccc0abe..794fb3214 100755
--- a/compliance/controls/aws/aws_mandatory_sql_sagemaker_model_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_sagemaker_model_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_sagemaker_model_mandatory
 Title: "SageMaker models should have mandatory tags"
 Description: "Check if SageMaker models have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_sagemaker_model
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_sagemaker_model\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_sagemaker_model
 ListOfTables:
- - aws_sagemaker_model
+ - aws_sagemaker_model
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_sagemaker_notebook_instance_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_sagemaker_notebook_instance_mandatory.yaml
index e7fa6890a..a5eb27bad 100755
--- a/compliance/controls/aws/aws_mandatory_sql_sagemaker_notebook_instance_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_sagemaker_notebook_instance_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_sagemaker_notebook_instance_mandatory
 Title: "SageMaker notebook instances should have mandatory tags"
 Description: "Check if SageMaker notebook instances have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_sagemaker_notebook_instance
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_sagemaker_notebook_instance\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_sagemaker_notebook_instance
 ListOfTables:
- - aws_sagemaker_notebook_instance
+ - aws_sagemaker_notebook_instance
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_sagemaker_training_job_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_sagemaker_training_job_mandatory.yaml
index fd91ac1a1..3c258e6c2 100755
--- a/compliance/controls/aws/aws_mandatory_sql_sagemaker_training_job_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_sagemaker_training_job_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_sagemaker_training_job_mandatory
 Title: "SageMaker training jobs should have mandatory tags"
 Description: "Check if SageMaker training jobs have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_sagemaker_training_job
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_sagemaker_training_job\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_sagemaker_training_job
 ListOfTables:
- - aws_sagemaker_training_job
+ - aws_sagemaker_training_job
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_secretsmanager_secret_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_secretsmanager_secret_mandatory.yaml
index 8217c282f..4332dc910 100755
--- a/compliance/controls/aws/aws_mandatory_sql_secretsmanager_secret_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_secretsmanager_secret_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_secretsmanager_secret_mandatory
 Title: "Secrets Manager secrets should have mandatory tags"
 Description: "Check if Secrets Manager secrets have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_secretsmanager_secret
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_secretsmanager_secret\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_secretsmanager_secret
 ListOfTables:
- - aws_secretsmanager_secret
+ - aws_secretsmanager_secret
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_ssm_parameter_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_ssm_parameter_mandatory.yaml
index 8d97b18a9..15445e4dc 100755
--- a/compliance/controls/aws/aws_mandatory_sql_ssm_parameter_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_ssm_parameter_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_ssm_parameter_mandatory
 Title: "SSM parameters should have mandatory tags"
 Description: "Check if SSM parameters have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_ssm_parameter
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_ssm_parameter\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_ssm_parameter
 ListOfTables:
- - aws_ssm_parameter
+ - aws_ssm_parameter
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_eip_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_eip_mandatory.yaml
index 77e6172f0..61bad675c 100755
--- a/compliance/controls/aws/aws_mandatory_sql_vpc_eip_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_vpc_eip_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_vpc_eip_mandatory
 Title: "VPC elastic IP addresses should have mandatory tags"
 Description: "Check if VPC elastic IP addresses have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_vpc_eip
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_vpc_eip\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_vpc_eip
 ListOfTables:
- - aws_vpc_eip
+ - aws_vpc_eip
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_mandatory.yaml
index cb8e278a5..dd9ba85a6 100755
--- a/compliance/controls/aws/aws_mandatory_sql_vpc_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_vpc_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_vpc_mandatory
 Title: "VPCs should have mandatory tags"
 Description: "Check if VPCs have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_vpc
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_vpc\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_vpc
 ListOfTables:
- - aws_vpc
+ - aws_vpc
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_nat_gateway_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_nat_gateway_mandatory.yaml
index a9b82d04c..b92f4ff16 100755
--- a/compliance/controls/aws/aws_mandatory_sql_vpc_nat_gateway_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_vpc_nat_gateway_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_vpc_nat_gateway_mandatory
 Title: "VPC NAT gateways should have mandatory tags"
 Description: "Check if VPC NAT gateways have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_vpc_nat_gateway
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_vpc_nat_gateway\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_vpc_nat_gateway
 ListOfTables:
- - aws_vpc_nat_gateway
+ - aws_vpc_nat_gateway
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_network_acl_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_network_acl_mandatory.yaml
index e6bb2aaaa..bf388e407 100755
--- a/compliance/controls/aws/aws_mandatory_sql_vpc_network_acl_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_vpc_network_acl_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_vpc_network_acl_mandatory
 Title: "VPC network ACLs should have mandatory tags"
 Description: "Check if VPC network ACLs have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_vpc_network_acl
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_vpc_network_acl\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_vpc_network_acl
 ListOfTables:
- - aws_vpc_network_acl
+ - aws_vpc_network_acl
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_security_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_security_group_mandatory.yaml
index 5ceb57e1c..7437aa6bd 100755
--- a/compliance/controls/aws/aws_mandatory_sql_vpc_security_group_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_vpc_security_group_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_vpc_security_group_mandatory
 Title: "VPC security groups should have mandatory tags"
 Description: "Check if VPC security groups have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_vpc_security_group
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_vpc_security_group\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_vpc_security_group
 ListOfTables:
- - aws_vpc_security_group
+ - aws_vpc_security_group
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_vpc_vpn_connection_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_vpc_vpn_connection_mandatory.yaml
index cf53405c8..baa94f831 100755
--- a/compliance/controls/aws/aws_mandatory_sql_vpc_vpn_connection_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_vpc_vpn_connection_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_vpc_vpn_connection_mandatory
 Title: "VPC VPN connections should have mandatory tags"
 Description: "Check if VPC VPN connections have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_vpc_vpn_connection
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_vpc_vpn_connection\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_vpc_vpn_connection
 ListOfTables:
- - aws_vpc_vpn_connection
+ - aws_vpc_vpn_connection
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_wafv2_ip_set_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_wafv2_ip_set_mandatory.yaml
index c4ccf134e..654cd796c 100755
--- a/compliance/controls/aws/aws_mandatory_sql_wafv2_ip_set_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_wafv2_ip_set_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_wafv2_ip_set_mandatory
 Title: "WAFV2 ip sets should have mandatory tags"
 Description: "Check if WAFV2 ip sets have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_wafv2_ip_set
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_wafv2_ip_set\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_wafv2_ip_set
 ListOfTables:
- - aws_wafv2_ip_set
+ - aws_wafv2_ip_set
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_wafv2_regex_pattern_set_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_wafv2_regex_pattern_set_mandatory.yaml
index 4465bf049..4a7475626 100755
--- a/compliance/controls/aws/aws_mandatory_sql_wafv2_regex_pattern_set_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_wafv2_regex_pattern_set_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_wafv2_regex_pattern_set_mandatory
 Title: "WAFV2 regex pattern sets should have mandatory tags"
 Description: "Check if WAFV2 regex pattern sets have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_wafv2_regex_pattern_set
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_wafv2_regex_pattern_set\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_wafv2_regex_pattern_set
 ListOfTables:
- - aws_wafv2_regex_pattern_set
+ - aws_wafv2_regex_pattern_set
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_wafv2_rule_group_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_wafv2_rule_group_mandatory.yaml
index e7b208842..21bcd674f 100755
--- a/compliance/controls/aws/aws_mandatory_sql_wafv2_rule_group_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_wafv2_rule_group_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_wafv2_rule_group_mandatory
 Title: "WAFV2 rule groups should have mandatory tags"
 Description: "Check if WAFV2 rule groups have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_wafv2_rule_group
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_wafv2_rule_group\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_wafv2_rule_group
 ListOfTables:
- - aws_wafv2_rule_group
+ - aws_wafv2_rule_group
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mandatory_sql_wafv2_web_acl_mandatory.yaml b/compliance/controls/aws/aws_mandatory_sql_wafv2_web_acl_mandatory.yaml
index 9300fffbc..f33a76ac8 100755
--- a/compliance/controls/aws/aws_mandatory_sql_wafv2_web_acl_mandatory.yaml
+++ b/compliance/controls/aws/aws_mandatory_sql_wafv2_web_acl_mandatory.yaml
@@ -1,47 +1,16 @@
 ID: aws_mandatory_sql_wafv2_web_acl_mandatory
 Title: "WAFV2 web acls should have mandatory tags"
 Description: "Check if WAFV2 web acls have mandatory tags."
-Connector:
-- aws
 Query:
 Engine: steampipe-v0.5
- QueryToExecute: |
- with analysis as (
- select
- og_account_id,
- og_resource_id,
- arn,
- title,
- tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,
- to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,
- region,
- account_id,
- tags,
- _ctx
- from
- aws_wafv2_web_acl
- )
- select
- og_account_id,
- og_resource_id,
- arn as resource,
- case
- when has_mandatory_tags then 'ok'
- else 'alarm'
- end as status,
- case
- when has_mandatory_tags then title || ' has all mandatory tags.'
- else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'
- end as reason
-
- , region, account_id
- from
- analysis;
+ QueryToExecute: "with analysis as (\n select\n og_account_id,\n og_resource_id,\n arn,\n title,\n tags ?& '{{.awsMandatoryTags}}'::text[] as has_mandatory_tags,\n to_jsonb('{{.awsMandatoryTags}}'::text[]) - array(select jsonb_object_keys(tags)) as missing_tags,\n region,\n account_id,\n tags,\n _ctx\n from\n aws_wafv2_web_acl\n)\nselect\n og_account_id,\n og_resource_id,\n arn as resource,\n case\n when has_mandatory_tags then 'ok'\n else 'alarm'\n end as status,\n case\n when has_mandatory_tags then title || ' has all mandatory tags.'\n else title || ' is missing tags: ' || array_to_string(array(select jsonb_array_elements_text(missing_tags)), ', ') || '.'\n end as reason\n \n , region, account_id\nfrom\n analysis;\n"
 PrimaryTable: aws_wafv2_web_acl
 ListOfTables:
- - aws_wafv2_web_acl
+ - aws_wafv2_web_acl
 Parameters:
- - key: awsMandatoryTags
- required: true
+ - key: awsMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_mq_broker_restrict_public_access.yaml b/compliance/controls/aws/aws_mq_broker_restrict_public_access.yaml
index 886cee88e..4a408febe 100755
--- a/compliance/controls/aws/aws_mq_broker_restrict_public_access.yaml
+++ b/compliance/controls/aws/aws_mq_broker_restrict_public_access.yaml
@@ -1,29 +1,14 @@
 ID: aws_mq_broker_restrict_public_access
 Title: "MQ brokers should restrict public access"
 Description: "Ensure whether MQ broker is not publicly accessible. The rule is compliant if the MQ broker is publicly accessible."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when publicly_accessible then 'alarm'
- else 'ok'
- end as status,
- case
- when publicly_accessible then title || ' publicly accessible.'
- else title || ' not publicly accessible.'
- end as reason
-
- from
- aws_mq_broker;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when publicly_accessible then 'alarm'\n else 'ok'\n end as status,\n case\n when publicly_accessible then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end as reason\n \nfrom\n aws_mq_broker;"
 PrimaryTable: aws_mq_broker
 ListOfTables:
- - aws_mq_broker
+ - aws_mq_broker
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_msk_cluster_encryption_in_transit_with_tls_enabled.yaml b/compliance/controls/aws/aws_msk_cluster_encryption_in_transit_with_tls_enabled.yaml
index ed6db502a..807b8bbc2 100755
--- a/compliance/controls/aws/aws_msk_cluster_encryption_in_transit_with_tls_enabled.yaml
+++ b/compliance/controls/aws/aws_msk_cluster_encryption_in_transit_with_tls_enabled.yaml
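Review bot: The Description kept on the new side of the `aws_mq_broker_restrict_public_access` hunk states the inverse of what the query does: `The rule is compliant if the MQ broker is publicly accessible.` contradicts `when publicly_accessible then 'alarm'` in the rewritten `QueryToExecute`. Since this commit already rewrites the file, it is the place to change that sentence to `The rule is non-compliant if the MQ broker is publicly accessible.` A broker reachable from the internet is a direct exposure of a message bus, so `Severity: low` also reads as low next to the other public-access controls, though that is a call for the control owners.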
@@ -1,30 +1,14 @@
 ID: aws_msk_cluster_encryption_in_transit_with_tls_enabled
 Title: "MSK clusters should be encrypted in transit among broker nodes"
 Description: "This controls checks if an Amazon MSK cluster is encrypted in transit with HTTPS (TLS) among the broker nodes of the cluster. The control fails if plain text communication is enabled for a cluster broker node connection."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' then 'ok'
- else 'alarm'
- end as status,
- case
- when provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' then title || ' encryption in transit enabled with TLS.'
- else title || ' encryption in transit enabled with plaintext.'
- end as reason
-
-
- from
- aws_msk_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' then 'ok'\n else 'alarm'\n end as status,\n case\n when provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'ClientBroker' = 'TLS' then title || ' encryption in transit enabled with TLS.'\n else title || ' encryption in transit enabled with plaintext.'\n end as reason\n \n \nfrom\n aws_msk_cluster;"
 PrimaryTable: aws_msk_cluster
 ListOfTables:
- - aws_msk_cluster
+ - aws_msk_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_audit_logging_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_audit_logging_enabled.yaml
index 09e0d755c..9bfabea03 100755
--- a/compliance/controls/aws/aws_neptune_db_cluster_audit_logging_enabled.yaml
+++ b/compliance/controls/aws/aws_neptune_db_cluster_audit_logging_enabled.yaml
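Review bot: The rewritten query tests `EncryptionInTransit ->> 'ClientBroker' = 'TLS'`, which is the client-to-broker setting, while the Title and Description promise a check of encryption among the broker nodes; in the MSK API that is the separate `EncryptionInTransit.InCluster` boolean, which this query never reads. Either the wording should be narrowed to client-broker TLS, or the condition should additionally require `(provisioned -> 'EncryptionInfo' -> 'EncryptionInTransit' ->> 'InCluster')::boolean`. Note also that a row whose `provisioned` column is null yields a null comparison and falls through to `'alarm'` with the 'plaintext' reason, which may be a false positive if the table returns non-provisioned clusters.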
@@ -1,31 +1,14 @@
 ID: aws_neptune_db_cluster_audit_logging_enabled
 Title: "Neptune DB clusters should publish audit logs to CloudWatch Logs"
 Description: "This control checks whether a Neptune DB cluster publishes audit logs to AWS CloudWatch Logs. The control fails if a Neptune DB cluster doesn't publish audit logs to CloudWatch Logs. EnableCloudWatchLogsExport should be set to Audit."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- engine,
- case
- when enabled_cloudwatch_logs_exports @> '["audit"]' then 'ok'
- else 'alarm'
- end as status,
- case
- when enabled_cloudwatch_logs_exports @> '["audit"]' then title || ' audit logging enabled.'
- else title || ' audit logging disabled.'
- end as reason
-
-
- from
- aws_neptune_db_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n engine,\n case\n when enabled_cloudwatch_logs_exports @> '[\"audit\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when enabled_cloudwatch_logs_exports @> '[\"audit\"]' then title || ' audit logging enabled.'\n else title || ' audit logging disabled.'\n end as reason\n \n \nfrom\n aws_neptune_db_cluster;"
 PrimaryTable: aws_neptune_db_cluster
 ListOfTables:
- - aws_neptune_db_cluster
+ - aws_neptune_db_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_automated_backup_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_automated_backup_enabled.yaml
index c6dec212d..bda45781d 100755
--- a/compliance/controls/aws/aws_neptune_db_cluster_automated_backup_enabled.yaml
+++ b/compliance/controls/aws/aws_neptune_db_cluster_automated_backup_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_neptune_db_cluster_automated_backup_enabled
 Title: "Neptune DB clusters should have automated backups enabled"
 Description: "This control checks whether a Neptune DB cluster has automated backups enabled, and a backup retention period greater than or equal to 7 days. The control fails if backups aren't enabled for the Neptune DB cluster, or if the retention period is less than 7 days."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_neptune_db_cluster;
 PrimaryTable: aws_neptune_db_cluster
 ListOfTables:
- - aws_neptune_db_cluster
+ - aws_neptune_db_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_copy_tags_to_snapshot_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_copy_tags_to_snapshot_enabled.yaml
index 64ace520b..d9c0de94c 100755
--- a/compliance/controls/aws/aws_neptune_db_cluster_copy_tags_to_snapshot_enabled.yaml
+++ b/compliance/controls/aws/aws_neptune_db_cluster_copy_tags_to_snapshot_enabled.yaml
@@ -1,30 +1,14 @@
 ID: aws_neptune_db_cluster_copy_tags_to_snapshot_enabled
 Title: "Neptune DB clusters should be configured to copy tags to snapshots"
 Description: "This control checks if a Neptune DB cluster is configured to copy all tags to snapshots when the snapshots are created. The control fails if a Neptune DB cluster isn't configured to copy tags to snapshots."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when copy_tags_to_snapshot then 'ok'
- else 'alarm'
- end as status,
- case
- when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.'
- else title || ' copy tags to snapshot disabled.'
- end as reason
-
-
- from
- aws_neptune_db_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when copy_tags_to_snapshot then 'ok'\n else 'alarm'\n end as status,\n case\n when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.'\n else title || ' copy tags to snapshot disabled.'\n end as reason\n \n \nfrom\n aws_neptune_db_cluster;"
 PrimaryTable: aws_neptune_db_cluster
 ListOfTables:
- - aws_neptune_db_cluster
+ - aws_neptune_db_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_deletion_protection_enabled.yaml
index 83ba871d0..128e0c493 100755
--- a/compliance/controls/aws/aws_neptune_db_cluster_deletion_protection_enabled.yaml
+++ b/compliance/controls/aws/aws_neptune_db_cluster_deletion_protection_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_neptune_db_cluster_deletion_protection_enabled
 Title: "Neptune DB clusters should have deletion protection enabled"
 Description: "This control checks if a Neptune DB cluster has deletion protection enabled. The control fails if a Neptune DB cluster doesn't have deletion protection enabled."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_neptune_db_cluster;
 PrimaryTable: aws_neptune_db_cluster
 ListOfTables:
- - aws_neptune_db_cluster
+ - aws_neptune_db_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_encryption_at_rest_enabled.yaml
index 31f594aff..200c649ce 100755
--- a/compliance/controls/aws/aws_neptune_db_cluster_encryption_at_rest_enabled.yaml
+++ b/compliance/controls/aws/aws_neptune_db_cluster_encryption_at_rest_enabled.yaml
@@ -1,29 +1,14 @@
 ID: aws_neptune_db_cluster_encryption_at_rest_enabled
 Title: "Neptune DB clusters should be encrypted at rest"
 Description: "This control checks whether a Neptune DB cluster is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when storage_encrypted then 'ok'
- else 'alarm'
- end as status,
- case
- when storage_encrypted then title || ' encrypted at rest.'
- else title || ' not encrypted at rest.'
- end as reason
-
- from
- aws_neptune_db_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \nfrom\n aws_neptune_db_cluster;"
 PrimaryTable: aws_neptune_db_cluster
 ListOfTables:
- - aws_neptune_db_cluster
+ - aws_neptune_db_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_iam_authentication_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_iam_authentication_enabled.yaml
index 1ae602813..2d99ecd01 100755
--- a/compliance/controls/aws/aws_neptune_db_cluster_iam_authentication_enabled.yaml
+++ b/compliance/controls/aws/aws_neptune_db_cluster_iam_authentication_enabled.yaml
@@ -1,30 +1,14 @@
 ID: aws_neptune_db_cluster_iam_authentication_enabled
 Title: "Neptune DB clusters should have IAM database authentication enabled"
 Description: "This control checks if a Neptune DB cluster has IAM database authentication enabled. The control fails if IAM database authentication isn't enabled for a Neptune DB cluster."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when iam_database_authentication_enabled then 'ok'
- else 'alarm'
- end as status,
- case
- when iam_database_authentication_enabled then title || ' IAM authentication enabled.'
- else title || ' IAM authentication disabled.'
- end as reason
-
-
- from
- aws_neptune_db_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when iam_database_authentication_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when iam_database_authentication_enabled then title || ' IAM authentication enabled.'\n else title || ' IAM authentication disabled.'\n end as reason\n \n \nfrom\n aws_neptune_db_cluster;"
 PrimaryTable: aws_neptune_db_cluster
 ListOfTables:
- - aws_neptune_db_cluster
+ - aws_neptune_db_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_no_public_subnet.yaml b/compliance/controls/aws/aws_neptune_db_cluster_no_public_subnet.yaml
index 70b0ea07f..863319755 100755
--- a/compliance/controls/aws/aws_neptune_db_cluster_no_public_subnet.yaml
+++ b/compliance/controls/aws/aws_neptune_db_cluster_no_public_subnet.yaml
@@ -1,8 +1,6 @@
 ID: aws_neptune_db_cluster_no_public_subnet
 Title: "Neptune DB clusters should not use public_subnet"
 Description: "This control checks if Neptune DB clusters are configured with public subnet as there is a risk of exposing sensitive data."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -85,10 +83,12 @@ Query:
 left join cluster_public_subnet as s on s.subnet_group_name = c.db_subnet_group;
 PrimaryTable: aws_neptune_db_cluster
 ListOfTables:
- - aws_vpc_route_table
- - aws_vpc_subnet
- - aws_rds_db_subnet_group
- - aws_neptune_db_cluster
+ - aws_vpc_route_table
+ - aws_vpc_subnet
+ - aws_rds_db_subnet_group
+ - aws_neptune_db_cluster
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled.yaml
index 95f542f51..46b55a6d4 100755
--- a/compliance/controls/aws/aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled.yaml
+++ b/compliance/controls/aws/aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled
 Title: "Neptune DB cluster snapshots should be encrypted at rest"
 Description: "This control checks whether a Neptune DB cluster snapshot is encrypted at rest. The control fails if a Neptune DB cluster isn't encrypted at rest."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_neptune_db_cluster_snapshot;
 PrimaryTable: aws_neptune_db_cluster_snapshot
 ListOfTables:
- - aws_neptune_db_cluster_snapshot
+ - aws_neptune_db_cluster_snapshot
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_neptune_db_cluster_snapshot_prohibit_public_access.yaml b/compliance/controls/aws/aws_neptune_db_cluster_snapshot_prohibit_public_access.yaml
index 77eb5c0fd..673ea65bb 100755
--- a/compliance/controls/aws/aws_neptune_db_cluster_snapshot_prohibit_public_access.yaml
+++ b/compliance/controls/aws/aws_neptune_db_cluster_snapshot_prohibit_public_access.yaml
@@ -1,30 +1,14 @@
 ID: aws_neptune_db_cluster_snapshot_prohibit_public_access
 Title: "Neptune DB cluster snapshots should not be public"
 Description: "This control checks whether a Neptune manual DB cluster snapshot is public. The control fails if a Neptune manual DB cluster snapshot is public."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- db_cluster_snapshot_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when cluster_snapshot -> 'AttributeValues' = '["all"]' then 'alarm'
- else 'ok'
- end status,
- case
- when cluster_snapshot -> 'AttributeValues' = '["all"]' then title || ' publicly accessible.'
- else title || ' not publicly accessible.'
- end reason
-
- from
- aws_neptune_db_cluster_snapshot,
- jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot;
+ QueryToExecute: "select\n db_cluster_snapshot_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end reason\n \nfrom\n aws_neptune_db_cluster_snapshot,\n jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot;"
 PrimaryTable: aws_neptune_db_cluster_snapshot
 ListOfTables:
- - aws_neptune_db_cluster_snapshot
+ - aws_neptune_db_cluster_snapshot
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
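Review bot: The rewritten query cross-joins `jsonb_array_elements(db_cluster_snapshot_attributes)`, so a snapshot whose attribute array is empty or null produces no row at all and is silently never evaluated, while a snapshot with several attribute entries is reported once per entry. The public test also uses jsonb equality, `cluster_snapshot -> 'AttributeValues' = '["all"]'`, which misses a value list that carries `"all"` next to specific account IDs; containment, `cluster_snapshot -> 'AttributeValues' @> '["all"]'`, is the safer form. Moving the array scan into an `exists (select 1 from jsonb_array_elements(db_cluster_snapshot_attributes) ...)` inside the case expressions would yield exactly one row per snapshot and report the empty-attribute case as 'ok'.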
diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_deletion_protection_enabled.yaml
index f999e7116..e5a9e4733 100755
--- a/compliance/controls/aws/aws_networkfirewall_firewall_deletion_protection_enabled.yaml
+++ b/compliance/controls/aws/aws_networkfirewall_firewall_deletion_protection_enabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_networkfirewall_firewall_deletion_protection_enabled
 Title: "Network Firewall firewalls should have deletion protection enabled"
 Description: "This control checks whether an AWS Network Firewall firewall has deletion protection enabled. The control fails if deletion protection isn't enabled for a firewall."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -22,7 +20,9 @@ Query:
 aws_networkfirewall_firewall;
 PrimaryTable: aws_networkfirewall_firewall
 ListOfTables:
- - aws_networkfirewall_firewall
+ - aws_networkfirewall_firewall
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_in_vpc.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_in_vpc.yaml
index 2663982ac..0562db81d 100755
--- a/compliance/controls/aws/aws_networkfirewall_firewall_in_vpc.yaml
+++ b/compliance/controls/aws/aws_networkfirewall_firewall_in_vpc.yaml
@@ -1,30 +1,14 @@
 ID: aws_networkfirewall_firewall_in_vpc
 Title: "Networkfirewall firewall should be in a VPC"
 Description: "Deploy AWS Networkfirewall firewall within an AWS Virtual Private Cloud (AWS VPC) for a secure communication between a function and other services within the AWS VPC."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when vpc_id is null or vpc_id = '' then 'alarm'
- else 'ok'
- end status,
- case
- when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'
- else title || ' is in VPC ' || vpc_id || '.'
- end reason
-
-
- from
- aws_networkfirewall_firewall;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_id is null or vpc_id = '' then 'alarm'\n else 'ok'\n end status,\n case\n when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'\n else title || ' is in VPC ' || vpc_id || '.'\n end reason\n \n \nfrom\n aws_networkfirewall_firewall;"
 PrimaryTable: aws_networkfirewall_firewall
 ListOfTables:
- - aws_networkfirewall_firewall
+ - aws_networkfirewall_firewall
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_logging_enabled.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_logging_enabled.yaml
index 17f64e336..a00bd4eb3 100755
--- a/compliance/controls/aws/aws_networkfirewall_firewall_logging_enabled.yaml
+++ b/compliance/controls/aws/aws_networkfirewall_firewall_logging_enabled.yaml
@@ -1,30 +1,14 @@
 ID: aws_networkfirewall_firewall_logging_enabled
 Title: "Network Firewall logging should be enabled"
 Description: "This control checks whether logging is enabled for an AWS Network Firewall firewall. The control fails if logging isn't enabled for at least one log type or if the logging destination doesn't exist."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when jsonb_array_length(logging_configuration) > 0 then 'ok'
- else 'alarm'
- end status,
- case
- when jsonb_array_length(logging_configuration) > 0 then title || ' logging enabled.'
- else title || ' logging disabled.'
- end reason
-
-
- from
- aws_networkfirewall_firewall;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(logging_configuration) > 0 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(logging_configuration) > 0 then title || ' logging enabled.'\n else title || ' logging disabled.'\n end reason\n \n \nfrom\n aws_networkfirewall_firewall;"
 PrimaryTable: aws_networkfirewall_firewall
 ListOfTables:
- - aws_networkfirewall_firewall
+ - aws_networkfirewall_firewall
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.yaml
index 751363798..dbc83db7d 100755
--- a/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.yaml
+++ b/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.yaml
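Review bot: The rewritten query passes a firewall as soon as `jsonb_array_length(logging_configuration) > 0`, but the Description kept on the new side promises a failure when `the logging destination doesn't exist`, and nothing in the query inspects the destination entries. Either the Description should be narrowed to "at least one log destination is configured", or the query should examine the entries of `logging_configuration` rather than only its length. A null `logging_configuration` makes the comparison null and the row falls to `'alarm'`, so that path behaves as intended; if the column can ever be a JSON object instead of an array, `jsonb_array_length` would raise instead, which is worth confirming against the table schema.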
@@ -1,44 +1,26 @@ ID: aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets Title: "The default stateless action for Network Firewall policies should be drop or forward for fragmented packets" Description: "This control checks whether the default stateless action for fragmented packets for a Network Firewall policy is drop or forward. The control passes if Drop or Forward is selected, and fails if Pass is selected." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when (not (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop' - and not (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') then 'alarm' - else 'ok' - end as status, - case - when (not (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop' - and not (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') then title || ' stateless action is neither drop nor forward for fragmented packets.' - else title || ' stateless action is either drop or forward for fragmented packets.' - end as reason - - , region, account_id - from - aws_networkfirewall_firewall_policy; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when (not (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop'\n and not (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:forward_to_sfe') then 'alarm'\n else 'ok'\n end as status,\n case\n when (not (firewall_policy -> 'StatelessFragmentDefaultActions') ? 'aws:drop'\n and not (firewall_policy -> 'StatelessFragmentDefaultActions') ? 
'aws:forward_to_sfe') then title || ' stateless action is neither drop nor forward for fragmented packets.'\n else title || ' stateless action is either drop or forward for fragmented packets.'\n end as reason\n \n , region, account_id\nfrom\n aws_networkfirewall_firewall_policy;\n" PrimaryTable: aws_networkfirewall_firewall_policy ListOfTables: - - aws_networkfirewall_firewall_policy + - aws_networkfirewall_firewall_policy Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - networkfirewall_5 + - networkfirewall_5 plugin: - - aws + - aws service: - - AWS/NetworkFirewall + - AWS/NetworkFirewall +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets.yaml index ff687d43b..e24f3d854 100755 --- a/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets.yaml +++ b/compliance/controls/aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets.yaml 
@@ -1,44 +1,26 @@ ID: aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets Title: "The default stateless action for Network Firewall policies should be drop or forward for full packets" Description: "A firewall policy defines how your firewall monitors and handles traffic in AWS VPC. You configure stateless and stateful rule groups to filter packets and traffic flows. Defaulting to Pass can allow unintended traffic." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when (not (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' - and not (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') then 'alarm' - else 'ok' - end as status, - case - when (not (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop' - and not (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') then title || ' stateless action is neither drop nor forward for full packets.' - else title || ' stateless action is either drop or forward for full packets.' - end as reason - - , region, account_id - from - aws_networkfirewall_firewall_policy; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when (not (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop'\n and not (firewall_policy -> 'StatelessDefaultActions') ? 'aws:forward_to_sfe') then 'alarm'\n else 'ok'\n end as status,\n case\n when (not (firewall_policy -> 'StatelessDefaultActions') ? 'aws:drop'\n and not (firewall_policy -> 'StatelessDefaultActions') ? 
'aws:forward_to_sfe') then title || ' stateless action is neither drop nor forward for full packets.'\n else title || ' stateless action is either drop or forward for full packets.'\n end as reason\n \n , region, account_id\nfrom\n aws_networkfirewall_firewall_policy;\n" PrimaryTable: aws_networkfirewall_firewall_policy ListOfTables: - - aws_networkfirewall_firewall_policy + - aws_networkfirewall_firewall_policy Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - networkfirewall_4 + - networkfirewall_4 plugin: - - aws + - aws service: - - AWS/NetworkFirewall + - AWS/NetworkFirewall +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_networkfirewall_firewall_policy_rule_group_not_empty.yaml b/compliance/controls/aws/aws_networkfirewall_firewall_policy_rule_group_not_empty.yaml index 9d9eed2f1..27c79f89d 100755 --- a/compliance/controls/aws/aws_networkfirewall_firewall_policy_rule_group_not_empty.yaml +++ b/compliance/controls/aws/aws_networkfirewall_firewall_policy_rule_group_not_empty.yaml 
@@ -1,44 +1,26 @@ ID: aws_networkfirewall_firewall_policy_rule_group_not_empty Title: "Network Firewall policies should have at least one rule group associated" Description: "This control checks whether a Network Firewall policy has any stateful or stateless rule groups associated. The control fails if stateless or stateful rule groups are not assigned." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when (firewall_policy ->> 'StatefulRuleGroupReferences' is null or jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) - and (firewall_policy ->> 'StatelessRuleGroupReferences' is null or jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) then 'alarm' - else 'ok' - end as status, - case - when (firewall_policy ->> 'StatefulRuleGroupReferences' is null or jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0) - and (firewall_policy ->> 'StatelessRuleGroupReferences' is null or jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) then title || ' has no associated rule groups.' - else title || ' has associated rule groups.' 
- end as reason - - , region, account_id - from - aws_networkfirewall_firewall_policy; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when (firewall_policy ->> 'StatefulRuleGroupReferences' is null or jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0)\n and (firewall_policy ->> 'StatelessRuleGroupReferences' is null or jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) then 'alarm'\n else 'ok'\n end as status,\n case\n when (firewall_policy ->> 'StatefulRuleGroupReferences' is null or jsonb_array_length(firewall_policy -> 'StatefulRuleGroupReferences') = 0)\n and (firewall_policy ->> 'StatelessRuleGroupReferences' is null or jsonb_array_length(firewall_policy -> 'StatelessRuleGroupReferences') = 0) then title || ' has no associated rule groups.'\n else title || ' has associated rule groups.'\n end as reason\n \n , region, account_id\nfrom\n aws_networkfirewall_firewall_policy;\n" PrimaryTable: aws_networkfirewall_firewall_policy ListOfTables: - - aws_networkfirewall_firewall_policy + - aws_networkfirewall_firewall_policy Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - networkfirewall_3 + - networkfirewall_3 plugin: - - aws + - aws service: - - AWS/NetworkFirewall + - AWS/NetworkFirewall +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_networkfirewall_stateless_rule_group_not_empty.yaml b/compliance/controls/aws/aws_networkfirewall_stateless_rule_group_not_empty.yaml index 22c7ad9d7..c3bdcd423 100755 --- a/compliance/controls/aws/aws_networkfirewall_stateless_rule_group_not_empty.yaml +++ b/compliance/controls/aws/aws_networkfirewall_stateless_rule_group_not_empty.yaml 
@@ -1,43 +1,26 @@ ID: aws_networkfirewall_stateless_rule_group_not_empty Title: "Stateless network firewall rule group should not be empty" Description: "A rule group contains rules that define how your firewall processes traffic in your VPC. An empty stateless rule group when present in a firewall policy might give the impression that the rule group will process traffic. However, when the stateless rule group is empty, it does not process traffic." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when type = 'STATEFUL' then 'skip' - when jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') > 0 then 'ok' - else 'alarm' - end as status, - case - when type = 'STATEFUL' then title || ' is a stateful rule group.' - else title || ' has ' || jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') || ' rule(s).' 
- end as reason - - , region, account_id - from - aws_networkfirewall_rule_group; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when type = 'STATEFUL' then 'skip'\n when jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when type = 'STATEFUL' then title || ' is a stateful rule group.'\n else title || ' has ' || jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules') || ' rule(s).'\n end as reason\n \n , region, account_id\nfrom\n aws_networkfirewall_rule_group;\n" PrimaryTable: aws_networkfirewall_rule_group ListOfTables: - - aws_networkfirewall_rule_group + - aws_networkfirewall_rule_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - networkfirewall_1 + - networkfirewall_1 plugin: - - aws + - aws service: - - AWS/NetworkFirewall + - AWS/NetworkFirewall +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_audit_logging_enabled.yaml b/compliance/controls/aws/aws_opensearch_domain_audit_logging_enabled.yaml index 430ba389d..d0e837d6f 100755 --- a/compliance/controls/aws/aws_opensearch_domain_audit_logging_enabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_audit_logging_enabled.yaml 
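Review bot: In the reason expression on the new `QueryToExecute` line, `jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules')` is null when the `StatelessRules` key is absent, and concatenating null with `||` makes the entire reason null for exactly the rule groups that alarm. Wrapping the count as `coalesce(jsonb_array_length(rules_source -> 'StatelessRulesAndCustomActions' -> 'StatelessRules'), 0)` in both the status and reason expressions makes a missing or empty array report as '0 rule(s)' instead of an empty finding.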
@@ -1,42 +1,26 @@ ID: aws_opensearch_domain_audit_logging_enabled Title: "OpenSearch domains should have audit logging enabled." Description: "This control checks whether OpenSearch service domains have audit logging enabled. The rule is non-compliant if an OpenSearch service domain does not have audit logging enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' then 'ok' - else 'ok' - end as status, - case - when log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' then title || ' audit logging enabled.' - else title || ' audit logging disabled.' - end as reason - - , region, account_id - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' then 'ok'\n else 'ok'\n end as status,\n case\n when log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' then title || ' audit logging enabled.'\n else title || ' audit logging disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_opensearch_domain;\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - logging + - logging foundational_security_item_id: - - opensearch_5 + - opensearch_5 plugin: - - aws + - aws service: - - AWS/OpenSearch + - AWS/OpenSearch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_cognito_authentication_enabled_for_kibana.yaml b/compliance/controls/aws/aws_opensearch_domain_cognito_authentication_enabled_for_kibana.yaml index dfc0154a0..63bd7ee48 100755 
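Review bot: The status expression on the new `QueryToExecute` line returns `'ok'` on both branches (`then 'ok' else 'ok'`), so this control can never report a domain with audit logging disabled even though the reason text for that branch reads 'audit logging disabled.'. The else branch should be `'alarm'`: `when log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled' = 'true' then 'ok' else 'alarm'`. Because this is a foundational-security logging control (opensearch_5), the defect silently masks every non-compliant domain.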
--- a/compliance/controls/aws/aws_opensearch_domain_cognito_authentication_enabled_for_kibana.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_cognito_authentication_enabled_for_kibana.yaml @@ -1,30 +1,14 @@ ID: aws_opensearch_domain_cognito_authentication_enabled_for_kibana Title: "OpenSearch domains cognito authentication should be enabled for kibana" Description: "This control checks whether AWS OpenSearch domain has AWS Cognito authentication for Kibana enabled. AWS Cognito lets you easily add user sign-up and authentication to your mobile and web apps." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when cognito_options ->> 'Enabled' = 'true' then 'ok' - else 'alarm' - end status, - case - when cognito_options ->> 'Enabled' = 'true' then title || ' cognito authentication enabled for kibana.' - else title || ' cognito authentication disabled for kibana.' - end reason - - - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when cognito_options ->> 'Enabled' = 'true' then 'ok'\n else 'alarm'\n end status,\n case\n when cognito_options ->> 'Enabled' = 'true' then title || ' cognito authentication enabled for kibana.'\n else title || ' cognito authentication disabled for kibana.'\n end reason\n \n \nfrom\n aws_opensearch_domain;" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_data_node_fault_tolerance.yaml b/compliance/controls/aws/aws_opensearch_domain_data_node_fault_tolerance.yaml index c5bbedad2..fcbef1635 100755 --- a/compliance/controls/aws/aws_opensearch_domain_data_node_fault_tolerance.yaml 
+++ b/compliance/controls/aws/aws_opensearch_domain_data_node_fault_tolerance.yaml 
@@ -1,43 +1,26 @@ ID: aws_opensearch_domain_data_node_fault_tolerance Title: "OpenSearch domains should have at least three data nodes" Description: "This control checks whether OpenSearch domains are configured with at least three data nodes and zoneAwarenessEnabled is true. This control fails for an OpenSearch domain if instanceCount is less than 3 or zoneAwarenessEnabled is false." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then 'ok' - else 'alarm' - end as status, - case - when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then title || ' zone awareness is ' - || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.' - else title || ' zone awareness is ' || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.' 
- end as reason - - , region, account_id - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then 'ok'\n else 'alarm'\n end as status,\n case\n when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' and cluster_config ->> 'InstanceCount' > '2' then title || ' zone awareness is '\n || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.'\n else title || ' zone awareness is ' || case when cluster_config ->> 'ZoneAwarenessEnabled' = 'true' then 'enabled' else 'disabled' end || ' with ' || (cluster_config ->> 'InstanceCount') || ' data node(s) configued.'\n end as reason\n \n , region, account_id\nfrom\n aws_opensearch_domain;\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - high_availability + - high_availability foundational_security_item_id: - - opensearch_6 + - opensearch_6 plugin: - - aws + - aws service: - - AWS/OpenSearch + - AWS/OpenSearch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_opensearch_domain_encryption_at_rest_enabled.yaml index bacdf5a25..14c4ec12e 100755 --- a/compliance/controls/aws/aws_opensearch_domain_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_encryption_at_rest_enabled.yaml 
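Review bot: `cluster_config ->> 'InstanceCount' > '2'` compares two text values, so the comparison is lexicographic: a ten-node domain evaluates `'10' > '2'` as false and is reported as 'alarm', while `'3'` passes. Cast before comparing, `(cluster_config ->> 'InstanceCount')::int > 2`, in both the status and the reason expressions. The reason text also misspells 'configured' as 'configued' in both branches.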
@@ -1,42 +1,26 @@ ID: aws_opensearch_domain_encryption_at_rest_enabled Title: "OpenSearch domains should have encryption at rest enabled" Description: "This control checks whether AWS OpenSearch domains have encryption-at-rest configuration enabled. The check fails if encryption at rest is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encryption_at_rest_options ->> 'Enabled' = 'false' then 'alarm' - else 'ok' - end status, - case - when encryption_at_rest_options ->> 'Enabled' = 'false' then title || ' encryption at rest disabled.' - else title || ' encryption at rest enabled.' - end reason - - , region, account_id - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encryption_at_rest_options ->> 'Enabled' = 'false' then 'alarm'\n else 'ok'\n end status,\n case\n when encryption_at_rest_options ->> 'Enabled' = 'false' then title || ' encryption at rest disabled.'\n else title || ' encryption at rest enabled.'\n end reason\n \n , region, account_id\nfrom\n aws_opensearch_domain;\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_at_rest + - encryption_of_data_at_rest foundational_security_item_id: - - opensearch_1 + - opensearch_1 plugin: - - aws + - aws service: - - AWS/OpenSearch + - AWS/OpenSearch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_fine_grained_access_enabled.yaml b/compliance/controls/aws/aws_opensearch_domain_fine_grained_access_enabled.yaml index ea4143d8a..11d245096 100755 
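Review bot: The status check only alarms when `encryption_at_rest_options ->> 'Enabled' = 'false'`; a domain whose `encryption_at_rest_options` is null or has no `Enabled` key falls to `else 'ok'` and is reported as encrypted. For an encryption-at-rest control the fail-closed form inverts the test, `when encryption_at_rest_options ->> 'Enabled' = 'true' then 'ok' else 'alarm'`, with the reason expression mirrored. Whether the collector can emit a null options map for this table is not visible in the hunk, so confirm against the `aws_opensearch_domain` schema before relying on the current behaviour.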
--- a/compliance/controls/aws/aws_opensearch_domain_fine_grained_access_enabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_fine_grained_access_enabled.yaml 
@@ -1,42 +1,26 @@ ID: aws_opensearch_domain_fine_grained_access_enabled Title: "OpenSearch domains should have fine-grained access control enabled" Description: "This control checks whether OpenSearch domains have fine-grained access control enabled. The control fails if the fine-grained access control is not enabled. Fine-grained access control requires advanced-security-optionsin the OpenSearch parameter update-domain-config to be enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when advanced_security_options is null or not (advanced_security_options -> 'Enabled')::boolean then 'alarm' - else 'ok' - end as status, - case - when advanced_security_options is null or not (advanced_security_options -> 'Enabled')::boolean then title || ' has fine-grained access control disabled.' - else title || ' has fine-grained access control enabled.' - end as reason - - , region, account_id - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when advanced_security_options is null or not (advanced_security_options -> 'Enabled')::boolean then 'alarm'\n else 'ok'\n end as status,\n case\n when advanced_security_options is null or not (advanced_security_options -> 'Enabled')::boolean then title || ' has fine-grained access control disabled.'\n else title || ' has fine-grained access control enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_opensearch_domain;\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_access_management + - secure_access_management foundational_security_item_id: - - opensearch_7 + - 
opensearch_7 plugin: - - aws + - aws service: - - AWS/OpenSearch + - AWS/OpenSearch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_https_required.yaml b/compliance/controls/aws/aws_opensearch_domain_https_required.yaml index 6d996bfd7..0da72568c 100755 --- a/compliance/controls/aws/aws_opensearch_domain_https_required.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_https_required.yaml 
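Review bot: `not (advanced_security_options -> 'Enabled')::boolean` is null when the `Enabled` key is absent, and `false or null` is null, so the case falls through to `'ok'` for a domain with a non-null options map that lacks that key. Writing the test as `when (advanced_security_options -> 'Enabled')::boolean is not true then 'alarm'` covers the null map, the missing key and an explicit false in one clause, and the same form should be used in the reason expression so the two stay in step.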
@@ -1,42 +1,26 @@ ID: aws_opensearch_domain_https_required Title: "OpenSearch domains should use HTTPS" Description: "This control checks whether connections to OpenSearch domains are using HTTPS. The rule is non-compliant if the OpenSearch domain 'EnforceHTTPS' is not 'true' or is 'true' and 'TLSSecurityPolicy' is not in 'tlsPolicies'." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') or (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' and domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')) then 'alarm' - else 'ok' - end status, - case - when (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') or (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' and domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')) then title || ' does not use HTTPS.' - else title || ' uses HTTPS.' 
- end as reason - - , region, account_id - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') or (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' and domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')) then 'alarm'\n else 'ok'\n end status,\n case\n when (domain_endpoint_options ->> 'EnforceHTTPS' = 'false') or (domain_endpoint_options ->> 'EnforceHTTPS' = 'true' and domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')) then title || ' does not use HTTPS.'\n else title || ' uses HTTPS.'\n end as reason\n \n , region, account_id\nfrom\n aws_opensearch_domain;\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_in_transit + - encryption_of_data_in_transit foundational_security_item_id: - - opensearch_8 + - opensearch_8 plugin: - - aws + - aws service: - - AWS/OpenSearch + - AWS/OpenSearch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_in_vpc.yaml b/compliance/controls/aws/aws_opensearch_domain_in_vpc.yaml index 168d3731f..03e9f3c4a 100755 --- a/compliance/controls/aws/aws_opensearch_domain_in_vpc.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_in_vpc.yaml @@ -1,8 +1,6 @@ ID: aws_opensearch_domain_in_vpc Title: "OpenSearch domains should be in a VPC" Description: "This control checks whether AWS OpenSearch domains are in a VPC. It does not evaluate the VPC subnet routing configuration to determine public access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
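Review bot: `domain_endpoint_options ->> 'TLSSecurityPolicy' not in ('tlsPolicies')` compares the policy name against the literal string 'tlsPolicies', which reads like the name of the rule parameter mentioned in the Description copied verbatim rather than an actual list of accepted policies; since no domain policy is named that, every domain with `EnforceHTTPS = 'true'` is reported as 'alarm' and the control can never pass. Either list the accepted policy identifiers explicitly in the `in (...)` clause or drop the `TLSSecurityPolicy` condition so the control only enforces HTTPS, as its Title states. Separately, a domain whose `EnforceHTTPS` is null matches neither condition and falls to `else 'ok'`, which is the opposite of a fail-closed default for a transit-encryption control.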
@@ -44,22 +42,24 @@ Query: left join opensearch_domain_with_public_subnet as p on d.arn = p.arn; PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain - - aws_vpc_route_table + - aws_opensearch_domain + - aws_vpc_route_table Parameters: [] Severity: critical Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resources_within_vpc + - resources_within_vpc foundational_security_item_id: - - opensearch_2 + - opensearch_2 plugin: - - aws + - aws score_tags: - - Exposed Endpoints + - Exposed Endpoints service: - - AWS/OpenSearch + - AWS/OpenSearch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_internal_user_database_disabled.yaml b/compliance/controls/aws/aws_opensearch_domain_internal_user_database_disabled.yaml index 5aa7f44a3..4884161d5 100755 --- a/compliance/controls/aws/aws_opensearch_domain_internal_user_database_disabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_internal_user_database_disabled.yaml 
@@ -1,30 +1,14 @@ ID: aws_opensearch_domain_internal_user_database_disabled Title: "OpenSearch domains internal user database should be disabled" Description: "Ensure that AWS OpenSearch domain has internal user database disabled. This control is non-compliant if the OpenSearch domain internal user database is enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' then 'alarm' - else 'ok' - end status, - case - when advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' then title || ' internal user database enabled.' - else title || ' internal user database disabled.' - end reason - - - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' then 'alarm'\n else 'ok'\n end status,\n case\n when advanced_security_options ->> 'InternalUserDatabaseEnabled' = 'true' then title || ' internal user database enabled.'\n else title || ' internal user database disabled.'\n end reason\n \n \nfrom\n aws_opensearch_domain;" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_logs_to_cloudwatch.yaml b/compliance/controls/aws/aws_opensearch_domain_logs_to_cloudwatch.yaml index ca451f041..436b20eaf 100755 --- a/compliance/controls/aws/aws_opensearch_domain_logs_to_cloudwatch.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_logs_to_cloudwatch.yaml 
@@ -1,83 +1,26 @@ ID: aws_opensearch_domain_logs_to_cloudwatch Title: "OpenSearch domains logs to AWS CloudWatch Logs" Description: "This control checks whether AWS OpenSearch Service domains are configured to send logs to CloudWatch logs. The rule is non-compliant if logging is not configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when log_publishing_options is null then 'alarm' - when - ( log_publishing_options -> 'AUDIT_LOGS' is null - or log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'INDEX_SLOW_LOGS' is null - or log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'SEARCH_SLOW_LOGS' is null - or log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'ES_APPLICATION_LOGS' is null - or log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - then 'ok' - else 'alarm' - end as status, - case - when log_publishing_options is null then title || ' logging not enabled.' 
- when - ( log_publishing_options -> 'AUDIT_LOGS' is null - or log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'INDEX_SLOW_LOGS' is null - or log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'SEARCH_SLOW_LOGS' is null - or log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) - and - ( log_publishing_options -> 'ES_APPLICATION_LOGS' is null - or log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false' - or (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null) - ) then title || ' send logs to Amazon CloudWatch.' - else title || ' does not send logs to Amazon CloudWatch.' 
- end as reason - - , region, account_id - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when log_publishing_options is null then 'alarm'\n when\n ( log_publishing_options -> 'AUDIT_LOGS' is null\n or log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'INDEX_SLOW_LOGS' is null\n or log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'SEARCH_SLOW_LOGS' is null\n or log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'ES_APPLICATION_LOGS' is null\n or log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n then 'ok'\n else 'alarm'\n end as status,\n case\n when log_publishing_options is null then title || ' logging not enabled.'\n when\n ( log_publishing_options -> 'AUDIT_LOGS' is null\n or log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'AUDIT_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'INDEX_SLOW_LOGS' is null\n or log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 
'false'\n or (log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'SEARCH_SLOW_LOGS' is null\n or log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'SEARCH_SLOW_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n )\n and\n ( log_publishing_options -> 'ES_APPLICATION_LOGS' is null\n or log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'false'\n or (log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'Enabled' = 'true' and log_publishing_options -> 'ES_APPLICATION_LOGS' -> 'CloudWatchLogsLogGroupArn' is not null)\n ) then title || ' send logs to Amazon CloudWatch.'\n else title || ' does not send logs to Amazon CloudWatch.'\n end as reason\n \n , region, account_id\nfrom\n aws_opensearch_domain;\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - logging + - logging foundational_security_item_id: - - opensearch_4 + - opensearch_4 plugin: - - aws + - aws service: - - AWS/OpenSearch + - AWS/OpenSearch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_node_to_node_encryption_enabled.yaml b/compliance/controls/aws/aws_opensearch_domain_node_to_node_encryption_enabled.yaml index ef8b73638..fe7b08c70 100755 --- a/compliance/controls/aws/aws_opensearch_domain_node_to_node_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_node_to_node_encryption_enabled.yaml 
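Review bot: The status `case` in the new `QueryToExecute` string yields 'ok' whenever each log type is either absent or has `Enabled` = 'false', so a domain whose `log_publishing_options` is a non-null object with no log type configured is reported compliant even though the Description says the control is non-compliant when logging is not configured; only a literal null reaches the 'alarm' arm. Whether the collector stores an empty object or null for an unconfigured domain is not visible here, so this may or may not produce false negatives in practice. If it can, the 'ok' arm should additionally require at least one log type that is enabled with a log group, e.g. an extra conjunct `and (log_publishing_options -> 'AUDIT_LOGS' -> 'Enabled' = 'true' or log_publishing_options -> 'INDEX_SLOW_LOGS' -> 'Enabled' = 'true' or ...)` mirrored in the reason expression.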
@@ -1,44 +1,26 @@ ID: aws_opensearch_domain_node_to_node_encryption_enabled Title: "OpenSearch domains node-to-node encryption should be enabled" Description: "This control checks if AWS OpenSearch Service nodes are encrypted end to end. The rule is non-compliant if the node-to-node encryption is not enabled on the domain." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then 'skip' - when node_to_node_encryption_options_enabled then 'ok' - else 'alarm' - end as status, - case - when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then title || ' node-to-node encryption not supported in ' || region || '.' - when node_to_node_encryption_options_enabled then title || ' node-to-node encryption enabled.' - else title || ' node-to-node encryption disabled.' 
- end as reason - - , region, account_id - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then 'skip'\n when node_to_node_encryption_options_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1']) then title || ' node-to-node encryption not supported in ' || region || '.'\n when node_to_node_encryption_options_enabled then title || ' node-to-node encryption enabled.'\n else title || ' node-to-node encryption disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_opensearch_domain;\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_in_transit + - encryption_of_data_in_transit foundational_security_item_id: - - opensearch_3 + - opensearch_3 plugin: - - aws + - aws service: - - AWS/OpenSearch + - AWS/OpenSearch +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_opensearch_domain_updated_with_latest_service_software_version.yaml b/compliance/controls/aws/aws_opensearch_domain_updated_with_latest_service_software_version.yaml index 80e31de0b..dd6935469 100755 --- a/compliance/controls/aws/aws_opensearch_domain_updated_with_latest_service_software_version.yaml +++ b/compliance/controls/aws/aws_opensearch_domain_updated_with_latest_service_software_version.yaml 
@@ -1,30 +1,14 @@ ID: aws_opensearch_domain_updated_with_latest_service_software_version Title: "OpenSearch domains should be updated to the latest service software version" Description: "This control checks whether AWS OpenSearch domain has any updates available. This control is non-compliant if the OpenSearch domain has any updates available." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when service_software_options ->> 'UpdateAvailable' = 'false' then 'ok' - else 'alarm' - end status, - case - when service_software_options ->> 'UpdateAvailable' = 'false' then title || ' updated with latest service software version.' - else title || ' not updated with latest service software version.' - end reason - - - from - aws_opensearch_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when service_software_options ->> 'UpdateAvailable' = 'false' then 'ok'\n else 'alarm'\n end status,\n case\n when service_software_options ->> 'UpdateAvailable' = 'false' then title || ' updated with latest service software version.'\n else title || ' not updated with latest service software version.'\n end reason\n \n \nfrom\n aws_opensearch_domain;" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_organizational_tag_policies_enabled.yaml b/compliance/controls/aws/aws_organizational_tag_policies_enabled.yaml index 656a15eb5..e7b256fd3 100755 --- a/compliance/controls/aws/aws_organizational_tag_policies_enabled.yaml +++ b/compliance/controls/aws/aws_organizational_tag_policies_enabled.yaml 
@@ -1,8 +1,6 @@ ID: aws_organizational_tag_policies_enabled Title: "Ensure Tag Policies are enabled" Description: "Tag policies help you standardize tags on all tagged resources across your organization" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -40,7 +38,9 @@ Query: tag_policy_enabled; PrimaryTable: aws_organizations_policy ListOfTables: - - aws_organizations_policy + - aws_organizations_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_aurora_backtracking_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_aurora_backtracking_enabled.yaml index bc2372b30..359ec3b87 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_aurora_backtracking_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_aurora_backtracking_enabled.yaml 
@@ -1,44 +1,26 @@ ID: aws_rds_db_cluster_aurora_backtracking_enabled Title: "RDS Aurora clusters should have backtracking enabled" Description: "This control checks whether AWS Aurora clusters have backtracking enabled. Backups help you to recover more quickly from a security incident. They also strengthen the resilience of your systems. Aurora backtracking reduces the time to recover a database to a point in time. It does not require a database restore to so." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when engine not ilike '%aurora-mysql%' then 'skip' - when backtrack_window is not null then 'ok' - else 'alarm' - end as status, - case - when engine not ilike '%aurora-mysql%' then title || ' not Aurora MySQL-compatible edition.' - when backtrack_window is not null then title || ' backtracking enabled.' - else title || ' backtracking not enabled.' - end as reason - - , region, account_id - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when engine not ilike '%aurora-mysql%' then 'skip'\n when backtrack_window is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when engine not ilike '%aurora-mysql%' then title || ' not Aurora MySQL-compatible edition.'\n when backtrack_window is not null then title || ' backtracking enabled.'\n else title || ' backtracking not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster;\n" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - backups_enabled + - backups_enabled foundational_security_item_id: - - rds_14 + - rds_14 plugin: - - aws + - aws service: - - 
AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_aurora_mysql_audit_logging_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_aurora_mysql_audit_logging_enabled.yaml index ed290e3c2..c0f309a7a 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_aurora_mysql_audit_logging_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_aurora_mysql_audit_logging_enabled.yaml 
@@ -1,32 +1,14 @@ ID: aws_rds_db_cluster_aurora_mysql_audit_logging_enabled Title: "Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs" Description: "This control checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs. The control fails if the cluster isn't configured to publish audit logs to CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when engine not ilike '%aurora-mysql%' then 'skip' - when enabled_cloudwatch_logs_exports @> '["audit"]' then 'ok' - else 'alarm' - end as status, - case - when engine not ilike '%aurora-mysql%' then title || ' is not Aurora MySQL-compatible edition.' - when enabled_cloudwatch_logs_exports @> '["audit"]' then title || ' audit logging enabled.' - else title || ' audit logging disabled.' - end as reason - - - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when engine not ilike '%aurora-mysql%' then 'skip'\n when enabled_cloudwatch_logs_exports @> '[\"audit\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when engine not ilike '%aurora-mysql%' then title || ' is not Aurora MySQL-compatible edition.'\n when enabled_cloudwatch_logs_exports @> '[\"audit\"]' then title || ' audit logging enabled.'\n else title || ' audit logging disabled.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster;" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability.yaml b/compliance/controls/aws/aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability.yaml index 83ecf5171..e344d01c2 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability.yaml 
@@ -1,32 +1,14 @@ ID: aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability Title: "RDS Aurora PostgreSQL clusters should not be exposed to local file read vulnerability" Description: "This control checks whether AWS Aurora PostgreSQL clusters are exposed to local file read vulnerability by ensuring that AWS RDS PostgreSQL instances use a non-vulnerable version of the log_fdw." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when not engine ilike '%aurora-postgres%' then 'skip' - when engine ilike '%aurora-postgres%' and engine_version like any (array ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) then 'alarm' - else 'ok' - end as status, - case - when not engine ilike '%aurora-postgres%' then title || ' not Aurora PostgreSQL edition.' - when engine ilike '%aurora-postgres%' and engine_version like any (array ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) then title || ' exposed to local file read vulnerability.' - else title || ' not exposed to local file read vulnerability.' 
- end as reason - - - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when not engine ilike '%aurora-postgres%' then 'skip'\n when engine ilike '%aurora-postgres%' and engine_version like any (array ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) then 'alarm'\n else 'ok'\n end as status,\n case\n when not engine ilike '%aurora-postgres%' then title || ' not Aurora PostgreSQL edition.'\n when engine ilike '%aurora-postgres%' and engine_version like any (array ['10.11', '10.12', '10.13', '11.6', '11.7', '11.8']) then title || ' exposed to local file read vulnerability.'\n else title || ' not exposed to local file read vulnerability.'\n end as reason\n \n \nfrom\n aws_rds_db_instance;" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_aurora_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_rds_db_cluster_aurora_protected_by_backup_plan.yaml index 9a56ce70c..bede9afc6 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_aurora_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_aurora_protected_by_backup_plan.yaml 
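Review bot: The control's ID, Title and file name refer to Aurora PostgreSQL clusters, but `PrimaryTable`, `ListOfTables` and the `from` clause in the new `QueryToExecute` string all read `aws_rds_db_instance`, so the control evaluates instances while being catalogued as a cluster check. Either the naming or the table is off and I cannot tell which from here; if instances are intended the ID/Title should say so, otherwise the query should target `aws_rds_db_cluster` like the sibling aws_rds_db_cluster_aurora_* controls. Separately, `engine_version like any (array ['10.11', ...])` contains no wildcards and is therefore an exact match, so if the column ever carries a longer form (a constructed example: `10.11.1`) the affected version would silently evaluate as not vulnerable — worth a comment stating the expected version format, or a prefix pattern if longer forms are possible.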
@@ -1,72 +1,45 @@ ID: aws_rds_db_cluster_aurora_protected_by_backup_plan Title: "RDS Aurora clusters should be protected by backup plan" Description: "Checks if AWS Aurora DB clusters are protected by a backup plan. The rule is non-compliant if the AWS Relational Database Service (AWS RDS) Database Cluster is not protected by a backup plan." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with backup_protected_cluster as ( - select - resource_arn as arn - from - aws_backup_protected_resource as b - where - resource_type = 'Aurora' - ) - select - c.arn as resource, - c.og_account_id as og_account_id, - c.og_resource_id as og_resource_id, - case - when c.engine not like '%aurora%' then 'skip' - when b.arn is not null then 'ok' - else 'alarm' - end as status, - case - when c.engine not like '%aurora%' then c.title || ' not Aurora resources.' - when b.arn is not null then c.title || ' is protected by backup plan.' - else c.title || ' is not protected by backup plan.' - end as reason - - , c.region, c.account_id - from - aws_rds_db_cluster as c - left join backup_protected_cluster as b on c.arn = b.arn; + QueryToExecute: "with backup_protected_cluster as (\n select\n resource_arn as arn\n from\n aws_backup_protected_resource as b\n where\n resource_type = 'Aurora'\n)\nselect\n c.arn as resource,\n c.og_account_id as og_account_id,\n c.og_resource_id as og_resource_id,\n case\n when c.engine not like '%aurora%' then 'skip'\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when c.engine not like '%aurora%' then c.title || ' not Aurora resources.'\n when b.arn is not null then c.title || ' is protected by backup plan.'\n else c.title || ' is not protected by backup plan.'\n end as reason\n \n , c.region, c.account_id\nfrom\n aws_rds_db_cluster as c\n left join backup_protected_cluster as b on c.arn = b.arn;\n" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_backup_protected_resource - - aws_rds_db_cluster + - 
aws_backup_protected_resource + - aws_rds_db_cluster Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_automatic_minor_version_upgrade_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_automatic_minor_version_upgrade_enabled.yaml index 2cb9217b3..1dd054efc 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_automatic_minor_version_upgrade_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_automatic_minor_version_upgrade_enabled.yaml 
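Review bot: `c.engine not like '%aurora%'` in both case expressions of the new `QueryToExecute` string is a case-sensitive match, whereas the sibling controls in this chunk (aws_rds_db_cluster_aurora_backtracking_enabled, aws_rds_db_cluster_aurora_mysql_audit_logging_enabled) use `ilike` for the same engine test. RDS engine names are lowercase in practice, so this is probably benign, but the inconsistency is worth removing: `when c.engine not ilike '%aurora%' then 'skip'` and `when c.engine not ilike '%aurora%' then c.title || ' not Aurora resources.'`.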
@@ -1,30 +1,14 @@ ID: aws_rds_db_cluster_automatic_minor_version_upgrade_enabled Title: "RDS DB clusters should have automatic minor version upgrade enabled" Description: "This control checks if automatic minor version upgrade is enabled for an Amazon RDS database cluster. The control fails if automatic minor version upgrade isn't enabled for an RDS cluster." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when auto_minor_version_upgrade then 'ok' - else 'alarm' - end as status, - case - when auto_minor_version_upgrade then title || ' automatic minor version upgrades enabled.' - else title || ' automatic minor version upgrades disabled.' - end as reason - - - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when auto_minor_version_upgrade then 'ok'\n else 'alarm'\n end as status,\n case\n when auto_minor_version_upgrade then title || ' automatic minor version upgrades enabled.'\n else title || ' automatic minor version upgrades disabled.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster;" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_copy_tags_to_snapshot_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_copy_tags_to_snapshot_enabled.yaml index ff65638da..9975fefc3 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_copy_tags_to_snapshot_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_copy_tags_to_snapshot_enabled.yaml 
@@ -1,42 +1,26 @@ ID: aws_rds_db_cluster_copy_tags_to_snapshot_enabled Title: "RDS DB clusters should be configured to copy tags to snapshots" Description: "This control checks whether RDS DB clusters are configured to copy all tags to snapshots when the snapshots are created." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when copy_tags_to_snapshot then 'ok' - else 'alarm' - end as status, - case - when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.' - else title || ' copy tags to snapshot disabled.' - end as reason - - , region, account_id - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when copy_tags_to_snapshot then 'ok'\n else 'alarm'\n end as status,\n case\n when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.'\n else title || ' copy tags to snapshot disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster;\n" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - inventory + - inventory foundational_security_item_id: - - rds_16 + - rds_16 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_deletion_protection_enabled.yaml index f1d467b4f..df822fbf3 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_deletion_protection_enabled.yaml 
@@ -1,42 +1,26 @@ ID: aws_rds_db_cluster_deletion_protection_enabled Title: "RDS clusters should have deletion protection enabled" Description: "This control checks whether RDS clusters have deletion protection enabled. This control is intended for RDS DB instances. However, it can also generate findings for Aurora DB instances, Neptune DB instances, and AWS DocumentDB clusters. If these findings are not useful,then you can suppress them." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - db_cluster_identifier as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when deletion_protection then 'ok' - else 'alarm' - end as status, - case - when deletion_protection then title || ' deletion protection enabled.' - else title || ' deletion protection not enabled.' - end as reason - - , region, account_id - from - aws_rds_db_cluster; + QueryToExecute: "select\n db_cluster_identifier as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when deletion_protection then 'ok'\n else 'alarm'\n end as status,\n case\n when deletion_protection then title || ' deletion protection enabled.'\n else title || ' deletion protection not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster;\n" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - data_deletion_protection + - data_deletion_protection foundational_security_item_id: - - rds_7 + - rds_7 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_encryption_at_rest_enabled.yaml index 873efb43b..96759899f 100755 
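Review bot: The new `QueryToExecute` string selects `db_cluster_identifier as resource`, while every other aws_rds_db_cluster_* control in this chunk uses `arn as resource`. A cluster identifier is only unique within an account and region, so if findings are keyed or deduplicated by `resource` downstream, two clusters sharing an identifier in different accounts or regions could collapse into one finding; the ARN avoids that. I would change the first select column to `arn as resource,` for consistency with the sibling controls, unless a consumer I cannot see here depends on the identifier.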
--- a/compliance/controls/aws/aws_rds_db_cluster_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_encryption_at_rest_enabled.yaml @@ -1,30 +1,14 @@ ID: aws_rds_db_cluster_encryption_at_rest_enabled Title: "RDS DB clusters should be encrypted at rest" Description: "This control checks if an RDS DB cluster is encrypted at rest. The control fails if an RDS DB cluster isn't encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster;" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_events_subscription.yaml b/compliance/controls/aws/aws_rds_db_cluster_events_subscription.yaml index 5e84c86d9..0760c9616 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_events_subscription.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_events_subscription.yaml 
@@ -1,8 +1,6 @@ ID: aws_rds_db_cluster_events_subscription Title: "An RDS event notifications subscription should be configured for critical cluster events" Description: "This control checks whether an AWS RDS event subscription exists that has notifications enabled for the following source type, event category key-value pairs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,19 +23,21 @@ Query: aws_rds_db_event_subscription; PrimaryTable: aws_rds_db_event_subscription ListOfTables: - - aws_rds_db_event_subscription + - aws_rds_db_event_subscription Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - application_monitoring + - application_monitoring foundational_security_item_id: - - rds_19 + - rds_19 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_iam_authentication_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_iam_authentication_enabled.yaml index 112fe3301..74931dbfa 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_iam_authentication_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_iam_authentication_enabled.yaml 
@@ -1,42 +1,26 @@ ID: aws_rds_db_cluster_iam_authentication_enabled Title: "IAM authentication should be configured for RDS clusters" Description: "Checks if an AWS RDS Cluster has AWS Identity and Access Management (IAM) authentication enabled. The rule is non-compliant if an RDS Cluster does not have IAM authentication enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when iam_database_authentication_enabled then 'ok' - else 'alarm' - end as status, - case - when iam_database_authentication_enabled then title || ' IAM authentication enabled.' - else title || ' IAM authentication not enabled.' - end as reason - - , region, account_id - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when iam_database_authentication_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when iam_database_authentication_enabled then title || ' IAM authentication enabled.'\n else title || ' IAM authentication not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster;\n" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - passwordless_aauthentication + - passwordless_aauthentication foundational_security_item_id: - - rds_12 + - rds_12 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_multiple_az_enabled.yaml b/compliance/controls/aws/aws_rds_db_cluster_multiple_az_enabled.yaml index 719a8ff5f..861a5b1a3 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_multiple_az_enabled.yaml 
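Review bot: The reindented tag value `passwordless_aauthentication` carries a typo (doubled `a`) onto the new side; tag values like this presumably group controls by foundational-security category, so it should read `passwordless_authentication` here and in the aws_rds_db_instance_iam_authentication_enabled.yaml hunk further down. Since the misspelling is pre-existing, check whether any benchmark or dashboard already keys on the misspelled value before renaming it, and rename both files in the same change so the two IAM-authentication controls stay grouped together.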
+++ b/compliance/controls/aws/aws_rds_db_cluster_multiple_az_enabled.yaml @@ -1,42 +1,26 @@ ID: aws_rds_db_cluster_multiple_az_enabled Title: "RDS DB clusters should be configured for multiple Availability Zones" Description: "This control checks whether high availability is enabled for your RDS DB clusters. RDS DB clusters should be configured for multiple Availability Zones to ensure availability of the data that is stored." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when multi_az then 'ok' - else 'alarm' - end as status, - case - when multi_az then title || ' Multi-AZ enabled.' - else title || ' Multi-AZ disabled.' - end as reason - - , region, account_id - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when multi_az then 'ok'\n else 'alarm'\n end as status,\n case\n when multi_az then title || ' Multi-AZ enabled.'\n else title || ' Multi-AZ disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster;\n" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - high_availability + - high_availability foundational_security_item_id: - - rds_15 + - rds_15 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_cluster_no_default_admin_name.yaml b/compliance/controls/aws/aws_rds_db_cluster_no_default_admin_name.yaml index d0a203d9a..b336d673c 100755 --- a/compliance/controls/aws/aws_rds_db_cluster_no_default_admin_name.yaml +++ b/compliance/controls/aws/aws_rds_db_cluster_no_default_admin_name.yaml 
@@ -1,42 +1,26 @@ ID: aws_rds_db_cluster_no_default_admin_name Title: "RDS database clusters should use a custom administrator username" Description: "This control checks whether an AWS RDS database cluster has changed the admin username from its default value. This rule will fail if the admin username is set to the default value." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when master_user_name in ('admin', 'postgres') then 'alarm' - else 'ok' - end status, - case - when master_user_name in ('admin', 'postgres') then title || ' using default master user name.' - else title || ' not using default master user name.' - end reason - - , region, account_id - from - aws_rds_db_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when master_user_name in ('admin', 'postgres') then 'alarm'\n else 'ok'\n end status,\n case\n when master_user_name in ('admin', 'postgres') then title || ' using default master user name.'\n else title || ' not using default master user name.'\n end reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster;\n" PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_configuration + - resource_configuration foundational_security_item_id: - - rds_24 + - rds_24 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled.yaml index 05c94286b..b3f36167e 100755 
--- a/compliance/controls/aws/aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled.yaml 
@@ -1,80 +1,39 @@ ID: aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled Title: "RDS DB instance and cluster enhanced monitoring should be enabled" Description: "Enable AWS Relational Database Service (AWS RDS) to help monitor AWS RDS availability. This provides detailed visibility into the health of your AWS RDS database instances." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_rds_db_cluster' as og_table_name, - case - when enabled_cloudwatch_logs_exports is not null then 'ok' - else 'alarm' - end as status, - case - when enabled_cloudwatch_logs_exports is not null then title || ' enhanced monitoring enabled.' - else title || ' enhanced monitoring not enabled.' - end as reason - - , region, account_id - from - aws_rds_db_cluster - ) - union - ( - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_rds_db_instance' as og_table_name, - case - when class = 'db.m1.small' then 'skip' - when enhanced_monitoring_resource_arn is not null then 'ok' - else 'alarm' - end as status, - case - when class = 'db.m1.small' then title || ' enhanced monitoring not supported.' - when enhanced_monitoring_resource_arn is not null then title || ' enhanced monitoring enabled.' - else title || ' enhanced monitoring not enabled.' 
- end as reason - - , region, account_id - from - aws_rds_db_instance - ); + QueryToExecute: "(\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_rds_db_cluster' as og_table_name,\n case\n when enabled_cloudwatch_logs_exports is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when enabled_cloudwatch_logs_exports is not null then title || ' enhanced monitoring enabled.'\n else title || ' enhanced monitoring not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster\n)\nunion\n(\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_rds_db_instance' as og_table_name,\n case\n when class = 'db.m1.small' then 'skip'\n when enhanced_monitoring_resource_arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when class = 'db.m1.small' then title || ' enhanced monitoring not supported.'\n when enhanced_monitoring_resource_arn is not null then title || ' enhanced monitoring enabled.'\n else title || ' enhanced monitoring not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance\n);\n" PrimaryTable: "" ListOfTables: - - aws_rds_db_cluster - - aws_rds_db_instance + - aws_rds_db_cluster + - aws_rds_db_instance Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud 
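Review bot: In the cluster half of the union, status is derived from `enabled_cloudwatch_logs_exports is not null`, which reflects log exports rather than Enhanced Monitoring, so a cluster with log exports but no monitoring configured reports `ok` with a reason text claiming enhanced monitoring is enabled. The instance half keys on `enhanced_monitoring_resource_arn`, which matches the control's title; if the cluster table exposes a monitoring-interval or monitoring-role column the cluster branch should test that instead, and if it does not, the reason text should state what is actually checked so an auditor is not misled. This is pre-existing logic carried over by the reformat rather than introduced by it, and the hunk spans two physical lines here.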
diff --git a/compliance/controls/aws/aws_rds_db_instance_and_cluster_no_default_port.yaml b/compliance/controls/aws/aws_rds_db_instance_and_cluster_no_default_port.yaml index 3e1ebe221..6de5526c3 100755 --- a/compliance/controls/aws/aws_rds_db_instance_and_cluster_no_default_port.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_and_cluster_no_default_port.yaml 
@@ -1,78 +1,27 @@ ID: aws_rds_db_instance_and_cluster_no_default_port Title: "RDS databases and clusters should not use a database engine default port" Description: "This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_rds_db_cluster' as og_table_name, - case - when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then 'alarm' - when engine like '%postgres%' and port = '5432' then 'alarm' - when engine like 'oracle%' and port = '1521' then 'alarm' - when engine like 'sqlserver%' and port = '1433' then 'alarm' - else 'ok' - end as status, - case - when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then title || ' ' || engine || ' uses a default port.' - when engine like '%postgres%' and port = '5432' then title || ' ' || engine || ' uses a default port.' - when engine like 'oracle%' and port = '1521' then title || ' ' || engine || ' uses a default port.' - when engine like 'sqlserver%' and port = '1433' then title || ' ' || engine || ' uses a default port.' - else title || ' doesnt use a default port.' - end as reason - - , region, account_id - from - aws_rds_db_cluster - ) - union - ( - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_rds_db_instance' as og_table_name, - case - when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then 'alarm' - when engine like '%postgres%' and port = '5432' then 'alarm' - when engine like 'oracle%' and port = '1521' then 'alarm' - when engine like 'sqlserver%' and port = '1433' then 'alarm' - else 'ok' - end as status, - case - when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then title || ' ' || engine || ' uses a default port.' 
- when engine like '%postgres%' and port = '5432' then title || ' ' || engine || ' uses a default port.' - when engine like 'oracle%' and port = '1521' then title || ' ' || engine || ' uses a default port.' - when engine like 'sqlserver%' and port = '1433' then title || ' ' || engine || ' uses a default port.' - else title || ' doesnt use a default port.' - end as reason - - , region, account_id - from - aws_rds_db_instance - ); + QueryToExecute: "(\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_rds_db_cluster' as og_table_name,\n case\n when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then 'alarm'\n when engine like '%postgres%' and port = '5432' then 'alarm'\n when engine like 'oracle%' and port = '1521' then 'alarm'\n when engine like 'sqlserver%' and port = '1433' then 'alarm'\n else 'ok'\n end as status,\n case\n when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then title || ' ' || engine || ' uses a default port.'\n when engine like '%postgres%' and port = '5432' then title || ' ' || engine || ' uses a default port.'\n when engine like 'oracle%' and port = '1521' then title || ' ' || engine || ' uses a default port.'\n when engine like 'sqlserver%' and port = '1433' then title || ' ' || engine || ' uses a default port.'\n else title || ' doesnt use a default port.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster\n)\nunion\n(\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_rds_db_instance' as og_table_name,\n case\n when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then 'alarm'\n when engine like '%postgres%' and port = '5432' then 'alarm'\n when engine like 'oracle%' and port = '1521' then 'alarm'\n when engine like 'sqlserver%' and port = '1433' then 'alarm'\n else 'ok'\n end as status,\n case\n when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then 
title || ' ' || engine || ' uses a default port.'\n when engine like '%postgres%' and port = '5432' then title || ' ' || engine || ' uses a default port.'\n when engine like 'oracle%' and port = '1521' then title || ' ' || engine || ' uses a default port.'\n when engine like 'sqlserver%' and port = '1433' then title || ' ' || engine || ' uses a default port.'\n else title || ' doesnt use a default port.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance\n);\n" PrimaryTable: "" ListOfTables: - - aws_rds_db_cluster - - aws_rds_db_instance + - aws_rds_db_cluster + - aws_rds_db_instance Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - rds_23 + - rds_23 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_automatic_minor_version_upgrade_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_automatic_minor_version_upgrade_enabled.yaml index a2805a53f..b3102ed19 100755 --- a/compliance/controls/aws/aws_rds_db_instance_automatic_minor_version_upgrade_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_automatic_minor_version_upgrade_enabled.yaml 
@@ -1,48 +1,32 @@ ID: aws_rds_db_instance_automatic_minor_version_upgrade_enabled Title: "RDS DB instance automatic minor version upgrade should be enabled" Description: "Ensure that AWS Relational Database Service (RDS) database instances are configured for automatic minor version upgrades. The rule is non-compliant if the value of 'autoMinorVersionUpgrade' is false." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when auto_minor_version_upgrade then 'ok' - else 'alarm' - end as status, - case - when auto_minor_version_upgrade then title || ' automatic minor version upgrades enabled.' - else title || ' automatic minor version upgrades not enabled.' - end as reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when auto_minor_version_upgrade then 'ok'\n else 'alarm'\n end as status,\n case\n when auto_minor_version_upgrade then title || ' automatic minor version upgrades enabled.'\n else title || ' automatic minor version upgrades not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 2.3.2 + - 2.3.2 cis_level: - - "1" + - "1" cis_section_id: - - "2.3" + - "2.3" cis_type: - - automated + - automated cis_version: - - v1.5.0 + - v1.5.0 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_backup_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_backup_enabled.yaml index c9fabb9a3..f22a0ecf4 100755 
--- a/compliance/controls/aws/aws_rds_db_instance_backup_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_backup_enabled.yaml 
@@ -1,68 +1,52 @@ ID: aws_rds_db_instance_backup_enabled Title: "RDS DB instance backup should be enabled" Description: "The backup feature of AWS RDS creates backups of your databases and transaction logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when backup_retention_period < 1 then 'alarm' - else 'ok' - end as status, - case - when backup_retention_period < 1 then title || ' backups not enabled.' - else title || ' backups enabled.' - end as reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when backup_retention_period < 1 then 'alarm'\n else 'ok'\n end as status,\n case\n when backup_retention_period < 1 then title || ' backups not enabled.'\n else title || ' backups enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_rds_db_instance_backup_retention_period_less_than_7.yaml b/compliance/controls/aws/aws_rds_db_instance_backup_retention_period_less_than_7.yaml index 516a749a8..41e2bb09c 100755 --- a/compliance/controls/aws/aws_rds_db_instance_backup_retention_period_less_than_7.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_backup_retention_period_less_than_7.yaml @@ -1,8 +1,6 @@ ID: aws_rds_db_instance_backup_retention_period_less_than_7 Title: "RDS DB instances backup retention period should be greater than or equal to 7" Description: "Ensure RDS DB instance backup retention period is greater than or equal to 7." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -15,12 +13,14 @@ Query: else 'ok' end as status, title || ' backup retention period set to ' || backup_retention_period || '.' as reason - + from aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_ca_certificate_expires_7_days.yaml b/compliance/controls/aws/aws_rds_db_instance_ca_certificate_expires_7_days.yaml index 368092e1f..2062d910a 100755 --- a/compliance/controls/aws/aws_rds_db_instance_ca_certificate_expires_7_days.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_ca_certificate_expires_7_days.yaml @@ -1,8 +1,6 @@ ID: aws_rds_db_instance_ca_certificate_expires_7_days Title: "RDS DB instances CA certificates should not expire within next 7 days" Description: "Ensure RDS DB instances CA certificates are not getting expired within the next 7 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,7 +19,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_rds_db_instance_cloudwatch_logs_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_cloudwatch_logs_enabled.yaml index f48f471e9..88dff5965 100755 --- a/compliance/controls/aws/aws_rds_db_instance_cloudwatch_logs_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_cloudwatch_logs_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_rds_db_instance_cloudwatch_logs_enabled Title: "RDS DB instances should be integrated with CloudWatch logs" Description: "Use AWS CloudWatch to centrally collect and manage RDS DB instance activity." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml index 9e62c1423..a07bc139b 100755 --- a/compliance/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_connections_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_rds_db_instance_connections_encryption_enabled Title: "RDS DB instances connections should be encrypted" Description: "This control checks if RDS DB instance connections are encrypted. Secure Sockets Layer (SSL) is used to encrypt between client applications and AWS RDS DB instances running Microsoft SQL Server or PostgreSQL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -55,8 +53,10 @@ Query: left join pg_with_ssl_enabled as p on p.name = i.pg_name PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance - - aws_rds_db_parameter_group + - aws_rds_db_instance + - aws_rds_db_parameter_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_rds_db_instance_copy_tags_to_snapshot_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_copy_tags_to_snapshot_enabled.yaml index 11d06328b..799b056c3 100755 --- a/compliance/controls/aws/aws_rds_db_instance_copy_tags_to_snapshot_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_copy_tags_to_snapshot_enabled.yaml @@ -1,42 +1,26 @@ ID: aws_rds_db_instance_copy_tags_to_snapshot_enabled Title: "RDS DB instances should be configured to copy tags to snapshots" Description: "This control checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when copy_tags_to_snapshot then 'ok' - else 'alarm' - end as status, - case - when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.' - else title || ' copy tags to snapshot disabled.' - end as reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when copy_tags_to_snapshot then 'ok'\n else 'alarm'\n end as status,\n case\n when copy_tags_to_snapshot then title || ' copy tags to snapshot enabled.'\n else title || ' copy tags to snapshot disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - inventory + - inventory foundational_security_item_id: - - rds_17 + - rds_17 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_rds_db_instance_deletion_protection_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_deletion_protection_enabled.yaml index 3c0242477..e468fbf33 100755 --- a/compliance/controls/aws/aws_rds_db_instance_deletion_protection_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_deletion_protection_enabled.yaml 
@@ -1,60 +1,42 @@ ID: aws_rds_db_instance_deletion_protection_enabled Title: "RDS DB instances should have deletion protection enabled" Description: "Ensure AWS Relational Database Service (AWS RDS) instances have deletion protection enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when engine like any(array['aurora%', 'docdb', 'neptune']) then 'skip' - when deletion_protection then 'ok' - else 'alarm' - end status, - case - when engine like any(array['aurora%', 'docdb', 'neptune']) then title || ' has engine ' || engine || ' cluster, deletion protection is set at cluster level.' - when deletion_protection then title || ' deletion protection enabled.' - else title || ' deletion protection not enabled.' - end reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when engine like any(array['aurora%', 'docdb', 'neptune']) then 'skip'\n when deletion_protection then 'ok'\n else 'alarm'\n end status,\n case\n when engine like any(array['aurora%', 'docdb', 'neptune']) then title || ' has engine ' || engine || ' cluster, deletion protection is set at cluster level.'\n when deletion_protection then title || ' deletion protection enabled.'\n else title || ' deletion protection not enabled.'\n end reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - 
- "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_encryption_at_rest_enabled.yaml index bab112077..6edbd8bd5 100755 --- a/compliance/controls/aws/aws_rds_db_instance_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_encryption_at_rest_enabled.yaml 
@@ -1,68 +1,52 @@ ID: aws_rds_db_instance_encryption_at_rest_enabled Title: "RDS DB instance encryption at rest should be enabled" Description: "To help protect data at rest, ensure that encryption is enabled for your AWS Relational Database Service (AWS RDS) instances." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_rds_db_instance_events_subscription.yaml b/compliance/controls/aws/aws_rds_db_instance_events_subscription.yaml index 3ed47c2e6..0a57dad75 100755 --- a/compliance/controls/aws/aws_rds_db_instance_events_subscription.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_events_subscription.yaml @@ -1,8 +1,6 @@ ID: aws_rds_db_instance_events_subscription Title: "An RDS event notifications subscription should be configured for critical database instance events" Description: "This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,19 +23,21 @@ Query: aws_rds_db_event_subscription; PrimaryTable: aws_rds_db_event_subscription ListOfTables: - - aws_rds_db_event_subscription + - aws_rds_db_event_subscription Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - application_monitoring + - application_monitoring foundational_security_item_id: - - rds_20 + - rds_20 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_iam_authentication_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_iam_authentication_enabled.yaml index 7b0e2bc22..cb960eb31 100755 --- a/compliance/controls/aws/aws_rds_db_instance_iam_authentication_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_iam_authentication_enabled.yaml 
@@ -1,42 +1,26 @@ ID: aws_rds_db_instance_iam_authentication_enabled Title: "RDS DB instances should have iam authentication enabled" Description: "Checks if an AWS Relational Database Service (AWS RDS) instance has AWS Identity and Access Management (IAM) authentication enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when iam_database_authentication_enabled then 'ok' - else 'alarm' - end as status, - case - when iam_database_authentication_enabled then title || ' IAM authentication enabled.' - else title || ' IAM authentication not enabled.' - end as reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when iam_database_authentication_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when iam_database_authentication_enabled then title || ' IAM authentication enabled.'\n else title || ' IAM authentication not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - passwordless_aauthentication + - passwordless_aauthentication foundational_security_item_id: - - rds_10 + - rds_10 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_in_backup_plan.yaml b/compliance/controls/aws/aws_rds_db_instance_in_backup_plan.yaml index 1cfec8073..27955d37b 100755 --- a/compliance/controls/aws/aws_rds_db_instance_in_backup_plan.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_in_backup_plan.yaml 
@@ -1,97 +1,51 @@ ID: aws_rds_db_instance_in_backup_plan Title: "RDS DB instances should be in a backup plan" Description: "To help with data back-up processes, ensure your AWS Relational Database Service (AWS RDS) instances are a part of an AWS Backup plan." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with mapped_with_id as ( - select - jsonb_agg(elems) as mapped_ids - from - aws_backup_selection, - jsonb_array_elements(resources) as elems - group by backup_plan_id - ), - mapped_with_tags as ( - select - jsonb_agg(elems ->> 'ConditionKey') as mapped_tags - from - aws_backup_selection, - jsonb_array_elements(list_of_tags) as elems - group by backup_plan_id - ), - backed_up_instance as ( - select - i.db_instance_identifier - from - aws_rds_db_instance as i - join mapped_with_id as t on t.mapped_ids ?| array[i.arn] - union - select - i.db_instance_identifier - from - aws_rds_db_instance as i - join mapped_with_tags as t on t.mapped_tags ?| array(select jsonb_object_keys(tags)) - ) - select - i.arn as resource, - i.og_account_id as og_account_id, - i.og_resource_id as og_resource_id, - case - when b.db_instance_identifier is null then 'alarm' - else 'ok' - end as status, - case - when b.db_instance_identifier is null then i.title || ' not in backup plan.' - else i.title || ' in backup plan.' 
- end as reason - - , i.region, i.account_id - from - aws_rds_db_instance as i - left join backed_up_instance as b on i.db_instance_identifier = b.db_instance_identifier; + QueryToExecute: "with mapped_with_id as (\n select\n jsonb_agg(elems) as mapped_ids\n from\n aws_backup_selection,\n jsonb_array_elements(resources) as elems\n group by backup_plan_id\n),\nmapped_with_tags as (\n select\n jsonb_agg(elems ->> 'ConditionKey') as mapped_tags\n from\n aws_backup_selection,\n jsonb_array_elements(list_of_tags) as elems\n group by backup_plan_id\n),\nbacked_up_instance as (\n select\n i.db_instance_identifier\n from\n aws_rds_db_instance as i\n join mapped_with_id as t on t.mapped_ids ?| array[i.arn]\n union\n select\n i.db_instance_identifier\n from\n aws_rds_db_instance as i\n join mapped_with_tags as t on t.mapped_tags ?| array(select jsonb_object_keys(tags))\n)\nselect\n i.arn as resource,\n i.og_account_id as og_account_id,\n i.og_resource_id as og_resource_id,\n case\n when b.db_instance_identifier is null then 'alarm'\n else 'ok'\n end as status,\n case\n when b.db_instance_identifier is null then i.title || ' not in backup plan.'\n else i.title || ' in backup plan.'\n end as reason\n \n , i.region, i.account_id\nfrom\n aws_rds_db_instance as i\n left join backed_up_instance as b on i.db_instance_identifier = b.db_instance_identifier;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_backup_selection - - aws_rds_db_instance + - aws_backup_selection + - aws_rds_db_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - 
"true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_in_vpc.yaml b/compliance/controls/aws/aws_rds_db_instance_in_vpc.yaml index 49538b275..be312e073 100755 --- a/compliance/controls/aws/aws_rds_db_instance_in_vpc.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_in_vpc.yaml @@ -1,42 +1,26 @@ ID: aws_rds_db_instance_in_vpc Title: "RDS instances should be deployed in a VPC" Description: "This control checks whether an RDS instance is deployed in a VPC (EC2-VPC)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when vpc_id is null then 'alarm' - else 'ok' - end as status, - case - when vpc_id is null then title || ' is not in VPC.' - else title || ' is in VPC ' || vpc_id || '.' - end as reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when vpc_id is null then title || ' is not in VPC.'\n else title || ' is in VPC ' || vpc_id || '.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resources_within_vpc + - resources_within_vpc foundational_security_item_id: - - rds_18 + - rds_18 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_rds_db_instance_logging_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_logging_enabled.yaml index aee8e7746..b3b582f47 100755 --- a/compliance/controls/aws/aws_rds_db_instance_logging_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_logging_enabled.yaml 
@@ -1,83 +1,52 @@ ID: aws_rds_db_instance_logging_enabled Title: "Database logging should be enabled" Description: "To help with logging and monitoring within your environment, ensure AWS Relational Database Service (AWS RDS) logging is enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when engine = 'docdb' then 'skip' - when engine like any (array ['mariadb', '%mysql']) and enabled_cloudwatch_logs_exports ?& array ['audit','error','general','slowquery'] then 'ok' - when engine like any (array['%postgres%']) and enabled_cloudwatch_logs_exports ?& array ['postgresql','upgrade'] then 'ok' - when engine like 'oracle%' and enabled_cloudwatch_logs_exports ?& array ['alert','audit', 'trace','listener'] then 'ok' - when engine = 'sqlserver-ex' and enabled_cloudwatch_logs_exports ?& array ['error'] then 'ok' - when engine like 'sqlserver%' and enabled_cloudwatch_logs_exports ?& array ['error','agent'] then 'ok' - else 'alarm' - end as status, - case - when engine = 'docdb' then title || ' is docdb instance.' - when engine like any (array ['mariadb', '%mysql']) and enabled_cloudwatch_logs_exports ?& array ['audit','error','general','slowquery'] - then title || ' ' || engine || ' logging enabled.' - when engine like any (array['%postgres%']) and enabled_cloudwatch_logs_exports ?& array ['postgresql','upgrade'] - then title || ' ' || engine || ' logging enabled.' - when engine like 'oracle%' and enabled_cloudwatch_logs_exports ?& array ['alert','audit', 'trace','listener'] - then title || ' ' || engine || ' logging enabled.' - when engine = 'sqlserver-ex' and enabled_cloudwatch_logs_exports ?& array ['error'] - then title || ' ' || engine || ' logging enabled.' - when engine like 'sqlserver%' and enabled_cloudwatch_logs_exports ?& array ['error','agent'] - then title || ' ' || engine || ' logging enabled.' 
- else title || ' logging not enabled.' - end as reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when engine = 'docdb' then 'skip'\n when engine like any (array ['mariadb', '%mysql']) and enabled_cloudwatch_logs_exports ?& array ['audit','error','general','slowquery'] then 'ok'\n when engine like any (array['%postgres%']) and enabled_cloudwatch_logs_exports ?& array ['postgresql','upgrade'] then 'ok'\n when engine like 'oracle%' and enabled_cloudwatch_logs_exports ?& array ['alert','audit', 'trace','listener'] then 'ok'\n when engine = 'sqlserver-ex' and enabled_cloudwatch_logs_exports ?& array ['error'] then 'ok'\n when engine like 'sqlserver%' and enabled_cloudwatch_logs_exports ?& array ['error','agent'] then 'ok'\n else 'alarm'\n end as status,\n case\n when engine = 'docdb' then title || ' is docdb instance.'\n when engine like any (array ['mariadb', '%mysql']) and enabled_cloudwatch_logs_exports ?& array ['audit','error','general','slowquery']\n then title || ' ' || engine || ' logging enabled.'\n when engine like any (array['%postgres%']) and enabled_cloudwatch_logs_exports ?& array ['postgresql','upgrade']\n then title || ' ' || engine || ' logging enabled.'\n when engine like 'oracle%' and enabled_cloudwatch_logs_exports ?& array ['alert','audit', 'trace','listener']\n then title || ' ' || engine || ' logging enabled.'\n when engine = 'sqlserver-ex' and enabled_cloudwatch_logs_exports ?& array ['error']\n then title || ' ' || engine || ' logging enabled.'\n when engine like 'sqlserver%' and enabled_cloudwatch_logs_exports ?& array ['error','agent']\n then title || ' ' || engine || ' logging enabled.'\n else title || ' logging not enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] 
Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_multiple_az_enabled.yaml b/compliance/controls/aws/aws_rds_db_instance_multiple_az_enabled.yaml index 195ed48de..4b71e9c8d 100755 --- a/compliance/controls/aws/aws_rds_db_instance_multiple_az_enabled.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_multiple_az_enabled.yaml 
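Review bot: The `%postgres%` branch of the re-emitted query requires both `postgresql` and `upgrade` in `enabled_cloudwatch_logs_exports`, but the pattern also matches `aurora-postgresql`, and Aurora PostgreSQL only offers the `postgresql` export type as far as I know, so every Aurora PostgreSQL instance with logging fully enabled is reported `alarm`. A dedicated branch placed before the generic one, `when engine = 'aurora-postgresql' and enabled_cloudwatch_logs_exports ?& array ['postgresql'] then 'ok'`, with the matching `reason` line, fixes that; the same split is worth checking for `%mysql` versus `aurora-mysql`. Because the `status` and `reason` CASE expressions duplicate every engine predicate, any future engine tweak has to be made twice — a CTE computing a single `logging_ok` boolean would keep them from drifting. The block is also collapsed into a single `\n`-joined string, which is what makes duplication like this easy to miss.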
@@ -1,60 +1,42 @@ ID: aws_rds_db_instance_multiple_az_enabled Title: "RDS DB instance multiple az should be enabled" Description: "Multi-AZ support in AWS Relational Database Service (AWS RDS) provides enhanced availability and durability for database instances." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then 'skip' - when multi_az then 'ok' - else 'alarm' - end as status, - case - when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then title || ' cluster instance.' - when multi_az then title || ' Multi-AZ enabled.' - else title || ' Multi-AZ disabled.' - end as reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then 'skip'\n when multi_az then 'ok'\n else 'alarm'\n end as status,\n case\n when engine ilike any (array ['%aurora-mysql%', '%aurora-postgres%']) then title || ' cluster instance.'\n when multi_az then title || ' Multi-AZ enabled.'\n else title || ' Multi-AZ disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - 
"true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_no_default_admin_name.yaml b/compliance/controls/aws/aws_rds_db_instance_no_default_admin_name.yaml index 5724938b7..301e6d0fe 100755 --- a/compliance/controls/aws/aws_rds_db_instance_no_default_admin_name.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_no_default_admin_name.yaml 
@@ -1,42 +1,26 @@ ID: aws_rds_db_instance_no_default_admin_name Title: "RDS database instances should use a custom administrator username" Description: "This control checks whether you've changed the administrative username for AWS Relational Database Service (AWS RDS) database instances from the default value. The control fails if the administrative username is set to the default value." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when master_user_name in ('admin','postgres') then 'alarm' - else 'ok' - end status, - case - when master_user_name in ('admin', 'postgres') then title || ' using default master user name.' - else title || ' not using default master user name.' - end reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when master_user_name in ('admin','postgres') then 'alarm'\n else 'ok'\n end status,\n case\n when master_user_name in ('admin', 'postgres') then title || ' using default master user name.'\n else title || ' not using default master user name.'\n end reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_configuration + - resource_configuration foundational_security_item_id: - - rds_25 + - rds_25 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud 
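Review bot: Style: the re-emitted query writes `end status` and `end reason` while every neighbouring control in this commit writes `end as status` / `end as reason`; both are valid PostgreSQL, but the mixed form makes grepping and generated-query tooling less predictable, so `end as status` and `end as reason` would be consistent. The default-name list `('admin','postgres')` is compared case-sensitively; if the collector stores master usernames as typed, a `Postgres` or `ADMIN` instance passes, so `lower(master_user_name) in ('admin', 'postgres')` is safer — confirm whether the matching Security Hub control RDS.25 is case-sensitive before diverging from it. The `\n`-joined single-line `QueryToExecute` makes both points harder to spot than the `|` block scalar did.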
diff --git a/compliance/controls/aws/aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability.yaml b/compliance/controls/aws/aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability.yaml index 38dd72d7e..dbe524453 100755 --- a/compliance/controls/aws/aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability.yaml @@ -1,8 +1,6 @@ ID: aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability Title: "RDS PostgreSQL DB instances should not be exposed to local file read vulnerability" Description: "This control checks whether AWS PostgreSQL DB isntance are exposed to local file read vulnerability by ensuring that AWS RDS PostgreSQL instances use a non-vulnerable version of the log_fdw." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_instance_prohibit_public_access.yaml b/compliance/controls/aws/aws_rds_db_instance_prohibit_public_access.yaml index f28d31995..693fd48e5 100755 --- a/compliance/controls/aws/aws_rds_db_instance_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_prohibit_public_access.yaml 
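Review bot: The Description on the context line of the first hunk still reads "DB isntance are exposed", which should be "DB instances are exposed"; since the Description is what an auditor sees on the report, the typo is worth fixing while this file is touched. This control also ships with `Tags: {}` and `Severity: low` even though its Title names an exposure to a local file read vulnerability, so it is invisible to every framework view in the corpus and ranks below the multi-AZ convenience control; unless that is intentional, at least the `category` and `service` tags the sibling controls carry should be added. The query body is outside this hunk, so I cannot comment on the version comparison it performs.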
@@ -1,68 +1,52 @@ ID: aws_rds_db_instance_prohibit_public_access Title: "RDS DB instances should prohibit public access" Description: "Manage access to resources in the AWS Cloud by ensuring that AWS Relational Database Service (AWS RDS) instances are not public." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when publicly_accessible then 'alarm' - else 'ok' - end status, - case - when publicly_accessible then title || ' publicly accessible.' - else title || ' not publicly accessible.' - end reason - - , region, account_id - from - aws_rds_db_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when publicly_accessible then 'alarm'\n else 'ok'\n end status,\n case\n when publicly_accessible then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end reason\n \n , region, account_id\nfrom\n aws_rds_db_instance;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: high Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
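Review bot: In the re-emitted query a null `publicly_accessible` falls through `when publicly_accessible then 'alarm' else 'ok'` into `ok`, so a row the collector could not populate silently passes a high-severity control; `when publicly_accessible is null then 'error'`, or at least `coalesce(publicly_accessible, false)` with the gap named in the Description, would make the failure visible — confirm which status values the CloudQL engine accepts beyond the `ok`/`alarm`/`skip` seen in this commit. The style point from the neighbouring controls applies here as well: `end status` / `end reason` versus `end as status` / `end as reason`. The `\n`-joined single-line `QueryToExecute` replaces a `|` block scalar and makes the CASE logic unreadable in review.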
diff --git a/compliance/controls/aws/aws_rds_db_instance_protected_by_backup_plan.yaml b/compliance/controls/aws/aws_rds_db_instance_protected_by_backup_plan.yaml index 844688e5c..ba78d1652 100755 --- a/compliance/controls/aws/aws_rds_db_instance_protected_by_backup_plan.yaml +++ b/compliance/controls/aws/aws_rds_db_instance_protected_by_backup_plan.yaml 
@@ -1,70 +1,45 @@ ID: aws_rds_db_instance_protected_by_backup_plan Title: "RDS DB instance should be protected by backup plan" Description: "Ensure that AWS Relational Database Service (AWS RDS) instances are protected by a backup plan. The rule is non-compliant if the AWS RDS Database instance is not covered by a backup plan." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with backup_protected_rds_isntance as ( - select - resource_arn as arn - from - aws_backup_protected_resource as b - where - resource_type = 'RDS' - ) - select - r.arn as resource, - r.og_account_id as og_account_id, - r.og_resource_id as og_resource_id, - case - when b.arn is not null then 'ok' - else 'alarm' - end as status, - case - when b.arn is not null then r.title || ' is protected by backup plan.' - else r.title || ' is not protected by backup plan.' - end as reason - - , r.region, r.account_id - from - aws_rds_db_instance as r - left join backup_protected_rds_isntance as b on r.arn = b.arn; + QueryToExecute: "with backup_protected_rds_isntance as (\n select\n resource_arn as arn\n from\n aws_backup_protected_resource as b\n where\n resource_type = 'RDS'\n)\nselect\n r.arn as resource,\n r.og_account_id as og_account_id,\n r.og_resource_id as og_resource_id,\n case\n when b.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is not null then r.title || ' is protected by backup plan.'\n else r.title || ' is not protected by backup plan.'\n end as reason\n \n , r.region, r.account_id\nfrom\n aws_rds_db_instance as r\n left join backup_protected_rds_isntance as b on r.arn = b.arn;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_backup_protected_resource - - aws_rds_db_instance + - aws_backup_protected_resource + - aws_rds_db_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" 
gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_parameter_group_events_subscription.yaml b/compliance/controls/aws/aws_rds_db_parameter_group_events_subscription.yaml index 21478fdc6..61bfbc012 100755 --- a/compliance/controls/aws/aws_rds_db_parameter_group_events_subscription.yaml +++ b/compliance/controls/aws/aws_rds_db_parameter_group_events_subscription.yaml @@ -1,8 +1,6 @@ ID: aws_rds_db_parameter_group_events_subscription Title: "An RDS event notifications subscription should be configured for critical database parameter group events" Description: "This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,19 +23,21 @@ Query: aws_rds_db_event_subscription; PrimaryTable: aws_rds_db_event_subscription ListOfTables: - - aws_rds_db_event_subscription + - aws_rds_db_event_subscription Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - application_monitoring + - application_monitoring foundational_security_item_id: - - rds_21 + - rds_21 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_security_group_events_subscription.yaml b/compliance/controls/aws/aws_rds_db_security_group_events_subscription.yaml index ebcfc9947..00edfac80 100755 
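Review bot: The re-emitted query matches `aws_backup_protected_resource` rows with `resource_type = 'RDS'` against the instance ARN, but Aurora cluster members are protected through their cluster (AWS Backup reports them, as far as I know, with resource type `Aurora` and the cluster ARN), so every Aurora instance will be reported `is not protected by backup plan` regardless of its real coverage; a leading `when r.engine like 'aurora%' then 'skip'` branch, mirroring the multi-AZ control, plus a companion cluster-level control would be the accurate fix. Small style point: the CTE is named `backup_protected_rds_isntance`; `backup_protected_rds_instance` reads better and will not trip a spell-checker. The sibling `aws_rds_db_instance_in_backup_plan` control derives the same fact from `aws_backup_selection`; the two can disagree, and neither Description says which one is authoritative.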
--- a/compliance/controls/aws/aws_rds_db_security_group_events_subscription.yaml +++ b/compliance/controls/aws/aws_rds_db_security_group_events_subscription.yaml @@ -1,8 +1,6 @@ ID: aws_rds_db_security_group_events_subscription Title: "An RDS event notifications subscription should be configured for critical database security group events" Description: "This control checks whether an AWS RDS event subscription exists with notifications enabled for the following source type, event category key-value pairs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,19 +23,21 @@ Query: aws_rds_db_event_subscription; PrimaryTable: aws_rds_db_event_subscription ListOfTables: - - aws_rds_db_event_subscription + - aws_rds_db_event_subscription Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - application_monitoring + - application_monitoring foundational_security_item_id: - - rds_22 + - rds_22 plugin: - - aws + - aws service: - - AWS/RDS + - AWS/RDS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_rds_db_snapshot_encrypted_at_rest.yaml b/compliance/controls/aws/aws_rds_db_snapshot_encrypted_at_rest.yaml index d5b5a2e5f..e056f5658 100755 --- a/compliance/controls/aws/aws_rds_db_snapshot_encrypted_at_rest.yaml +++ b/compliance/controls/aws/aws_rds_db_snapshot_encrypted_at_rest.yaml 
@@ -1,90 +1,51 @@ ID: aws_rds_db_snapshot_encrypted_at_rest Title: "RDS DB snapshots should be encrypted at rest" Description: "Ensure that encryption is enabled for your AWS Relational Database Service (AWS RDS) snapshots." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_rds_db_cluster_snapshot' as og_table_name, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - , region, account_id - from - aws_rds_db_cluster_snapshot - ) - union - ( - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_rds_db_snapshot' as og_table_name, - case - when encrypted then 'ok' - else 'alarm' - end as status, - case - when encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' 
- end as reason - - , region, account_id - from - aws_rds_db_snapshot - ); + QueryToExecute: "(\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_rds_db_cluster_snapshot' as og_table_name,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster_snapshot\n)\nunion\n(\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_rds_db_snapshot' as og_table_name,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n , region, account_id\nfrom\n aws_rds_db_snapshot\n);\n" PrimaryTable: "" ListOfTables: - - aws_rds_db_cluster_snapshot - - aws_rds_db_snapshot + - aws_rds_db_cluster_snapshot + - aws_rds_db_snapshot Parameters: [] Severity: high Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
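Review bot: Style: the two branches of the re-emitted query are combined with `union`, which forces a sort-and-dedupe over every snapshot although cluster-snapshot and DB-snapshot ARNs cannot collide; `union all` states the intent and avoids the work. `PrimaryTable: ""` with `og_table_name` emitted per branch is presumably how the engine routes mixed-table results, but that convention is not documented anywhere in the file — a one-line comment above `PrimaryTable`, such as `# empty: result rows carry their source table in og_table_name`, would help the next author (hedged: confirm that is what the engine does). Collapsing the query into one `\n`-joined line, as this hunk does, removes the indentation that made the two branches visibly parallel.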
diff --git a/compliance/controls/aws/aws_rds_db_snapshot_prohibit_public_access.yaml b/compliance/controls/aws/aws_rds_db_snapshot_prohibit_public_access.yaml index 44759100d..0018c054b 100755 --- a/compliance/controls/aws/aws_rds_db_snapshot_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_rds_db_snapshot_prohibit_public_access.yaml 
@@ -1,94 +1,53 @@ ID: aws_rds_db_snapshot_prohibit_public_access Title: "RDS snapshots should prohibit public access" Description: "Manage access to resources in the AWS Cloud by ensuring that AWS Relational Database Service (AWS RDS) instances are not public." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_rds_db_cluster_snapshot' as og_table_name, - case - when cluster_snapshot -> 'AttributeValues' = '["all"]' then 'alarm' - else 'ok' - end status, - case - when cluster_snapshot -> 'AttributeValues' = '["all"]' then title || ' publicly restorable.' - else title || ' not publicly restorable.' - end reason - - , region, account_id - from - aws_rds_db_cluster_snapshot, - jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot - ) - union - ( - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - 'aws_rds_db_snapshot' as og_table_name, - case - when database_snapshot -> 'AttributeValues' = '["all"]' then 'alarm' - else 'ok' - end status, - case - when database_snapshot -> 'AttributeValues' = '["all"]' then title || ' publicly restorable.' - else title || ' not publicly restorable.' 
- end reason - - , region, account_id - from - aws_rds_db_snapshot, - jsonb_array_elements(db_snapshot_attributes) as database_snapshot - ); + QueryToExecute: "(\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_rds_db_cluster_snapshot' as og_table_name,\n case\n when cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then title || ' publicly restorable.'\n else title || ' not publicly restorable.'\n end reason\n \n , region, account_id\nfrom\n aws_rds_db_cluster_snapshot,\n jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot\n)\nunion\n(\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n 'aws_rds_db_snapshot' as og_table_name,\n case\n when database_snapshot -> 'AttributeValues' = '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when database_snapshot -> 'AttributeValues' = '[\"all\"]' then title || ' publicly restorable.'\n else title || ' not publicly restorable.'\n end reason\n \n , region, account_id\nfrom\n aws_rds_db_snapshot,\n jsonb_array_elements(db_snapshot_attributes) as database_snapshot\n);\n" PrimaryTable: "" ListOfTables: - - aws_rds_db_cluster_snapshot - - aws_rds_db_snapshot + - aws_rds_db_cluster_snapshot + - aws_rds_db_snapshot Parameters: [] Severity: high Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - 
"true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/RDS + - AWS/RDS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_redshift_cluster_audit_logging_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_audit_logging_enabled.yaml index 409802c96..fa0042522 100755 --- a/compliance/controls/aws/aws_redshift_cluster_audit_logging_enabled.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_audit_logging_enabled.yaml 
@@ -1,44 +1,28 @@
ID: aws_redshift_cluster_audit_logging_enabled
Title: "AWS Redshift audit logging should be enabled"
Description: "This control ensures if redshift clusters are logging audits to a specific bucket. The rule is no compliant if audit logging is not enabled for a redshift cluster or if the 'bucketNames' parameter is provided but the audit logging destination does not match."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when logging_status ->> 'LoggingEnabled' = 'true' then 'ok'
- else 'alarm'
- end as status,
- case
- when logging_status ->> 'LoggingEnabled' = 'true' then title || ' logging enabled.'
- else title || ' logging disabled.'
- end as reason
-
- , region, account_id
- from
- aws_redshift_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logging_status ->> 'LoggingEnabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when logging_status ->> 'LoggingEnabled' = 'true' then title || ' logging enabled.'\n else title || ' logging disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n"
PrimaryTable: aws_redshift_cluster
ListOfTables:
- - aws_redshift_cluster
+ - aws_redshift_cluster
Parameters: []
Severity: high
Tags:
category:
- - Compliance
+ - Compliance
gxp_21_cfr_part_11:
- - "true"
+ - "true"
nist_csf:
- - "true"
+ - "true"
pci_dss_v321:
- - "true"
+ - "true"
plugin:
- - aws
+ - aws
service:
- - AWS/Redshift
+ - AWS/Redshift
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_redshift_cluster_automatic_snapshots_min_7_days.yaml b/compliance/controls/aws/aws_redshift_cluster_automatic_snapshots_min_7_days.yaml
index c1c165162..086e17c7a 100755
--- a/compliance/controls/aws/aws_redshift_cluster_automatic_snapshots_min_7_days.yaml
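Review bot: The Description promises a `bucketNames` destination check that the query never performs and that `Parameters: []` cannot supply; the CASE only tests `logging_status ->> 'LoggingEnabled' = 'true'`, so a cluster logging to any bucket passes. Either declare the parameter and compare the bucket field of `logging_status` against it, or trim the Description to what is actually evaluated: `Description: "This control checks whether audit logging is enabled for each Redshift cluster. The control fails if audit logging is not enabled."` The Description also reads 'no compliant' where 'non-compliant' is meant. The text comparison with `'true'` does correctly alarm when the key is absent, which is the right behaviour for a missing logging status.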
+++ b/compliance/controls/aws/aws_redshift_cluster_automatic_snapshots_min_7_days.yaml 
@@ -1,68 +1,52 @@
ID: aws_redshift_cluster_automatic_snapshots_min_7_days
Title: "AWS Redshift clusters should have automatic snapshots enabled"
Description: "This control checks whether AWS Redshift clusters have automated snapshots enabled. It also checks whether the snapshot retention period is greater than or equal to seven."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when automated_snapshot_retention_period >= 7 then 'ok'
- else 'alarm'
- end as status,
- case
- when automated_snapshot_retention_period >= 7 then title || ' automatic snapshots enabled with retention period greater than equals 7 days.'
- else title || ' automatic snapshots enabled with retention period less than 7 days.'
- end as reason
-
- , region, account_id
- from
- aws_redshift_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when automated_snapshot_retention_period >= 7 then 'ok'\n else 'alarm'\n end as status,\n case\n when automated_snapshot_retention_period >= 7 then title || ' automatic snapshots enabled with retention period greater than equals 7 days.'\n else title || ' automatic snapshots enabled with retention period less than 7 days.'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n"
PrimaryTable: aws_redshift_cluster
ListOfTables:
- - aws_redshift_cluster
+ - aws_redshift_cluster
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
cis_controls_v8_ig1:
- - "true"
+ - "true"
cisa_cyber_essentials:
- - "true"
+ - "true"
fedramp_low_rev_4:
- - "true"
+ - "true"
fedramp_moderate_rev_4:
- - "true"
+ - "true"
ffiec:
- - "true"
+ - "true"
gdpr:
- - "true"
+ - "true"
gxp_21_cfr_part_11:
- - "true"
+ - "true"
gxp_eu_annex_11:
- - "true"
+ - "true"
hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
hipaa_security_rule_2003:
- - "true"
+ - "true"
nist_800_171_rev_2:
- - "true"
+ - "true"
nist_800_53_rev_5:
- - "true"
+ - "true"
nist_csf:
- - "true"
+ - "true"
pci_dss_v321:
- - "true"
+ - "true"
plugin:
- - aws
+ - aws
rbi_cyber_security:
- - "true"
+ - "true"
service:
- - AWS/Redshift
+ - AWS/Redshift
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_redshift_cluster_automatic_upgrade_major_versions_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_automatic_upgrade_major_versions_enabled.yaml
index 70a0a88c2..d4d9f48ba 100755
--- a/compliance/controls/aws/aws_redshift_cluster_automatic_upgrade_major_versions_enabled.yaml
+++ b/compliance/controls/aws/aws_redshift_cluster_automatic_upgrade_major_versions_enabled.yaml
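Review bot: The failure reason misreports the very case the Description says this control exists for: with `automated_snapshot_retention_period` at 0 (automated snapshots disabled) the reason still reads `' automatic snapshots enabled with retention period less than 7 days.'`. Add a branch ahead of it in the reason CASE, `when coalesce(automated_snapshot_retention_period, 0) = 0 then title || ' automatic snapshots disabled.'`; the status CASE already falls to 'alarm' for 0 and for null, so it needs no change. The passing message 'greater than equals 7 days' also reads awkwardly; 'of at least 7 days' is what the `>= 7` predicate means. The hunk spans two physical lines; the query itself is unchanged apart from the scalar style.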
@@ -1,42 +1,26 @@
ID: aws_redshift_cluster_automatic_upgrade_major_versions_enabled
Title: "AWS Redshift should have automatic upgrades to major versions enabled"
Description: "This control checks whether automatic major version upgrades are enabled for the AWS Redshift cluster."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when allow_version_upgrade then 'ok'
- else 'alarm'
- end as status,
- case
- when allow_version_upgrade then title || ' automatic upgrades to major versions enabled.'
- else title || ' automatic upgrades to major versions disabled.'
- end as reason
-
- , region, account_id
- from
- aws_redshift_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when allow_version_upgrade then 'ok'\n else 'alarm'\n end as status,\n case\n when allow_version_upgrade then title || ' automatic upgrades to major versions enabled.'\n else title || ' automatic upgrades to major versions disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n"
PrimaryTable: aws_redshift_cluster
ListOfTables:
- - aws_redshift_cluster
+ - aws_redshift_cluster
Parameters: []
Severity: medium
Tags:
aws_foundational_security:
- - "true"
+ - "true"
category:
- - Compliance
+ - Compliance
foundational_security_category:
- - vulnerability_and_patch_management
+ - vulnerability_and_patch_management
foundational_security_item_id:
- - redshift_6
+ - redshift_6
plugin:
- - aws
+ - aws
service:
- - AWS/Redshift
+ - AWS/Redshift
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_redshift_cluster_encryption_in_transit_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_encryption_in_transit_enabled.yaml
index 2be7891e9..461a00d27 100755
--- a/compliance/controls/aws/aws_redshift_cluster_encryption_in_transit_enabled.yaml
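Review bot: Collapsing `QueryToExecute` from a `|` block scalar into one double-quoted scalar with embedded `\n` makes the SQL unreviewable in future diffs (any change to the query is a one-line rewrite) and puts every quote in the statement inside an escaped context where a missed `\"` silently changes the query text. The parsed value is identical either way, so keep `QueryToExecute: |` followed by the indented SQL, which is the form this hunk removes and the form YAML block scalars exist for. If a generator produced the quoted form, the generator should emit a block scalar instead.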
+++ b/compliance/controls/aws/aws_redshift_cluster_encryption_in_transit_enabled.yaml 
@@ -1,80 +1,51 @@
ID: aws_redshift_cluster_encryption_in_transit_enabled
Title: "Redshift cluster encryption in transit should be enabled"
Description: "Ensure that your AWS Redshift clusters require TLS/SSL encryption to connect to SQL clients."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with pg_with_ssl as (
- select
- name as pg_name,
- p ->> 'ParameterName' as parameter_name,
- p ->> 'ParameterValue' as parameter_value
- from
- aws_redshift_parameter_group,
- jsonb_array_elements(parameters) as p
- where
- p ->> 'ParameterName' = 'require_ssl'
- and p ->> 'ParameterValue' = 'true'
- )
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when cpg ->> 'ParameterGroupName' in (select pg_name from pg_with_ssl ) then 'ok'
- else 'alarm'
- end as status,
- case
- when cpg ->> 'ParameterGroupName' in (select pg_name from pg_with_ssl ) then title || ' encryption in transit enabled.'
- else title || ' encryption in transit disabled.'
- end as reason
-
- , region, account_id
- from
- aws_redshift_cluster,
- jsonb_array_elements(cluster_parameter_groups) as cpg;
+ QueryToExecute: "with pg_with_ssl as (\nselect\n name as pg_name,\n p ->> 'ParameterName' as parameter_name,\n p ->> 'ParameterValue' as parameter_value\nfrom\n aws_redshift_parameter_group,\n jsonb_array_elements(parameters) as p\nwhere\n p ->> 'ParameterName' = 'require_ssl'\n and p ->> 'ParameterValue' = 'true'\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when cpg ->> 'ParameterGroupName' in (select pg_name from pg_with_ssl ) then 'ok'\n else 'alarm'\n end as status,\n case\n when cpg ->> 'ParameterGroupName' in (select pg_name from pg_with_ssl ) then title || ' encryption in transit enabled.'\n else title || ' encryption in transit disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster,\n jsonb_array_elements(cluster_parameter_groups) as cpg;\n"
PrimaryTable: aws_redshift_cluster
ListOfTables:
- - aws_redshift_cluster
- - aws_redshift_parameter_group
+ - aws_redshift_cluster
+ - aws_redshift_parameter_group
Parameters: []
Severity: high
Tags:
category:
- - Compliance
+ - Compliance
cisa_cyber_essentials:
- - "true"
+ - "true"
fedramp_low_rev_4:
- - "true"
+ - "true"
fedramp_moderate_rev_4:
- - "true"
+ - "true"
ffiec:
- - "true"
+ - "true"
gdpr:
- - "true"
+ - "true"
gxp_21_cfr_part_11:
- - "true"
+ - "true"
hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
hipaa_security_rule_2003:
- - "true"
+ - "true"
nist_800_171_rev_2:
- - "true"
+ - "true"
nist_800_53_rev_4:
- - "true"
+ - "true"
nist_800_53_rev_5:
- - "true"
+ - "true"
nist_csf:
- - "true"
+ - "true"
pci_dss_v321:
- - "true"
+ - "true"
plugin:
- - aws
+ - aws
rbi_cyber_security:
- - "true"
+ - "true"
service:
- - AWS/Redshift
+ - AWS/Redshift
soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
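Review bot: The `pg_with_ssl` CTE keys parameter groups on `name` alone, so a cluster is marked 'ok' whenever any parameter group of that name in any account or region has `require_ssl = true`, even if this cluster's own same-named group leaves it off. Carry the owning scope through the CTE, `select name as pg_name, account_id, region`, and correlate it in both CASE branches, e.g. `when exists (select 1 from pg_with_ssl s where s.pg_name = cpg ->> 'ParameterGroupName' and s.account_id = c.account_id and s.region = c.region) then 'ok'` with `aws_redshift_cluster c` aliased in the FROM clause. This presumes `aws_redshift_parameter_group` exposes `account_id` and `region` as the cluster table does; confirm against the schema before relying on it. Separately, the `jsonb_array_elements(cluster_parameter_groups)` cross join emits one row per attached group, so a cluster with several groups is reported several times under the same `arn`.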
diff --git a/compliance/controls/aws/aws_redshift_cluster_encryption_logging_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_encryption_logging_enabled.yaml
index e7bda5209..5b1bb2ba8 100755
--- a/compliance/controls/aws/aws_redshift_cluster_encryption_logging_enabled.yaml
+++ b/compliance/controls/aws/aws_redshift_cluster_encryption_logging_enabled.yaml
@@ -1,72 +1,54 @@ ID: aws_redshift_cluster_encryption_logging_enabled Title: "Redshift cluster audit logging and encryption should be enabled" Description: "To protect data at rest, ensure that encryption is enabled for your AWS Redshift clusters. You must also ensure that required configurations are deployed on AWS Redshift clusters. The audit logging should be enabled to provide information about connections and user activities in the database." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when not encrypted then 'alarm' - when not (logging_status ->> 'LoggingEnabled') :: boolean then 'alarm' - else 'ok' - end as status, - case - when not encrypted then title || ' not encrypted.' - when not (logging_status ->> 'LoggingEnabled')::boolean then title || ' audit logging not enabled.' - else title || ' audit logging and encryption enabled.' - end as reason - - , region, account_id - from - aws_redshift_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when not encrypted then 'alarm'\n when not (logging_status ->> 'LoggingEnabled') :: boolean then 'alarm'\n else 'ok'\n end as status,\n case\n when not encrypted then title || ' not encrypted.'\n when not (logging_status ->> 'LoggingEnabled')::boolean then title || ' audit logging not enabled.'\n else title || ' audit logging and encryption enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n" PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - 
"true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/Redshift + - AWS/Redshift soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_redshift_cluster_enhanced_vpc_routing_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_enhanced_vpc_routing_enabled.yaml index 5019621c1..75a3f9b45 100755 --- a/compliance/controls/aws/aws_redshift_cluster_enhanced_vpc_routing_enabled.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_enhanced_vpc_routing_enabled.yaml 
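Review bot: `when not (logging_status ->> 'LoggingEnabled') :: boolean then 'alarm'` falls through to 'ok' when the key is absent or `logging_status` is null, because `not null` is null and a null CASE condition is not true; the cluster that has never had audit logging configured is thus reported compliant. Compare the text instead, as the audit_logging control in this same change does: `when logging_status ->> 'LoggingEnabled' is distinct from 'true' then 'alarm'` in the status CASE, with the same predicate in the reason CASE. `when not encrypted` has the same null gap if `encrypted` is nullable; `when not coalesce(encrypted, false)` closes it. The hunk spans two physical lines; only the scalar style of the query changed in this commit, so the defect predates it.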
@@ -1,48 +1,32 @@
ID: aws_redshift_cluster_enhanced_vpc_routing_enabled
Title: "AWS Redshift enhanced VPC routing should be enabled"
Description: "Ensure that AWS Redshift cluster has 'enhancedVpcRouting' enabled. The rule is non-compliant if 'enhancedVpcRouting' is not enabled or if the configuration.enhancedVpcRouting field is 'false'."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when enhanced_vpc_routing then 'ok'
- else 'alarm'
- end as status,
- case
- when enhanced_vpc_routing then title || ' enhanced VPC routing enabled.'
- else title || ' enhanced VPC routing disabled.'
- end as reason
-
- , region, account_id
- from
- aws_redshift_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when enhanced_vpc_routing then 'ok'\n else 'alarm'\n end as status,\n case\n when enhanced_vpc_routing then title || ' enhanced VPC routing enabled.'\n else title || ' enhanced VPC routing disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n"
PrimaryTable: aws_redshift_cluster
ListOfTables:
- - aws_redshift_cluster
+ - aws_redshift_cluster
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
ffiec:
- - "true"
+ - "true"
gxp_21_cfr_part_11:
- - "true"
+ - "true"
hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
nist_800_171_rev_2:
- - "true"
+ - "true"
nist_800_53_rev_5:
- - "true"
+ - "true"
nist_csf:
- - "true"
+ - "true"
plugin:
- - aws
+ - aws
service:
- - AWS/Redshift
+ - AWS/Redshift
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_redshift_cluster_kms_enabled.yaml b/compliance/controls/aws/aws_redshift_cluster_kms_enabled.yaml
index cadbfb211..533daa18a 100755
--- a/compliance/controls/aws/aws_redshift_cluster_kms_enabled.yaml
+++ b/compliance/controls/aws/aws_redshift_cluster_kms_enabled.yaml 
@@ -1,56 +1,40 @@ ID: aws_redshift_cluster_kms_enabled Title: "AWS Redshift clusters should be encrypted with KMS" Description: "Ensure that AWS Redshift clusters are using a specified AWS Key Management Service (AWS KMS) key for encryption. The rule is compliant if encryption is enabled and the cluster is encrypted with the key provided in the kmsKeyArn parameter. The rule is non-compliant if the cluster is not encrypted or encrypted with another key." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when encrypted and kms_key_id is not null then 'ok' - else 'alarm' - end as status, - case - when encrypted and kms_key_id is not null then title || ' encrypted with KMS.' - else title || ' not encrypted with KMS' - end as reason - - , region, account_id - from - aws_redshift_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when encrypted and kms_key_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted and kms_key_id is not null then title || ' encrypted with KMS.'\n else title || ' not encrypted with KMS'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n" PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/Redshift + - 
AWS/Redshift +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_redshift_cluster_maintenance_settings_check.yaml b/compliance/controls/aws/aws_redshift_cluster_maintenance_settings_check.yaml index 524e15774..eb827368c 100755 --- a/compliance/controls/aws/aws_redshift_cluster_maintenance_settings_check.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_maintenance_settings_check.yaml 
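Review bot: The Description says the control is compliant only when the cluster is 'encrypted with the key provided in the kmsKeyArn parameter', but `Parameters: []` declares no such parameter and the CASE only tests `encrypted and kms_key_id is not null`, so any key, including the AWS-managed default, passes. Either declare the parameter and compare `kms_key_id` to it, or reword the Description to what is evaluated: `Description: "Ensure that AWS Redshift clusters are encrypted at rest with an AWS KMS key. The rule is non-compliant if the cluster is not encrypted or has no KMS key associated."` The failure reason `title || ' not encrypted with KMS'` is also the only one in this set without a trailing period. The hunk spans two physical lines.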
@@ -1,52 +1,36 @@ ID: aws_redshift_cluster_maintenance_settings_check Title: "AWS Redshift should have required maintenance settings" Description: "Ensure whether AWS Redshift clusters have the specified maintenance settings. Redshift clusters `allowVersionUpgrade` should be set to `true` and `automatedSnapshotRetentionPeriod` should be greater than 7." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when allow_version_upgrade and automated_snapshot_retention_period >= 7 then 'ok' - else 'alarm' - end as status, - case - when allow_version_upgrade and automated_snapshot_retention_period >= 7 then title || ' has the required maintenance settings.' - else title || ' does not have required maintenance settings.' - end as reason - - , region, account_id - from - aws_redshift_cluster; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when allow_version_upgrade and automated_snapshot_retention_period >= 7 then 'ok'\n else 'alarm'\n end as status,\n case\n when allow_version_upgrade and automated_snapshot_retention_period >= 7 then title || ' has the required maintenance settings.'\n else title || ' does not have required maintenance settings.'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n" PrimaryTable: aws_redshift_cluster ListOfTables: - - aws_redshift_cluster + - aws_redshift_cluster Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" ffiec: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/Redshift + - 
AWS/Redshift +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_redshift_cluster_no_default_admin_name.yaml b/compliance/controls/aws/aws_redshift_cluster_no_default_admin_name.yaml index b287339d5..2b231c952 100755 --- a/compliance/controls/aws/aws_redshift_cluster_no_default_admin_name.yaml +++ b/compliance/controls/aws/aws_redshift_cluster_no_default_admin_name.yaml 
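Review bot: The Description says `automatedSnapshotRetentionPeriod` 'should be greater than 7' while the CASE tests `automated_snapshot_retention_period >= 7`, so the documented and implemented thresholds differ by a day; the sibling snapshots_min_7_days control also uses `>= 7`, so the Description should read 'at least 7'. The failure reason `' does not have required maintenance settings.'` also hides which of the two settings failed; put `when not allow_version_upgrade then title || ' does not allow version upgrades.'` and `when coalesce(automated_snapshot_retention_period, 0) < 7 then title || ' snapshot retention period is less than 7 days.'` ahead of the existing branches so the remediator sees the actual finding. The hunk spans two physical lines.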
@@ -1,42 +1,26 @@
ID: aws_redshift_cluster_no_default_admin_name
Title: "AWS Redshift clusters should not use the default Admin username"
Description: "This control checks whether a AWS Redshift cluster has changed the admin username from its default value. This control will fail if the admin username for a Redshift cluster is set to awsuser."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when master_username = 'awsuser' then 'alarm'
- else 'ok'
- end as status,
- case
- when master_username = 'awsuser' then title || ' using default master user name.'
- else title || ' not using default master user name.'
- end as reason
-
- , region, account_id
- from
- aws_redshift_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when master_username = 'awsuser' then 'alarm'\n else 'ok'\n end as status,\n case\n when master_username = 'awsuser' then title || ' using default master user name.'\n else title || ' not using default master user name.'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n"
PrimaryTable: aws_redshift_cluster
ListOfTables:
- - aws_redshift_cluster
+ - aws_redshift_cluster
Parameters: []
Severity: high
Tags:
aws_foundational_security:
- - "true"
+ - "true"
category:
- - Compliance
+ - Compliance
foundational_security_category:
- - resource_configuration
+ - resource_configuration
foundational_security_item_id:
- - redshift_8
+ - redshift_8
plugin:
- - aws
+ - aws
service:
- - AWS/Redshift
+ - AWS/Redshift
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_redshift_cluster_no_default_database_name.yaml b/compliance/controls/aws/aws_redshift_cluster_no_default_database_name.yaml
index 4e986b5dd..bdcf99651 100755
--- a/compliance/controls/aws/aws_redshift_cluster_no_default_database_name.yaml
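Review bot: `master_username = 'awsuser'` is an exact, case-sensitive match, and a null `master_username` also resolves to 'ok' because `null = 'awsuser'` is null and the CASE falls to its else branch. Whether the API can return the name in mixed case (`AWSUser`) is not visible here, so treat this as a hardening rather than a confirmed bypass: `when lower(master_username) = 'awsuser' then 'alarm'` in both CASEs costs nothing, and confirm against the table how a null username should be reported.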
+++ b/compliance/controls/aws/aws_redshift_cluster_no_default_database_name.yaml
@@ -1,42 +1,26 @@
ID: aws_redshift_cluster_no_default_database_name
Title: "Redshift clusters should not use the default database name"
Description: "This control checks whether an AWS Redshift cluster has changed the database name from its default value. The control will fail if the database name for a Redshift cluster is set to dev."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when db_name = 'dev' then 'alarm'
- else 'ok'
- end as status,
- case
- when db_name = 'dev' then title || ' using default database name.'
- else title || ' not using default database name.'
- end as reason
-
- , region, account_id
- from
- aws_redshift_cluster;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when db_name = 'dev' then 'alarm'\n else 'ok'\n end as status,\n case\n when db_name = 'dev' then title || ' using default database name.'\n else title || ' not using default database name.'\n end as reason\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n"
PrimaryTable: aws_redshift_cluster
ListOfTables:
- - aws_redshift_cluster
+ - aws_redshift_cluster
Parameters: []
Severity: medium
Tags:
aws_foundational_security:
- - "true"
+ - "true"
category:
- - Compliance
+ - Compliance
foundational_security_category:
- - resource_configuration
+ - resource_configuration
foundational_security_item_id:
- - redshift_9
+ - redshift_9
plugin:
- - aws
+ - aws
service:
- - AWS/Redshift
+ - AWS/Redshift
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_redshift_cluster_prohibit_public_access.yaml b/compliance/controls/aws/aws_redshift_cluster_prohibit_public_access.yaml
index e82f5f0cb..7e79bafae 100755
--- a/compliance/controls/aws/aws_redshift_cluster_prohibit_public_access.yaml
+++ b/compliance/controls/aws/aws_redshift_cluster_prohibit_public_access.yaml 
@@ -1,67 +1,50 @@
ID: aws_redshift_cluster_prohibit_public_access
Title: "Redshift clusters should prohibit public access"
Description: "Manage access to resources in the AWS Cloud by ensuring that AWS Redshift clusters are not public."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- cluster_namespace_arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when publicly_accessible then 'alarm'
- else 'ok'
- end status,
- case
- when publicly_accessible then title || ' publicly accessible.'
- else title || ' not publicly accessible.'
- end reason
-
-
- , region, account_id
- from
- aws_redshift_cluster;
+ QueryToExecute: "select\n cluster_namespace_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when publicly_accessible then 'alarm'\n else 'ok'\n end status,\n case\n when publicly_accessible then title || ' publicly accessible.'\n else title || ' not publicly accessible.'\n end reason\n\n \n , region, account_id\nfrom\n aws_redshift_cluster;\n"
PrimaryTable: aws_redshift_cluster
ListOfTables:
- - aws_redshift_cluster
+ - aws_redshift_cluster
Parameters: []
Severity: high
Tags:
category:
- - Compliance
+ - Compliance
cis_controls_v8_ig1:
- - "true"
+ - "true"
cisa_cyber_essentials:
- - "true"
+ - "true"
fedramp_low_rev_4:
- - "true"
+ - "true"
fedramp_moderate_rev_4:
- - "true"
+ - "true"
ffiec:
- - "true"
+ - "true"
gxp_21_cfr_part_11:
- - "true"
+ - "true"
hipaa_final_omnibus_security_rule_2013:
- - "true"
+ - "true"
hipaa_security_rule_2003:
- - "true"
+ - "true"
nist_800_171_rev_2:
- - "true"
+ - "true"
nist_800_53_rev_4:
- - "true"
+ - "true"
nist_800_53_rev_5:
- - "true"
+ - "true"
nist_csf:
- - "true"
+ - "true"
pci_dss_v321:
- - "true"
+ - "true"
plugin:
- - aws
+ - aws
rbi_cyber_security:
- - "true"
+ - "true"
service:
- - AWS/Redshift
+ - AWS/Redshift
soc_2:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - aws_cloud
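Review bot: This query selects `cluster_namespace_arn as resource` while every other Redshift control in this change selects `arn as resource`, so findings for the same cluster carry two different resource identifiers and cannot be joined or deduplicated by resource across controls. Use `arn as resource,` here unless the namespace ARN is deliberate, in which case a YAML comment above `QueryToExecute` should say why. The `end status` / `end reason` forms without `as` are also the only ones in this set, a minor inconsistency worth aligning while the line is touched.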
diff --git a/compliance/controls/aws/aws_root_accounts_needs_to_have_mfa.yaml b/compliance/controls/aws/aws_root_accounts_needs_to_have_mfa.yaml
index 8b37b34cf..9b1d22c07 100755
--- a/compliance/controls/aws/aws_root_accounts_needs_to_have_mfa.yaml
+++ b/compliance/controls/aws/aws_root_accounts_needs_to_have_mfa.yaml
@@ -1,8 +1,6 @@
ID: aws_root_accounts_needs_to_have_mfa
Title: "AWS Root Accounts needs to have MFA"
Description: "AWS Root Account cannot have API Keys"
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |
@@ -25,11 +23,13 @@ Query:
user_name = '';
PrimaryTable: aws_iam_credential_report
ListOfTables:
- - aws_iam_credential_report
+ - aws_iam_credential_report
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
score_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_route53_domain_auto_renew_enabled.yaml b/compliance/controls/aws/aws_route53_domain_auto_renew_enabled.yaml
index da15e1eba..104d402f0 100755
--- a/compliance/controls/aws/aws_route53_domain_auto_renew_enabled.yaml
+++ b/compliance/controls/aws/aws_route53_domain_auto_renew_enabled.yaml
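Review bot: Title and Description contradict each other in the first hunk: `Title: "AWS Root Accounts needs to have MFA"` but `Description: "AWS Root Account cannot have API Keys"`, and the ID follows the title, so a reader cannot tell which property the query enforces. Align the Description with the ID, e.g. `Description: "Ensure that the AWS root account has multi-factor authentication (MFA) enabled."`, or rename the control if it really checks access keys. The query body lies almost entirely outside the two hunks; the one visible predicate, `user_name = '';`, is presumably how the root row is selected and is worth confirming against the table, since the IAM credential report labels that row `<root_account>`.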
@@ -1,30 +1,14 @@
ID: aws_route53_domain_auto_renew_enabled
Title: "Route 53 domains auto renew should be enabled"
Description: "This control ensures that AWS Route 53 Auto Renew feature is enabled to automatically renew your domain names as the expiration date approaches."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- arn as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when auto_renew then 'ok'
- else 'alarm'
- end as status,
- case
- when auto_renew then title || ' auto renew enabled.'
- else title || ' auto renew disabled.'
- end as reason
-
-
- from
- aws_route53_domain;
+ QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when auto_renew then 'ok'\n else 'alarm'\n end as status,\n case\n when auto_renew then title || ' auto renew enabled.'\n else title || ' auto renew disabled.'\n end as reason\n \n \nfrom\n aws_route53_domain;"
PrimaryTable: aws_route53_domain
ListOfTables:
- - aws_route53_domain
+ - aws_route53_domain
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_route53_domain_expires_30_days.yaml b/compliance/controls/aws/aws_route53_domain_expires_30_days.yaml
index 864ac3749..dbcc8f231 100755
--- a/compliance/controls/aws/aws_route53_domain_expires_30_days.yaml
+++ b/compliance/controls/aws/aws_route53_domain_expires_30_days.yaml
@@ -1,8 +1,6 @@
ID: aws_route53_domain_expires_30_days
Title: "Route 53 domains should not expire within next 30 days"
Description: "This control ensures that all the domain names registered with AWS Route 53 or transferred to AWS Route 53 are renewed 30 days before their validity period ends."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
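Review bot: The select list ends with `end as reason` followed by two blank lines where every other control in this change emits `, region, account_id`, so findings from this control carry no `account_id` and cannot be attributed in a multi-account scan. Add `, account_id` after `end as reason`; Route 53 domain registration is a global service, so `region` may be absent or constant on `aws_route53_domain`, and the column set should be confirmed before adding that one too. The two stray blank lines inside the scalar (`\n \n \n`) look like the leftover of exactly that removed column list.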
@@ -19,7 +17,9 @@ Query:
aws_route53_domain;
PrimaryTable: aws_route53_domain
ListOfTables:
- - aws_route53_domain
+ - aws_route53_domain
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_route53_domain_expires_7_days.yaml b/compliance/controls/aws/aws_route53_domain_expires_7_days.yaml
index f0201334a..5e3d429cf 100755
--- a/compliance/controls/aws/aws_route53_domain_expires_7_days.yaml
+++ b/compliance/controls/aws/aws_route53_domain_expires_7_days.yaml
@@ -1,8 +1,6 @@
ID: aws_route53_domain_expires_7_days
Title: "Route 53 domains should not expire within next 7 days"
Description: "This controls ensures that all the domain names registered with AWS Route 53 or transferred to AWS Route 53 are renewed 7 days before their validity period ends."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -19,7 +17,9 @@ Query:
aws_route53_domain;
PrimaryTable: aws_route53_domain
ListOfTables:
- - aws_route53_domain
+ - aws_route53_domain
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/aws/aws_route53_domain_not_expired.yaml b/compliance/controls/aws/aws_route53_domain_not_expired.yaml
index fec897ced..33b7601a2 100755
--- a/compliance/controls/aws/aws_route53_domain_not_expired.yaml
+++ b/compliance/controls/aws/aws_route53_domain_not_expired.yaml
@@ -1,30 +1,14 @@ ID: aws_route53_domain_not_expired Title: "Route 53 domains should not be expired" Description: "This control identifes any expired domain names registered with AWS Route 53. When the expired domain names are not restored promptly, they will become available for others to register. Restoring on time your Route 53 expired domains will allow you to reestablish full control over their registration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when expiration_date < (current_date - interval '1' minute) then 'alarm' - else 'ok' - end as status, - case - when expiration_date < (current_date - interval '1' minute) then title || ' expired on ' || to_char(expiration_date, 'DD-Mon-YYYY') || '.' - else title || ' set to expire in ' || extract(day from expiration_date - current_date) || ' days.' - end as reason - - - from - aws_route53_domain; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when expiration_date < (current_date - interval '1' minute) then 'alarm'\n else 'ok'\n end as status,\n case\n when expiration_date < (current_date - interval '1' minute) then title || ' expired on ' || to_char(expiration_date, 'DD-Mon-YYYY') || '.'\n else title || ' set to expire in ' || extract(day from expiration_date - current_date) || ' days.'\n end as reason\n \n \nfrom\n aws_route53_domain;" PrimaryTable: aws_route53_domain ListOfTables: - - aws_route53_domain + - aws_route53_domain Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_route53_domain_privacy_protection_enabled.yaml b/compliance/controls/aws/aws_route53_domain_privacy_protection_enabled.yaml index 266e81b8a..c34931b5d 100755 --- a/compliance/controls/aws/aws_route53_domain_privacy_protection_enabled.yaml 
+++ b/compliance/controls/aws/aws_route53_domain_privacy_protection_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_route53_domain_privacy_protection_enabled Title: "Route53 domains privacy protection should be enabled" Description: "Ensure that your AWS Route 53 domains have Privacy Protection feature enabled in order to hide all their contact information from WHOIS queries and reduce the amount of spam received. The feature allows you to conceal your personal phone number, email and physical address for the domain names registered and/or transferred to AWS Route 53 service." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_route53_domain; PrimaryTable: aws_route53_domain ListOfTables: - - aws_route53_domain + - aws_route53_domain Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_route53_domain_transfer_lock_enabled.yaml b/compliance/controls/aws/aws_route53_domain_transfer_lock_enabled.yaml index 3144a1889..952de75f1 100755 --- a/compliance/controls/aws/aws_route53_domain_transfer_lock_enabled.yaml +++ b/compliance/controls/aws/aws_route53_domain_transfer_lock_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_route53_domain_transfer_lock_enabled Title: "Route 53 domains should have transfer lock enabled" Description: "Ensure Route 53 registered domains are locked to prevent any unauthorized transfers to another domain name registrar." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_route53_domain; PrimaryTable: aws_route53_domain ListOfTables: - - aws_route53_domain + - aws_route53_domain Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_route53_zone_query_logging_enabled.yaml b/compliance/controls/aws/aws_route53_zone_query_logging_enabled.yaml index cf22f1a32..f460e5487 100755 --- a/compliance/controls/aws/aws_route53_zone_query_logging_enabled.yaml 
+++ b/compliance/controls/aws/aws_route53_zone_query_logging_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_route53_zone_query_logging_enabled Title: "Route 53 zones should have query logging enabled" Description: "Ensure Route 53 zones have query logging enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_route53_zone; PrimaryTable: aws_route53_zone ListOfTables: - - aws_route53_zone + - aws_route53_zone Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_access_point_restrict_public_access.yaml b/compliance/controls/aws/aws_s3_access_point_restrict_public_access.yaml index 6b07eeb6e..0ac186e7c 100755 --- a/compliance/controls/aws/aws_s3_access_point_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_s3_access_point_restrict_public_access.yaml @@ -1,8 +1,6 @@ ID: aws_s3_access_point_restrict_public_access Title: "S3 access points should have block public access settings enabled" Description: "This control checks whether an Amazon S3 access point has block public access settings enabled. The control fails if block public access settings aren't enabled for the access point." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -36,7 +34,9 @@ Query: aws_s3_access_point; PrimaryTable: aws_s3_access_point ListOfTables: - - aws_s3_access_point + - aws_s3_access_point Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_acls_should_prohibit_user_access.yaml b/compliance/controls/aws/aws_s3_bucket_acls_should_prohibit_user_access.yaml index 6b1b52fef..f800b7eb3 100755 --- a/compliance/controls/aws/aws_s3_bucket_acls_should_prohibit_user_access.yaml +++ b/compliance/controls/aws/aws_s3_bucket_acls_should_prohibit_user_access.yaml 
@@ -1,87 +1,26 @@ ID: aws_s3_bucket_acls_should_prohibit_user_access Title: "S3 buckets access control lists (ACLs) should not be used to manage user access to buckets" Description: "This control checks whether AWS S3 buckets provide user permissions via ACLs. The control fails if ACLs are configured for managing user access on S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bucket_acl_details as ( - select - arn, - title, - array[acl -> 'Owner' ->> 'ID'] as bucket_owner, - array_agg(grantee_id) as bucket_acl_permissions, - object_ownership_controls, - region, - account_id, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - _ctx, - tags - from - aws_s3_bucket, - jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id - group by - arn, - title, - acl, - region, - account_id, - object_ownership_controls, - og_account_id, - og_resource_id, - _ctx, - tags - ), - bucket_acl_checks as ( - select - arn, - title, - to_jsonb(bucket_acl_permissions) - bucket_owner as additional_permissions, - object_ownership_controls, - region, - account_id, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - _ctx, - tags - from - bucket_acl_details - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"} ]' then 'ok' - when jsonb_array_length(additional_permissions) = 0 then 'ok' - else 'alarm' - end as status, - case - when object_ownership_controls -> 'Rules' @> '[{"ObjectOwnership": "BucketOwnerEnforced"} ]' then title || ' ACLs are disabled.' - when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.' - else title || ' has ACLs for user access.' 
- end as reason - - , region, account_id - from - bucket_acl_checks; + QueryToExecute: "with bucket_acl_details as (\n select\n arn,\n title,\n array[acl -> 'Owner' ->> 'ID'] as bucket_owner,\n array_agg(grantee_id) as bucket_acl_permissions,\n object_ownership_controls,\n region,\n account_id,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n _ctx,\n tags\n from\n aws_s3_bucket,\n jsonb_path_query(acl, '$.Grants.Grantee.ID') as grantee_id\n group by\n arn,\n title,\n acl,\n region,\n account_id,\n object_ownership_controls,\n og_account_id,\n og_resource_id,\n _ctx,\n tags\n),\nbucket_acl_checks as (\n select\n arn,\n title,\n to_jsonb(bucket_acl_permissions) - bucket_owner as additional_permissions,\n object_ownership_controls,\n region,\n account_id,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n _ctx,\n tags\n from\n bucket_acl_details\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when object_ownership_controls -> 'Rules' @> '[{\"ObjectOwnership\": \"BucketOwnerEnforced\"} ]' then 'ok'\n when jsonb_array_length(additional_permissions) = 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when object_ownership_controls -> 'Rules' @> '[{\"ObjectOwnership\": \"BucketOwnerEnforced\"} ]' then title || ' ACLs are disabled.'\n when jsonb_array_length(additional_permissions) = 0 then title || ' does not have ACLs for user access.'\n else title || ' has ACLs for user access.'\n end as reason\n \n , region, account_id\nfrom\n bucket_acl_checks;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - access_control + - access_control foundational_security_item_id: - - s3_12 + - s3_12 plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud 
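Review bot: `bucket_acl_details` collects only `$.Grants.Grantee.ID`, so a grant whose grantee is identified another way (S3 ACL grantees may carry a `URI` for the predefined groups, or an `EmailAddress`, instead of an `ID`) never reaches `additional_permissions`, and a bucket whose only non-owner grant is such a group grant is reported as 'does not have ACLs for user access'. If that is deliberate because group/public grants are covered by a separate control, a one-line comment above the query saying so would stop the next reader from treating it as a gap; otherwise the path query should also take the `URI` grantees into account. Note too that `from aws_s3_bucket, jsonb_path_query(...)` is an implicit inner join, so a bucket whose ACL yields no `ID` at all would produce no result row instead of an 'alarm' — in practice the owner grant usually supplies one, but the query does not guarantee it.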
diff --git a/compliance/controls/aws/aws_s3_bucket_cross_region_replication_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_cross_region_replication_enabled.yaml
index 027703df8..b69262210 100755
--- a/compliance/controls/aws/aws_s3_bucket_cross_region_replication_enabled.yaml
+++ b/compliance/controls/aws/aws_s3_bucket_cross_region_replication_enabled.yaml
@@ -1,77 +1,52 @@ ID: aws_s3_bucket_cross_region_replication_enabled Title: "S3 bucket cross-region replication should be enabled" Description: "AWS Simple Storage Service (AWS S3) Cross-Region Replication (CRR) supports maintaining adequate capacity and availability." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bucket_with_replication as ( - select - name, - r ->> 'Status' as rep_status - from - aws_s3_bucket, - jsonb_array_elements(replication -> 'Rules' ) as r - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when b.name = r.name and r.rep_status = 'Enabled' then 'ok' - else 'alarm' - end as status, - case - when b.name = r.name and r.rep_status = 'Enabled' then b.title || ' enabled with cross-region replication.' - else b.title || ' not enabled with cross-region replication.' - end as reason - - , b.region, b.account_id - from - aws_s3_bucket b - left join bucket_with_replication r on b.name = r.name; + QueryToExecute: "with bucket_with_replication as (\n select\n name,\n r ->> 'Status' as rep_status\n from\n aws_s3_bucket,\n jsonb_array_elements(replication -> 'Rules' ) as r\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when b.name = r.name and r.rep_status = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.name = r.name and r.rep_status = 'Enabled' then b.title || ' enabled with cross-region replication.'\n else b.title || ' not enabled with cross-region replication.'\n end as reason\n \n , b.region, b.account_id\nfrom\n aws_s3_bucket b\n left join bucket_with_replication r on b.name = r.name;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" 
fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled.yaml index 62e49d044..73b2dab4b 100755 --- a/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled.yaml 
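Review bot: `bucket_with_replication` passes any rule with `Status = 'Enabled'` without looking at where the rule replicates to, so same-region replication satisfies a control titled cross-region; the destination region is not in this query, and if it is available on `replication` it should be compared with `b.region`, otherwise the title and description overstate what is checked. The CTE is also not `distinct`, so a bucket with several enabled rules yields one result row per rule after the left join; `select distinct name, r ->> 'Status' as rep_status` keeps one row per bucket and status. The `b.name = r.name` test inside both `case` expressions is already implied by the join condition and can be dropped.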
@@ -1,66 +1,50 @@ ID: aws_s3_bucket_default_encryption_enabled Title: "S3 bucket default encryption should be enabled" Description: "To help protect data at rest, ensure encryption is enabled for your AWS Simple Storage Service (AWS S3) buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when server_side_encryption_configuration is not null then 'ok' - else 'alarm' - end status, - case - when server_side_encryption_configuration is not null then name || ' default encryption enabled.' - else name || ' default encryption disabled.' - end reason - - , region, account_id - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when server_side_encryption_configuration is not null then 'ok'\n else 'alarm'\n end status,\n case\n when server_side_encryption_configuration is not null then name || ' default encryption enabled.'\n else name || ' default encryption disabled.'\n end reason\n \n , region, account_id\nfrom\n aws_s3_bucket;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" 
+IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled_kms.yaml b/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled_kms.yaml index ab44b8f74..a6af146e8 100755 --- a/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled_kms.yaml +++ b/compliance/controls/aws/aws_s3_bucket_default_encryption_enabled_kms.yaml @@ -1,8 +1,6 @@ ID: aws_s3_bucket_default_encryption_enabled_kms Title: "S3 bucket default encryption should be enabled with KMS" Description: "To help protect data at rest, ensure encryption is enabled for your AWS Simple Storage Service (AWS S3) buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -33,41 +31,43 @@ Query: left join data as d on b.name = d.name; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_enforces_ssl.yaml b/compliance/controls/aws/aws_s3_bucket_enforces_ssl.yaml index d035192e7..ab10507b0 100755 --- a/compliance/controls/aws/aws_s3_bucket_enforces_ssl.yaml +++ b/compliance/controls/aws/aws_s3_bucket_enforces_ssl.yaml 
@@ -1,88 +1,52 @@ ID: aws_s3_bucket_enforces_ssl Title: "S3 buckets should enforce SSL" Description: "To help protect data in transit, ensure that your AWS Simple Storage Service (AWS S3) buckets require requests to use Secure Socket Layer (SSL)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with ssl_ok as ( - select - distinct name, - arn, - 'ok' as status - from - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p, - jsonb_array_elements_text(s -> 'Action') as a, - jsonb_array_elements_text(s -> 'Resource') as r, - jsonb_array_elements_text( - s -> 'Condition' -> 'Bool' -> 'aws:securetransport' - ) as ssl - where - p = '*' - and s ->> 'Effect' = 'Deny' - and ssl :: bool = false - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when ok.status = 'ok' then 'ok' - else 'alarm' - end status, - case - when ok.status = 'ok' then b.name || ' bucket policy enforces HTTPS.' - else b.name || ' bucket policy does not enforce HTTPS.' 
- end reason - - , b.region, b.account_id - from - aws_s3_bucket as b - left join ssl_ok as ok on ok.name = b.name; + QueryToExecute: "with ssl_ok as (\n select\n distinct name,\n arn,\n 'ok' as status\n from\n aws_s3_bucket,\n jsonb_array_elements(policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,\n jsonb_array_elements_text(s -> 'Action') as a,\n jsonb_array_elements_text(s -> 'Resource') as r,\n jsonb_array_elements_text(\n s -> 'Condition' -> 'Bool' -> 'aws:securetransport'\n ) as ssl\n where\n p = '*'\n and s ->> 'Effect' = 'Deny'\n and ssl :: bool = false\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when ok.status = 'ok' then 'ok'\n else 'alarm'\n end status,\n case\n when ok.status = 'ok' then b.name || ' bucket policy enforces HTTPS.'\n else b.name || ' bucket policy does not enforce HTTPS.'\n end reason\n \n , b.region, b.account_id\nfrom\n aws_s3_bucket as b\n left join ssl_ok as ok on ok.name = b.name;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
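Review bot: `ssl_ok` treats a Deny statement as enforcing HTTPS as soon as `Principal` is `*` and `aws:securetransport` is `false`, while the `Action` and `Resource` elements it unnests as `a` and `r` are never tested, so a Deny scoped to a single action or a single key prefix marks the whole bucket 'ok'. A stricter check would also require the statement to cover all actions and both the bucket and its objects, for example `and a in ('*', 's3:*')` together with a test that `r` matches the bucket ARN and its `/*` form; at minimum a comment above the query should state that only principal, effect and the condition key are evaluated. The lowercase `aws:securetransport` presumably relies on `policy_std` normalizing condition keys — worth confirming, since an un-normalized policy would be reported as not enforcing HTTPS.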
diff --git a/compliance/controls/aws/aws_s3_bucket_event_notifications_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_event_notifications_enabled.yaml
index 5e989427f..6d0124445 100755
--- a/compliance/controls/aws/aws_s3_bucket_event_notifications_enabled.yaml
+++ b/compliance/controls/aws/aws_s3_bucket_event_notifications_enabled.yaml
@@ -1,50 +1,26 @@ ID: aws_s3_bucket_event_notifications_enabled Title: "S3 buckets should have event notifications enabled" Description: "This control checks whether S3 Event Notifications are enabled on an AWS S3 bucket. This control fails if S3 Event Notifications are not enabled on a bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when - event_notification_configuration ->> 'EventBridgeConfiguration' is null - and event_notification_configuration ->> 'LambdaFunctionConfigurations' is null - and event_notification_configuration ->> 'QueueConfigurations' is null - and event_notification_configuration ->> 'TopicConfigurations' is null then 'alarm' - else 'ok' - end as status, - case - when - event_notification_configuration ->> 'EventBridgeConfiguration' is null - and event_notification_configuration ->> 'LambdaFunctionConfigurations' is null - and event_notification_configuration ->> 'QueueConfigurations' is null - and event_notification_configuration ->> 'TopicConfigurations' is null then title || ' event notifications disabled.' - else title || ' event notifications enabled.' 
- end as reason - - , region, account_id - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when\n event_notification_configuration ->> 'EventBridgeConfiguration' is null\n and event_notification_configuration ->> 'LambdaFunctionConfigurations' is null\n and event_notification_configuration ->> 'QueueConfigurations' is null\n and event_notification_configuration ->> 'TopicConfigurations' is null then 'alarm'\n else 'ok'\n end as status,\n case\n when\n event_notification_configuration ->> 'EventBridgeConfiguration' is null\n and event_notification_configuration ->> 'LambdaFunctionConfigurations' is null\n and event_notification_configuration ->> 'QueueConfigurations' is null\n and event_notification_configuration ->> 'TopicConfigurations' is null then title || ' event notifications disabled.'\n else title || ' event notifications enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_s3_bucket;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - logging + - logging foundational_security_item_id: - - s3_11 + - s3_11 plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_lifecycle_policy_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_lifecycle_policy_enabled.yaml index 8fb17c54a..ad75b5b8f 100755 --- a/compliance/controls/aws/aws_s3_bucket_lifecycle_policy_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_lifecycle_policy_enabled.yaml 
@@ -1,52 +1,26 @@ ID: aws_s3_bucket_lifecycle_policy_enabled Title: "S3 buckets should have lifecycle policies configured" Description: "This control checks if AWS Simple Storage Service (AWS S3) buckets have lifecycle policy configured. This rule fails if AWS S3 lifecycle policy is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with lifecycle_rules_enabled as ( - select - arn - from - aws_s3_bucket, - jsonb_array_elements(lifecycle_rules) as r - where - r ->> 'Status' = 'Enabled' - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when r.arn is not null then 'ok' - else 'alarm' - end status, - case - when r.arn is not null then name || ' lifecycle policy or rules configured.' - else name || ' lifecycle policy or rules not configured.' - end reason - - , b.region, b.account_id - from - aws_s3_bucket as b - left join lifecycle_rules_enabled as r on r.arn = b.arn; + QueryToExecute: "with lifecycle_rules_enabled as (\n select\n arn\n from\n aws_s3_bucket,\n jsonb_array_elements(lifecycle_rules) as r\n where\n r ->> 'Status' = 'Enabled'\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when r.arn is not null then 'ok'\n else 'alarm'\n end status,\n case\n when r.arn is not null then name || ' lifecycle policy or rules configured.'\n else name || ' lifecycle policy or rules not configured.'\n end reason\n \n , b.region, b.account_id\nfrom\n aws_s3_bucket as b\n left join lifecycle_rules_enabled as r on r.arn = b.arn;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - data_protection + - data_protection foundational_security_item_id: - - s3_13 + - s3_13 plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 
+IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_logging_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_logging_enabled.yaml index dac3437ad..a12f9a2e1 100755 --- a/compliance/controls/aws/aws_s3_bucket_logging_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_logging_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_s3_bucket_logging_enabled Title: "S3 bucket logging should be enabled" Description: "AWS Simple Storage Service (AWS S3) server access logging provides a method to monitor the network for potential cybersecurity events." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -23,43 +21,45 @@ Query: aws_s3_bucket; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_mfa_delete_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_mfa_delete_enabled.yaml index fa9bee364..95d429a00 100755 --- a/compliance/controls/aws/aws_s3_bucket_mfa_delete_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_mfa_delete_enabled.yaml 
@@ -1,48 +1,32 @@ ID: aws_s3_bucket_mfa_delete_enabled Title: "Ensure MFA Delete is enabled on S3 buckets" Description: "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when versioning_mfa_delete then 'ok' - else 'alarm' - end as status, - case - when versioning_mfa_delete then name || ' MFA delete enabled.' - else name || ' MFA delete disabled.' - end as reason - - , region, account_id - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when versioning_mfa_delete then 'ok'\n else 'alarm'\n end as status,\n case\n when versioning_mfa_delete then name || ' MFA delete enabled.'\n else name || ' MFA delete disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_s3_bucket;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 2.1.3 + - 2.1.3 cis_level: - - "1" + - "1" cis_section_id: - - "2.1" + - "2.1" cis_type: - - automated + - automated cis_version: - - v1.4.0 + - v1.4.0 plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_not_accessible_to_all_authenticated_user.yaml b/compliance/controls/aws/aws_s3_bucket_not_accessible_to_all_authenticated_user.yaml index 037f6ec82..962d1337f 100755 --- a/compliance/controls/aws/aws_s3_bucket_not_accessible_to_all_authenticated_user.yaml +++ b/compliance/controls/aws/aws_s3_bucket_not_accessible_to_all_authenticated_user.yaml 
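Review bot: `cis_item_id` is left as the plain scalar `2.1.3` while its siblings `cis_level` (`"1"`) and `cis_section_id` (`"2.1"`) are quoted; `2.1.3` happens to parse as a string under every YAML version, but the inconsistent quoting invites a future `2.1` or `1.10` item id slipping through as a float. Change it to `- "2.1.3"` so all CIS identifiers in the tag block are quoted uniformly.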
@@ -1,8 +1,6 @@ ID: aws_s3_bucket_not_accessible_to_all_authenticated_user Title: "S3 bucket ACLs should not be accessible to all authenticated user" Description: "This control checks whether AWS S3 bucket ACL allow access to all authenticated users." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -32,7 +30,9 @@ Query: left join public_acl as p on b.name = p.name; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_object_lock_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_object_lock_enabled.yaml index 1e35516a1..0fb27a4d9 100755 --- a/compliance/controls/aws/aws_s3_bucket_object_lock_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_object_lock_enabled.yaml 
@@ -1,54 +1,38 @@ ID: aws_s3_bucket_object_lock_enabled Title: "S3 bucket object lock should be enabled" Description: "Ensure that your AWS Simple Storage Service (AWS S3) bucket has lock enabled, by default." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when object_lock_configuration is null then 'alarm' - else 'ok' - end as status, - case - when object_lock_configuration is null then title || ' object lock not enabled.' - else title || ' object lock enabled.' - end as reason - - , region, account_id - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when object_lock_configuration is null then 'alarm'\n else 'ok'\n end as status,\n case\n when object_lock_configuration is null then title || ' object lock not enabled.'\n else title || ' object lock enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_s3_bucket;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_policy_restrict_public_access.yaml b/compliance/controls/aws/aws_s3_bucket_policy_restrict_public_access.yaml index 0171fff65..ab0097a82 100755 --- a/compliance/controls/aws/aws_s3_bucket_policy_restrict_public_access.yaml 
+++ b/compliance/controls/aws/aws_s3_bucket_policy_restrict_public_access.yaml @@ -1,8 +1,6 @@ ID: aws_s3_bucket_policy_restrict_public_access Title: "S3 bucket policy should prohibit public access" Description: "This control checks that the access granted by the S3 bucket is restricted by any of the principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is compliant if a bucket policy is not present." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -39,25 +37,27 @@ Query: left join public_buckets as p on p.arn = b.arn; PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_policy_restricts_cross_account_permission_changes.yaml b/compliance/controls/aws/aws_s3_bucket_policy_restricts_cross_account_permission_changes.yaml index f7a5a0baf..9a0287615 100755 --- a/compliance/controls/aws/aws_s3_bucket_policy_restricts_cross_account_permission_changes.yaml +++ b/compliance/controls/aws/aws_s3_bucket_policy_restricts_cross_account_permission_changes.yaml 
@@ -1,64 +1,24 @@ ID: aws_s3_bucket_policy_restricts_cross_account_permission_changes Title: "AWS S3 permissions granted to other AWS accounts in bucket policies should be restricted" Description: "This control checks whether the S3 bucket policy prevents principals from other AWS accounts from performing denied actions on resources in the S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with cross_account_buckets as ( - select - distinct arn - from - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p, - string_to_array(p, ':') as pa, - jsonb_array_elements_text(s -> 'Action') as a - where - s ->> 'Effect' = 'Allow' - and ( - pa [5] != account_id - or p = '*' - ) - and a in ( - 's3:deletebucketpolicy', - 's3:putbucketacl', - 's3:putbucketpolicy', - 's3:putencryptionconfiguration', - 's3:putobjectacl' - ) - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.arn is null then 'ok' - else 'alarm' - end as status, - case - when b.arn is null then title || ' restricts cross-account bucket access.' - else title || ' allows cross-account bucket access.' 
- end as reason - - , a.region, a.account_id - from - aws_s3_bucket a - left join cross_account_buckets b on a.arn = b.arn; + QueryToExecute: "with cross_account_buckets as (\n select\n distinct arn\n from\n aws_s3_bucket,\n jsonb_array_elements(policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Principal' -> 'AWS') as p,\n string_to_array(p, ':') as pa,\n jsonb_array_elements_text(s -> 'Action') as a\n where\n s ->> 'Effect' = 'Allow'\n and (\n pa [5] != account_id\n or p = '*'\n )\n and a in (\n 's3:deletebucketpolicy',\n 's3:putbucketacl',\n 's3:putbucketpolicy',\n 's3:putencryptionconfiguration',\n 's3:putobjectacl'\n )\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.arn is null then title || ' restricts cross-account bucket access.'\n else title || ' allows cross-account bucket access.'\n end as reason\n \n , a.region, a.account_id\nfrom\n aws_s3_bucket a\n left join cross_account_buckets b on a.arn = b.arn;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_protected_by_macie.yaml b/compliance/controls/aws/aws_s3_bucket_protected_by_macie.yaml index e7fea8785..ce3a23e10 100755 --- a/compliance/controls/aws/aws_s3_bucket_protected_by_macie.yaml +++ b/compliance/controls/aws/aws_s3_bucket_protected_by_macie.yaml 
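Review bot: The `cross_account_buckets` filter only matches the five exact action names, so an Allow statement that grants `s3:*` or `*` to a foreign account or to `'*'` is not flagged and the bucket reports `restricts cross-account bucket access`, which is the opposite of the real exposure. Add the wildcard forms to the filter, e.g. `or a in ('*', 's3:*')` inside the same `and ( ... )` group; prefix globs such as `s3:put*` would still be missed, which is worth a comment if `policy_std` does not expand them. Separately, `pa [5] != account_id` is NULL when the principal is written as a bare account ID rather than an ARN, which drops that row from the CTE; if `policy_std` does not normalise principals to ARNs, guard with `coalesce(pa [5], p) != account_id` or compare on both forms. The hunk starts on the previous line.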
@@ -1,60 +1,33 @@ ID: aws_s3_bucket_protected_by_macie Title: "Ensure all data in AWS S3 has been discovered, classified and secured when required" Description: "AWS S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of AWS S3 buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bucket_list as ( - select - trim(b::text, '"' ) as bucket_name - from - aws_macie2_classification_job, - jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') as d, - jsonb_array_elements(d -> 'Buckets') as b - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then 'skip' - when l.bucket_name is not null then 'ok' - else 'alarm' - end as status, - case - when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.' - when l.bucket_name is not null then b.title || ' protected by Macie.' - else b.title || ' not protected by Macie.' 
- end as reason - - , b.region, b.account_id - from - aws_s3_bucket as b - left join bucket_list as l on b.name = l.bucket_name; + QueryToExecute: "with bucket_list as (\n select\n trim(b::text, '\"' ) as bucket_name\n from\n aws_macie2_classification_job,\n jsonb_array_elements(s3_job_definition -> 'BucketDefinitions') as d,\n jsonb_array_elements(d -> 'Buckets') as b\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then 'skip'\n when l.bucket_name is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.region = any(array['us-gov-east-1', 'us-gov-west-1']) then b.title || ' not protected by Macie as Macie is not supported in ' || b.region || '.'\n when l.bucket_name is not null then b.title || ' protected by Macie.'\n else b.title || ' not protected by Macie.'\n end as reason\n \n , b.region, b.account_id\nfrom\n aws_s3_bucket as b\n left join bucket_list as l on b.name = l.bucket_name;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_macie2_classification_job - - aws_s3_bucket + - aws_macie2_classification_job + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 2.1.4 + - 2.1.4 cis_level: - - "2" + - "2" cis_section_id: - - "2.1" + - "2.1" cis_type: - - manual + - manual cis_version: - - v1.4.0 + - v1.4.0 plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_restrict_public_read_access.yaml b/compliance/controls/aws/aws_s3_bucket_restrict_public_read_access.yaml index a97c2bb82..4ca018ad5 100755 --- a/compliance/controls/aws/aws_s3_bucket_restrict_public_read_access.yaml +++ b/compliance/controls/aws/aws_s3_bucket_restrict_public_read_access.yaml 
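Review bot: `bucket_list` collects buckets from every Macie classification job regardless of the job's state, so a bucket covered only by a cancelled or long-finished one-time job is still reported as `protected by Macie`. If the `aws_macie2_classification_job` table exposes the job status and type, restrict the CTE to active jobs, e.g. `where job_status in ('RUNNING', 'IDLE')` (confirm the exact column and enum values against the table schema); otherwise add a comment that the control only proves a job was ever defined. Also `cis_item_id: - 2.1.4` is left unquoted while the sibling controls quote theirs (`"1.18"`, `"1.20"`); `2.1.4` is not a number so no parser will retype it, but quote it for consistency. The hunk starts on the previous line.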
@@ -1,115 +1,52 @@ ID: aws_s3_bucket_restrict_public_read_access Title: "S3 buckets should prohibit public read access" Description: "Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to AWS Simple Storage Service (AWS S3) buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with public_acl as ( - select - distinct name - from - aws_s3_bucket, - jsonb_array_elements(case jsonb_typeof(acl -> 'Grants') - when 'array' then acl -> 'Grants' - else '[]' end) as grants - where - (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers' - or grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers') - and ( - grants ->> 'Permission' = 'FULL_CONTROL' - or grants ->> 'Permission' = 'READ_ACP' - or grants ->> 'Permission' = 'READ' - ) - ),read_access_policy as ( - select - distinct name - from - aws_s3_bucket, - jsonb_array_elements(case jsonb_typeof(policy_std -> 'Statement') - when 'array' then policy_std -> 'Statement' - else '[]' end ) as s, - jsonb_array_elements_text(case jsonb_typeof(s -> 'Action') - when 'array' then s -> 'Action' - else '[]' end) as action - where - s ->> 'Effect' = 'Allow' - and ( - s -> 'Principal' -> 'AWS' = '["*"]' - or s ->> 'Principal' = '*' - ) - and ( - action = '*' - or action = '*:*' - or action = 's3:*' - or action ilike 's3:get%' - or action ilike 's3:list%' - ) - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when (block_public_acls or a.name is null) and not bucket_policy_is_public then 'ok' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then 'ok' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then 'ok' - else 'alarm' - end as status, - case - when (block_public_acls or a.name is null) and not bucket_policy_is_public then b.title 
|| ' not publicly readable.' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then b.title || ' not publicly readable.' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then b.title || ' not publicly readable.' - else b.title || ' publicly readable.' - end as reason - - , b.region, b.account_id - from - aws_s3_bucket as b - left join public_acl as a on b.name = a.name - left join read_access_policy as p on b.name = p.name; + QueryToExecute: "with public_acl as (\n select\n distinct name\n from\n aws_s3_bucket,\n jsonb_array_elements(case jsonb_typeof(acl -> 'Grants') \n when 'array' then acl -> 'Grants' \n else '[]' end) as grants\n where\n (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'\n or grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers')\n and (\n grants ->> 'Permission' = 'FULL_CONTROL'\n or grants ->> 'Permission' = 'READ_ACP'\n or grants ->> 'Permission' = 'READ'\n )\n ),read_access_policy as (\n select\n distinct name\n from\n aws_s3_bucket,\n jsonb_array_elements(case jsonb_typeof(policy_std -> 'Statement') \n when 'array' then policy_std -> 'Statement' \n else '[]' end ) as s,\n jsonb_array_elements_text(case jsonb_typeof(s -> 'Action') \n when 'array' then s -> 'Action'\n else '[]' end) as action\n where\n s ->> 'Effect' = 'Allow'\n and (\n s -> 'Principal' -> 'AWS' = '[\"*\"]'\n or s ->> 'Principal' = '*'\n )\n and (\n action = '*'\n or action = '*:*'\n or action = 's3:*'\n or action ilike 's3:get%'\n or action ilike 's3:list%'\n )\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when (block_public_acls or a.name is null) and not bucket_policy_is_public then 'ok'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then 'ok'\n when (block_public_acls or a.name is null) and 
(bucket_policy_is_public and p.name is null) then 'ok'\n else 'alarm'\n end as status,\n case\n when (block_public_acls or a.name is null) and not bucket_policy_is_public then b.title || ' not publicly readable.'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then b.title || ' not publicly readable.'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then b.title || ' not publicly readable.'\n else b.title || ' publicly readable.'\n end as reason\n \n , b.region, b.account_id\nfrom\n aws_s3_bucket as b\n left join public_acl as a on b.name = a.name\n left join read_access_policy as p on b.name = p.name;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_restrict_public_write_access.yaml b/compliance/controls/aws/aws_s3_bucket_restrict_public_write_access.yaml index daed1fc08..1c26faed9 100755 --- a/compliance/controls/aws/aws_s3_bucket_restrict_public_write_access.yaml +++ b/compliance/controls/aws/aws_s3_bucket_restrict_public_write_access.yaml 
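Review bot: Every `ok` branch of the status and reason cases guards the ACL check with `block_public_acls`, but that setting only rejects new public ACLs being written; an existing `AllUsers`/`AuthenticatedUsers` READ grant stays effective unless `ignore_public_acls` is set, so a bucket with a public ACL and only `block_public_acls = true` is reported `not publicly readable`. Change the guard to `(ignore_public_acls or a.name is null)` in the three status branches and the three reason branches, or require both flags if the intent is prevent-and-neutralise. The same guard is used in the aws_s3_bucket_restrict_public_write_access hunk that follows and should be corrected there too. The hunk starts two lines above.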
@@ -1,119 +1,52 @@ ID: aws_s3_bucket_restrict_public_write_access Title: "S3 buckets should prohibit public write access" Description: "Manage access to resources in the AWS Cloud by only allowing authorized users, processes, and devices access to AWS Simple Storage Service (AWS S3) buckets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with public_acl as ( - select - distinct name - from - aws_s3_bucket, - jsonb_array_elements(case jsonb_typeof(acl -> 'Grants') - when 'array' then acl -> 'Grants' - else '[]' end) as grants - where - (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers' - or grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers') - and ( - grants ->> 'Permission' = 'FULL_CONTROL' - or grants ->> 'Permission' = 'WRITE_ACP' - or grants ->> 'Permission' = 'WRITE' - ) - ), write_access_policy as ( - select - distinct name - from - aws_s3_bucket, - jsonb_array_elements(case jsonb_typeof(policy_std -> 'Statement') - when 'array' then policy_std -> 'Statement' - else '[]' end ) as s, - jsonb_array_elements_text(case jsonb_typeof(s -> 'Action') - when 'array' then s -> 'Action' - else '[]' end) as action - where - s ->> 'Effect' = 'Allow' - and ( - s -> 'Principal' -> 'AWS' = '["*"]' - or s ->> 'Principal' = '*' - ) - and ( - action = '*' - or action = '*:*' - or action = 's3:*' - or action ilike 's3:put%' - or action ilike 's3:delete%' - or action ilike 's3:create%' - or action ilike 's3:update%' - or action ilike 's3:replicate%' - or action ilike 's3:restore%' - ) - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when (block_public_acls or a.name is null) and not bucket_policy_is_public then 'ok' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then 'ok' - when bucket_policy_is_public and p.name is null then 'ok' - else 'alarm' - end status, - case 
- when (block_public_acls or a.name is null ) and not bucket_policy_is_public then b.title || ' not publicly writable.' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then b.title || ' not publicly writable.' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then b.title || ' not publicly writable.' - else b.title || ' publicly writable.' - end reason - - , b.region, b.account_id - from - aws_s3_bucket as b - left join public_acl as a on b.name = a.name - left join write_access_policy as p on b.name = p.name; + QueryToExecute: "with public_acl as (\n select\n distinct name\n from\n aws_s3_bucket,\n jsonb_array_elements(case jsonb_typeof(acl -> 'Grants') \n when 'array' then acl -> 'Grants' \n else '[]' end) as grants\n where\n (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'\n or grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers')\n and (\n grants ->> 'Permission' = 'FULL_CONTROL'\n or grants ->> 'Permission' = 'WRITE_ACP'\n or grants ->> 'Permission' = 'WRITE'\n )\n), write_access_policy as (\n select\n distinct name\n from\n aws_s3_bucket,\n jsonb_array_elements(case jsonb_typeof(policy_std -> 'Statement') \n when 'array' then policy_std -> 'Statement' \n else '[]' end ) as s,\n jsonb_array_elements_text(case jsonb_typeof(s -> 'Action') \n when 'array' then s -> 'Action'\n else '[]' end) as action\n where\n s ->> 'Effect' = 'Allow'\n and (\n s -> 'Principal' -> 'AWS' = '[\"*\"]'\n or s ->> 'Principal' = '*'\n )\n and (\n action = '*'\n or action = '*:*'\n or action = 's3:*'\n or action ilike 's3:put%'\n or action ilike 's3:delete%'\n or action ilike 's3:create%'\n or action ilike 's3:update%'\n or action ilike 's3:replicate%'\n or action ilike 's3:restore%'\n )\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when 
(block_public_acls or a.name is null) and not bucket_policy_is_public then 'ok'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then 'ok'\n when bucket_policy_is_public and p.name is null then 'ok'\n else 'alarm'\n end status,\n case\n when (block_public_acls or a.name is null ) and not bucket_policy_is_public then b.title || ' not publicly writable.'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then b.title || ' not publicly writable.'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then b.title || ' not publicly writable.'\n else b.title || ' publicly writable.'\n end reason\n\n , b.region, b.account_id\nfrom\n aws_s3_bucket as b\n left join public_acl as a on b.name = a.name\n left join write_access_policy as p on b.name = p.name;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
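Review bot: The third status branch, `when bucket_policy_is_public and p.name is null then 'ok'`, lacks the ACL guard that the matching reason branch carries, so a bucket with a public WRITE ACL plus a public but non-write policy gets status `ok` while its reason text says `publicly writable.`. Align it with the reason case: `when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then 'ok'`. The ACL guard itself has the `block_public_acls` vs `ignore_public_acls` problem raised on the public-read hunk. The hunk starts two lines above.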
diff --git a/compliance/controls/aws/aws_s3_bucket_static_website_hosting_disabled.yaml b/compliance/controls/aws/aws_s3_bucket_static_website_hosting_disabled.yaml index f527455dc..3aa4ac5e2 100755 --- a/compliance/controls/aws/aws_s3_bucket_static_website_hosting_disabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_static_website_hosting_disabled.yaml @@ -1,30 +1,14 @@ ID: aws_s3_bucket_static_website_hosting_disabled Title: "S3 buckets static website hosting should be disabled" Description: "Enabling static website on a S3 bucket requires to grant public read access to the bucket. There is a potential risk of exposure when you turn off block public access settings to make your bucket public. This is recommend to not configure static website on S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when website_configuration -> 'IndexDocument' ->> 'Suffix' is not null then 'alarm' - else 'ok' - end status, - case - when website_configuration -> 'IndexDocument' ->> 'Suffix' is not null then name || ' static website hosting enabled.' - else name || ' static website hosting disabled.' - end reason - - - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when website_configuration -> 'IndexDocument' ->> 'Suffix' is not null then 'alarm'\n else 'ok'\n end status,\n case\n when website_configuration -> 'IndexDocument' ->> 'Suffix' is not null then name || ' static website hosting enabled.'\n else name || ' static website hosting disabled.'\n end reason\n \n \nfrom\n aws_s3_bucket;" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
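Review bot: The check `website_configuration -> 'IndexDocument' ->> 'Suffix' is not null` only recognises index-document hosting; a bucket whose website configuration uses `RedirectAllRequestsTo` alone has hosting enabled yet is reported `static website hosting disabled`. Test the configuration as a whole, `when website_configuration is not null then 'alarm'`, in both the status and reason cases. This query also omits the trailing `, region, account_id` columns that the other controls in this chunk return (the blank `\n \n \nfrom` is where they would sit), as does the aws_sagemaker_model_in_vpc hunk later in this chunk; if the engine reads those columns for scoping, add them, otherwise a comment on why these two differ would help.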
diff --git a/compliance/controls/aws/aws_s3_bucket_versioning_and_lifecycle_policy_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_versioning_and_lifecycle_policy_enabled.yaml index e7589ddcf..b942d99bf 100755 --- a/compliance/controls/aws/aws_s3_bucket_versioning_and_lifecycle_policy_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_versioning_and_lifecycle_policy_enabled.yaml 
@@ -1,54 +1,26 @@ ID: aws_s3_bucket_versioning_and_lifecycle_policy_enabled Title: "S3 buckets with versioning enabled should have lifecycle policies configured" Description: "This control checks if AWS Simple Storage Service (AWS S3) version enabled buckets have lifecycle policy configured. This rule fails if AWS S3 lifecycle policy is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with lifecycle_rules_enabled as ( - select - arn - from - aws_s3_bucket, - jsonb_array_elements(lifecycle_rules) as r - where - r ->> 'Status' = 'Enabled' - ) - select - b.arn as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when not versioning_enabled then 'alarm' - when versioning_enabled and r.arn is not null then 'ok' - else 'alarm' - end as status, - case - when not versioning_enabled then name || ' versioning diabled.' - when versioning_enabled and r.arn is not null then name || ' lifecycle policy configured.' - else name || ' lifecycle policy not configured.' 
- end as reason - - , b.region, b.account_id - from - aws_s3_bucket as b - left join lifecycle_rules_enabled as r on r.arn = b.arn; + QueryToExecute: "with lifecycle_rules_enabled as (\n select\n arn\n from\n aws_s3_bucket,\n jsonb_array_elements(lifecycle_rules) as r\n where\n r ->> 'Status' = 'Enabled'\n)\nselect\n b.arn as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when not versioning_enabled then 'alarm'\n when versioning_enabled and r.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when not versioning_enabled then name || ' versioning diabled.'\n when versioning_enabled and r.arn is not null then name || ' lifecycle policy configured.'\n else name || ' lifecycle policy not configured.'\n end as reason\n \n , b.region, b.account_id\nfrom\n aws_s3_bucket as b\n left join lifecycle_rules_enabled as r on r.arn = b.arn;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - logging + - logging foundational_security_item_id: - - s3_10 + - s3_10 plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_bucket_versioning_enabled.yaml b/compliance/controls/aws/aws_s3_bucket_versioning_enabled.yaml index c21018b5c..82fe7e701 100755 --- a/compliance/controls/aws/aws_s3_bucket_versioning_enabled.yaml +++ b/compliance/controls/aws/aws_s3_bucket_versioning_enabled.yaml 
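Review bot: `lifecycle_rules_enabled` selects `arn` without `distinct`, so a bucket with more than one enabled rule yields one row per rule and the left join then reports that bucket several times; the other CTEs in this change use `select distinct`, so write `select\n distinct arn` here as well. The reason string for the alarm branch has a typo, `' versioning diabled.'`, which is user-visible output and should read `' versioning disabled.'`. The hunk starts on the previous line.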
@@ -1,70 +1,54 @@ ID: aws_s3_bucket_versioning_enabled Title: "S3 bucket versioning should be enabled" Description: "AWS Simple Storage Service (AWS S3) bucket versioning helps keep multiple variants of an object in the same AWS S3 bucket." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when versioning_enabled then 'ok' - else 'alarm' - end as status, - case - when versioning_enabled then name || ' versioning enabled.' - else name || ' versioning disabled.' - end as reason - - , region, account_id - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when versioning_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when versioning_enabled then name || ' versioning enabled.'\n else name || ' versioning disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_s3_bucket;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: low Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_s3_public_access_block_account.yaml b/compliance/controls/aws/aws_s3_public_access_block_account.yaml index 71644ecfb..78182c011 100755 --- a/compliance/controls/aws/aws_s3_public_access_block_account.yaml +++ b/compliance/controls/aws/aws_s3_public_access_block_account.yaml @@ -1,8 +1,6 @@ ID: aws_s3_public_access_block_account Title: "S3 public access should be blocked at account level" Description: "Manage access to resources in the AWS Cloud by ensuring that AWS Simple Storage Service (AWS S3) buckets cannot be publicly accessed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -37,41 +35,43 @@ Query: aws_s3_account_settings; PrimaryTable: aws_s3_account_settings ListOfTables: - - aws_s3_account_settings + - aws_s3_account_settings Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_public_access_block_bucket.yaml b/compliance/controls/aws/aws_s3_public_access_block_bucket.yaml index 14307013b..f7540f630 100755 --- a/compliance/controls/aws/aws_s3_public_access_block_bucket.yaml +++ b/compliance/controls/aws/aws_s3_public_access_block_bucket.yaml 
@@ -1,66 +1,36 @@ ID: aws_s3_public_access_block_bucket Title: "S3 public access should be blocked at bucket levels" Description: "Ensure that AWS Simple Storage Service (AWS S3) buckets are publicly accessible. This rule is non-compliant if an AWS S3 bucket is not listed in the excludedPublicBuckets parameter and bucket level settings are public." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when block_public_acls - and block_public_policy - and ignore_public_acls - and restrict_public_buckets - then 'ok' - else 'alarm' - end as status, - case - when block_public_acls - and block_public_policy - and ignore_public_acls - and restrict_public_buckets - then name || ' all public access blocks enabled.' - else name || ' not enabled for: ' || - concat_ws(', ', - case when not block_public_acls then 'block_public_acls' end, - case when not block_public_policy then 'block_public_policy' end, - case when not ignore_public_acls then 'ignore_public_acls' end, - case when not restrict_public_buckets then 'restrict_public_buckets' end - ) || '.' 
- end as reason - - , region, account_id - from - aws_s3_bucket; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when block_public_acls\n and block_public_policy\n and ignore_public_acls\n and restrict_public_buckets\n then 'ok'\n else 'alarm'\n end as status,\n case\n when block_public_acls\n and block_public_policy\n and ignore_public_acls\n and restrict_public_buckets\n then name || ' all public access blocks enabled.'\n else name || ' not enabled for: ' ||\n concat_ws(', ',\n case when not block_public_acls then 'block_public_acls' end,\n case when not block_public_policy then 'block_public_policy' end,\n case when not ignore_public_acls then 'ignore_public_acls' end,\n case when not restrict_public_buckets then 'restrict_public_buckets' end\n ) || '.'\n end as reason\n \n , region, account_id\nfrom\n aws_s3_bucket;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_bucket + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_s3_public_access_block_bucket_account.yaml b/compliance/controls/aws/aws_s3_public_access_block_bucket_account.yaml index bd39ed527..f4fe0abad 100755 --- a/compliance/controls/aws/aws_s3_public_access_block_bucket_account.yaml +++ b/compliance/controls/aws/aws_s3_public_access_block_bucket_account.yaml 
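Review bot: The `Description` states the opposite of the control: "Ensure that AWS Simple Storage Service (AWS S3) buckets are publicly accessible" should read "are not publicly accessible". It also refers to an `excludedPublicBuckets` parameter while the file declares `Parameters: []`, so either wire that parameter in or drop the sentence so readers do not expect an exclusion list that the query never consults. The hunk starts on the previous line.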
@@ -1,66 +1,33 @@ ID: aws_s3_public_access_block_bucket_account Title: "S3 public access should be blocked at account and bucket levels" Description: "Manage access to resources in the AWS Cloud by ensuring that AWS Simple Storage Service (AWS S3) buckets cannot be publicly accessed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - bucket.arn as resource, - bucket.og_account_id as og_account_id, - bucket.og_resource_id as og_resource_id, - case - when (bucket.block_public_acls or s3account.block_public_acls) - and (bucket.block_public_policy or s3account.block_public_policy) - and (bucket.ignore_public_acls or s3account.ignore_public_acls) - and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) - then 'ok' - else 'alarm' - end as status, - case - when (bucket.block_public_acls or s3account.block_public_acls) - and (bucket.block_public_policy or s3account.block_public_policy) - and (bucket.ignore_public_acls or s3account.ignore_public_acls) - and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) - then name || ' all public access blocks enabled.' - else name || ' not enabled for: ' || - concat_ws(', ', - case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end, - case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end, - case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end, - case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end - ) || '.' 
- end as reason - - , bucket.region, bucket.account_id - from - aws_s3_bucket as bucket, - aws_s3_account_settings as s3account - where - s3account.account_id = bucket.account_id; + QueryToExecute: "select\n bucket.arn as resource,\n bucket.og_account_id as og_account_id,\n bucket.og_resource_id as og_resource_id,\n case\n when (bucket.block_public_acls or s3account.block_public_acls)\n and (bucket.block_public_policy or s3account.block_public_policy)\n and (bucket.ignore_public_acls or s3account.ignore_public_acls)\n and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)\n then 'ok'\n else 'alarm'\n end as status,\n case\n when (bucket.block_public_acls or s3account.block_public_acls)\n and (bucket.block_public_policy or s3account.block_public_policy)\n and (bucket.ignore_public_acls or s3account.ignore_public_acls)\n and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)\n then name || ' all public access blocks enabled.'\n else name || ' not enabled for: ' ||\n concat_ws(', ',\n case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end,\n case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end,\n case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end,\n case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end\n ) || '.'\n end as reason\n \n , bucket.region, bucket.account_id\nfrom\n aws_s3_bucket as bucket,\n aws_s3_account_settings as s3account\nwhere\n s3account.account_id = bucket.account_id;\n" PrimaryTable: aws_s3_bucket ListOfTables: - - aws_s3_account_settings - - aws_s3_bucket + - aws_s3_account_settings + - aws_s3_bucket Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.20" + - "1.20" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" 
cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - aws + - aws service: - - AWS/S3 + - AWS/S3 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled.yaml index 6d3fa55a1..e615dd76a 100755 --- a/compliance/controls/aws/aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled.yaml 
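Review bot: The query joins `aws_s3_bucket` to `aws_s3_account_settings` with an inner join (`from a, b where b.account_id = a.account_id`), so if the settings table has no row for an account that never configured an account-level public access block, every bucket of that account disappears from the result instead of being reported as `alarm`. If that table can be empty for such accounts, switch to `left join aws_s3_account_settings as s3account on s3account.account_id = bucket.account_id` and wrap each `s3account.<flag>` in `coalesce(..., false)` so the `or` and `not` expressions stay boolean rather than NULL. The hunk starts two lines above.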
@@ -1,66 +1,50 @@ ID: aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled Title: "SageMaker endpoint configuration encryption should be enabled" Description: "To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker endpoint." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when kms_key_id is null then 'alarm' - else 'ok' - end as status, - case - when kms_key_id is null then title || ' encryption at rest disabled.' - else title || ' encryption at rest enabled.' - end as reason - - , region, account_id - from - aws_sagemaker_endpoint_configuration; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_key_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_key_id is null then title || ' encryption at rest disabled.'\n else title || ' encryption at rest enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_sagemaker_endpoint_configuration;\n" PrimaryTable: aws_sagemaker_endpoint_configuration ListOfTables: - - aws_sagemaker_endpoint_configuration + - aws_sagemaker_endpoint_configuration Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" 
service: - - AWS/SageMaker + - AWS/SageMaker soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_model_in_vpc.yaml b/compliance/controls/aws/aws_sagemaker_model_in_vpc.yaml index dd2f3e82d..b1a992e42 100755 --- a/compliance/controls/aws/aws_sagemaker_model_in_vpc.yaml +++ b/compliance/controls/aws/aws_sagemaker_model_in_vpc.yaml @@ -1,30 +1,14 @@ ID: aws_sagemaker_model_in_vpc Title: "SageMaker models should be in a VPC" Description: "Manage access to the AWS Cloud by ensuring SageMaker models are within an AWS Virtual Private Cloud (AWS VPC)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when vpc_config is not null then 'ok' - else 'alarm' - end as status, - case - when vpc_config is not null then title || ' in VPC.' - else title || ' not in VPC.' - end as reason - - - from - aws_sagemaker_model; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_config is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when vpc_config is not null then title || ' in VPC.'\n else title || ' not in VPC.'\n end as reason\n \n \nfrom\n aws_sagemaker_model;\n" PrimaryTable: aws_sagemaker_model ListOfTables: - - aws_sagemaker_model + - aws_sagemaker_model Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_model_network_isolation_enabled.yaml b/compliance/controls/aws/aws_sagemaker_model_network_isolation_enabled.yaml index a70a199ea..86005963d 100755 --- a/compliance/controls/aws/aws_sagemaker_model_network_isolation_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_model_network_isolation_enabled.yaml 
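Review bot: The rewritten `QueryToExecute` is now a double-quoted scalar with embedded `\n` escapes, which makes the SQL unreadable in review and turns any future edit of the statement into a one-line diff; the removed `|` block scalar yielded the same string value with the SQL laid out naturally. Unless the loader cannot handle block scalars, I would keep `QueryToExecute: |` (or `|-` where no trailing newline is wanted) and indent the statement under it. The same change appears in the model_in_vpc, notebook_instance_direct_internet_access_disabled, notebook_instance_encryption_at_rest_enabled, notebook_instance_in_vpc, notebook_instance_root_access_disabled, secretsmanager_secret_automatic_rotation_enabled, _automatic_rotation_lambda_enabled, _encrypted_with_kms_cmk, _last_changed_90_day, _last_used_1_day and _rotated_as_scheduled hunks; the encrypted_with_kms_cmk one shows the cost most clearly, since the JSON in its `@>` predicates now needs `\"` escaping.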
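Review bot: The new query string ends its select list at `end as reason\n \n \nfrom`, so unlike the sibling SageMaker controls in this change it does not return `region` and `account_id`. If the consumer of these controls expects those columns (every other query here appends `, region, account_id` before `from`), add them the same way. The blank-line padding inside the string (`\n \n \n`) looks like leftover from the old block scalar and can be dropped.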
@@ -1,8 +1,6 @@ ID: aws_sagemaker_model_network_isolation_enabled Title: "SageMaker models should have network isolation enabled" Description: "SageMaker models are internet-enabled by default. Network isolation should be enabled to avoid external network access to your inference containers." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_sagemaker_model; PrimaryTable: aws_sagemaker_model ListOfTables: - - aws_sagemaker_model + - aws_sagemaker_model Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_direct_internet_access_disabled.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_direct_internet_access_disabled.yaml index c90b9de24..b4b6dfa20 100755 --- a/compliance/controls/aws/aws_sagemaker_notebook_instance_direct_internet_access_disabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_direct_internet_access_disabled.yaml 
@@ -1,66 +1,50 @@ ID: aws_sagemaker_notebook_instance_direct_internet_access_disabled Title: "SageMaker notebook instances should not have direct internet access" Description: "Manage access to resources in the AWS Cloud by ensuring that AWS SageMaker notebooks do not allow direct internet access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when direct_internet_access = 'Enabled' then 'alarm' - else 'ok' - end status, - case - when direct_internet_access = 'Enabled' then title || ' direct internet access enabled.' - else title || ' direct internet access disabled.' - end reason - - , region, account_id - from - aws_sagemaker_notebook_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when direct_internet_access = 'Enabled' then 'alarm'\n else 'ok'\n end status,\n case\n when direct_internet_access = 'Enabled' then title || ' direct internet access enabled.'\n else title || ' direct internet access disabled.'\n end reason\n \n , region, account_id\nfrom\n aws_sagemaker_notebook_instance;\n" PrimaryTable: aws_sagemaker_notebook_instance ListOfTables: - - aws_sagemaker_notebook_instance + - aws_sagemaker_notebook_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - 
aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/SageMaker + - AWS/SageMaker soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml index d2675a70c..ecffaca7a 100755 --- a/compliance/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml @@ -1,8 +1,6 @@ ID: aws_sagemaker_notebook_instance_encrypted_with_kms_cmk Title: "SageMaker notebook instances should be encrypted using CMK" Description: "This control checks if SageMaker notebook instance storage volumes are encrypted with AWS KMS Customer Master Keys (CMKs) instead of AWS managed-keys." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -46,8 +44,10 @@ Query: left join kms_keys as k on i.kms_key_id = k.arn; PrimaryTable: aws_sagemaker_notebook_instance ListOfTables: - - aws_sagemaker_notebook_instance - - aws_kms_key + - aws_sagemaker_notebook_instance + - aws_kms_key Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_encryption_at_rest_enabled.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_encryption_at_rest_enabled.yaml index b63afdadb..059ecf5bf 100755 --- a/compliance/controls/aws/aws_sagemaker_notebook_instance_encryption_at_rest_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_encryption_at_rest_enabled.yaml 
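Review bot: The status case fails open: `when direct_internet_access = 'Enabled' then 'alarm' else 'ok'` reports `ok` for any value that is not exactly `Enabled`, including a null or unexpected value, whereas the sibling root_access_disabled control in this change tests for the compliant value (`= 'Disabled' then 'ok' else 'alarm'`). If `direct_internet_access` can be null for an instance, consider inverting the test to `when direct_internet_access = 'Disabled' then 'ok' else 'alarm'` so unknown state is surfaced rather than passed. Minor: `end status` / `end reason` omit the `as` used in every other query in these files.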
@@ -1,66 +1,50 @@ ID: aws_sagemaker_notebook_instance_encryption_at_rest_enabled Title: "SageMaker notebook instance encryption should be enabled" Description: "To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for your SageMaker notebook." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when kms_key_id is null then 'alarm' - else 'ok' - end as status, - case - when kms_key_id is null then title || ' encryption at rest enabled' - else title || ' encryption at rest not enabled' - end as reason - - , region, account_id - from - aws_sagemaker_notebook_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_key_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_key_id is null then title || ' encryption at rest enabled'\n else title || ' encryption at rest not enabled'\n end as reason\n \n , region, account_id\nfrom\n aws_sagemaker_notebook_instance;\n" PrimaryTable: aws_sagemaker_notebook_instance ListOfTables: - - aws_sagemaker_notebook_instance + - aws_sagemaker_notebook_instance Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/SageMaker + - 
AWS/SageMaker soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_in_vpc.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_in_vpc.yaml index b160aed78..57377474a 100755 --- a/compliance/controls/aws/aws_sagemaker_notebook_instance_in_vpc.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_in_vpc.yaml @@ -1,42 +1,26 @@ ID: aws_sagemaker_notebook_instance_in_vpc Title: "SageMaker notebook instances should be in a VPC" Description: "Manage access to the AWS Cloud by ensuring SageMaker notebook instances are within an AWS Virtual Private Cloud (AWS VPC)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when subnet_id is not null then 'ok' - else 'alarm' - end as status, - case - when subnet_id is not null then title || ' in VPC.' - else title || ' not in VPC.' - end as reason - - , region, account_id - from - aws_sagemaker_notebook_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when subnet_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when subnet_id is not null then title || ' in VPC.'\n else title || ' not in VPC.'\n end as reason\n \n , region, account_id\nfrom\n aws_sagemaker_notebook_instance;\n" PrimaryTable: aws_sagemaker_notebook_instance ListOfTables: - - aws_sagemaker_notebook_instance + - aws_sagemaker_notebook_instance Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resources_within_vpc + - resources_within_vpc foundational_security_item_id: - - sagemaker_2 + - sagemaker_2 plugin: - - aws + - aws service: - - AWS/SageMaker + - AWS/SageMaker +IntegrationTypeName: + - aws_cloud 
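Review bot: The `reason` text is inverted relative to `status`: a null `kms_key_id` yields `'alarm'` but the message `title || ' encryption at rest enabled'`, and a set key yields `'ok'` with `' encryption at rest not enabled'`, so every finding from this control is mislabelled. Swap the two strings, i.e. `when kms_key_id is null then title || ' encryption at rest not enabled.'` and `else title || ' encryption at rest enabled.'`, which matches the endpoint_configuration control earlier in this change.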
diff --git a/compliance/controls/aws/aws_sagemaker_notebook_instance_root_access_disabled.yaml b/compliance/controls/aws/aws_sagemaker_notebook_instance_root_access_disabled.yaml index 7f2363509..856b48c28 100755 --- a/compliance/controls/aws/aws_sagemaker_notebook_instance_root_access_disabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_notebook_instance_root_access_disabled.yaml 
@@ -1,42 +1,26 @@ ID: aws_sagemaker_notebook_instance_root_access_disabled Title: "SageMaker notebook instances root access should be disabled" Description: "Users with root access have administrator privileges and users can access and edit all files on a notebook instance. It is recommeneded to disable root access to restrict users from accessing and editing all the files." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when root_access = 'Disabled' then 'ok' - else 'alarm' - end as status, - case - when root_access = 'Disabled' then title || ' root access disabled.' - else title || ' root access enabled.' - end as reason - - , region, account_id - from - aws_sagemaker_notebook_instance; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when root_access = 'Disabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when root_access = 'Disabled' then title || ' root access disabled.'\n else title || ' root access enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_sagemaker_notebook_instance;\n" PrimaryTable: aws_sagemaker_notebook_instance ListOfTables: - - aws_sagemaker_notebook_instance + - aws_sagemaker_notebook_instance Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - root_user_access_restrictions + - root_user_access_restrictions foundational_security_item_id: - - sagemaker_3 + - sagemaker_3 plugin: - - aws + - aws service: - - AWS/SageMaker + - AWS/SageMaker +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_training_job_in_vpc.yaml b/compliance/controls/aws/aws_sagemaker_training_job_in_vpc.yaml index 0c890f799..21b6220ee 100755 --- a/compliance/controls/aws/aws_sagemaker_training_job_in_vpc.yaml 
+++ b/compliance/controls/aws/aws_sagemaker_training_job_in_vpc.yaml @@ -1,8 +1,6 @@ ID: aws_sagemaker_training_job_in_vpc Title: "SageMaker training jobs should be in VPC" Description: "Manage access to the AWS Cloud by ensuring SageMaker training jobs are within an AWS Virtual Private Cloud (AWS VPC)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_sagemaker_training_job; PrimaryTable: aws_sagemaker_training_job ListOfTables: - - aws_sagemaker_training_job + - aws_sagemaker_training_job Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_training_job_inter_container_traffic_encryption_enabled.yaml b/compliance/controls/aws/aws_sagemaker_training_job_inter_container_traffic_encryption_enabled.yaml index 33780a393..bcae3547c 100755 --- a/compliance/controls/aws/aws_sagemaker_training_job_inter_container_traffic_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_training_job_inter_container_traffic_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_sagemaker_training_job_inter_container_traffic_encryption_enabled Title: "SageMaker training jobs should be enabled with inter-container traffic encryption" Description: "Inter-container traffic encryption shoule be used to protect data that is transmitted between instances while performing distributed training. This control in compliant when inter-container traffic encryption is enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_sagemaker_training_job; PrimaryTable: aws_sagemaker_training_job ListOfTables: - - aws_sagemaker_training_job + - aws_sagemaker_training_job Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_sagemaker_training_job_network_isolation_enabled.yaml b/compliance/controls/aws/aws_sagemaker_training_job_network_isolation_enabled.yaml index c360bbf52..ca43f3115 100755 --- a/compliance/controls/aws/aws_sagemaker_training_job_network_isolation_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_training_job_network_isolation_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_sagemaker_training_job_network_isolation_enabled Title: "SageMaker training jobs should have network isolation enabled" Description: "SageMaker training jobs are internet-enabled by default. Network isolation should be enabled to avoid external network access to your training." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_sagemaker_training_job; PrimaryTable: aws_sagemaker_training_job ListOfTables: - - aws_sagemaker_training_job + - aws_sagemaker_training_job Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sagemaker_training_job_volume_and_data_encryption_enabled.yaml b/compliance/controls/aws/aws_sagemaker_training_job_volume_and_data_encryption_enabled.yaml index 195397d94..4ac85e37b 100755 --- a/compliance/controls/aws/aws_sagemaker_training_job_volume_and_data_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_sagemaker_training_job_volume_and_data_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_sagemaker_training_job_volume_and_data_encryption_enabled Title: "SageMaker training jobs volumes and outputs should have KMS encryption enabled" Description: "Ensure that SageMaker training jobs have volumes and outputs with KMS encryption enabled in order to have a more granular control over the data-at-rest encryption/decryption process and to meet compliance requirements." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -22,7 +20,9 @@ Query: aws_sagemaker_training_job; PrimaryTable: aws_sagemaker_training_job ListOfTables: - - aws_sagemaker_training_job + - aws_sagemaker_training_job Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_enabled.yaml b/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_enabled.yaml index 91eb3715a..fbb70c8b9 100755 --- a/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_enabled.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_enabled.yaml 
@@ -1,50 +1,34 @@ ID: aws_secretsmanager_secret_automatic_rotation_enabled Title: "Secrets Manager secrets should have automatic rotation enabled" Description: "This rule ensures AWS Secrets Manager secrets have rotation enabled. Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when rotation_rules is null then 'alarm' - else 'ok' - end as status, - case - when rotation_rules is null then title || ' automatic rotation not enabled.' - else title || ' automatic rotation enabled.' - end as reason - - , region, account_id - from - aws_secretsmanager_secret; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when rotation_rules is null then 'alarm'\n else 'ok'\n end as status,\n case\n when rotation_rules is null then title || ' automatic rotation not enabled.'\n else title || ' automatic rotation enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_secretsmanager_secret;\n" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/SecretsManager + - AWS/SecretsManager soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_lambda_enabled.yaml b/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_lambda_enabled.yaml index 12f3625ce..b38b85a50 100755 --- a/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_lambda_enabled.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_automatic_rotation_lambda_enabled.yaml 
@@ -1,43 +1,26 @@ ID: aws_secretsmanager_secret_automatic_rotation_lambda_enabled Title: "Secrets Manager secrets should be rotated within a specified number of days" Description: "This control checks whether your secrets have been rotated at least once within 90 days. Rotating secrets can help you to reduce the risk of an unauthorized use of your secrets in your AWS account. Examples include database credentials, passwords, third-party API keys, and even arbitrary text. If you do not change your secrets for a long period of time, the secrets are more likely to be compromised." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |+ - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when rotation_rules is not null and rotation_lambda_arn is not null then 'ok' - else 'alarm' - end as status, - case - when rotation_rules is not null and rotation_lambda_arn is not null then title || ' scheduled for rotation using Lambda function.' - else title || ' automatic rotation using Lambda function disabled.' 
- end as reason - - , region, account_id - from - aws_secretsmanager_secret; - + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when rotation_rules is not null and rotation_lambda_arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when rotation_rules is not null and rotation_lambda_arn is not null then title || ' scheduled for rotation using Lambda function.'\n else title || ' automatic rotation using Lambda function disabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_secretsmanager_secret;\n\n" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_access_management + - secure_access_management foundational_security_item_id: - - secretsmanager_4 + - secretsmanager_4 plugin: - - aws + - aws service: - - AWS/SecretsManager + - AWS/SecretsManager +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_secretsmanager_secret_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_secretsmanager_secret_encrypted_with_kms_cmk.yaml index fe6a2636d..469601a10 100755 --- a/compliance/controls/aws/aws_secretsmanager_secret_encrypted_with_kms_cmk.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_encrypted_with_kms_cmk.yaml 
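Review bot: The query does not implement what the Title and Description state: both describe a check that the secret was rotated at least once within 90 days, but the status is `rotation_rules is not null and rotation_lambda_arn is not null`, which only confirms that a rotation configuration exists, so a secret whose Lambda rotation has never run or has been failing still reports `ok`. Either bring `last_rotated_date` into the condition (the rotated_as_scheduled control in this change shows the pattern, `date(current_date) - date(last_rotated_date)`), or reword the Description to say the control only verifies that Lambda-based rotation is configured. The string also carries the trailing `\n\n` inherited from the old `|+` scalar; harmless, but `|-` would avoid it.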
@@ -1,63 +1,33 @@ ID: aws_secretsmanager_secret_encrypted_with_kms_cmk Title: "Secrets Manager secrets should be encrypted using CMK" Description: "Ensure that all secrets in AWS Secrets Manager are encrypted using the AWS managed key (aws/secretsmanager) or a customer managed key that was created in AWS Key Management Service (AWS KMS). The rule is compliant if a secret is encrypted using a customer managed key. This rule is non-compliant if a secret is encrypted using aws/secretsmanager." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with encryption_keys as ( - select - distinct s.arn, - k.aliases as alias - from - aws_secretsmanager_secret as s - left join aws_kms_key as k on k.arn = s.kms_key_id - where - jsonb_array_length(k.aliases) > 0 - ) - select - s.arn as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when kms_key_id is null - or kms_key_id = 'alias/aws/secretsmanager' - or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]'then 'alarm' - else 'ok' - end as status, - case - when kms_key_id is null then title || ' not encrypted with KMS.' - when kms_key_id = 'alias/aws/secretsmanager' or k.alias @> '[{"AliasName":"alias/aws/secretsmanager"}]' then title || ' encrypted with AWS managed key.' - else title || ' encrypted with CMK.' 
- end as reason - - , region, account_id - from - aws_secretsmanager_secret as s - left join encryption_keys as k on s.arn = k.arn; + QueryToExecute: "with encryption_keys as (\n select\n distinct s.arn,\n k.aliases as alias\n from\n aws_secretsmanager_secret as s\n left join aws_kms_key as k on k.arn = s.kms_key_id\n where\n jsonb_array_length(k.aliases) > 0\n)\nselect\n s.arn as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when kms_key_id is null\n or kms_key_id = 'alias/aws/secretsmanager'\n or k.alias @> '[{\"AliasName\":\"alias/aws/secretsmanager\"}]'then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_key_id is null then title || ' not encrypted with KMS.'\n when kms_key_id = 'alias/aws/secretsmanager' or k.alias @> '[{\"AliasName\":\"alias/aws/secretsmanager\"}]' then title || ' encrypted with AWS managed key.'\n else title || ' encrypted with CMK.'\n end as reason\n \n , region, account_id\nfrom\n aws_secretsmanager_secret as s\n left join encryption_keys as k on s.arn = k.arn;" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - aws_kms_key - - aws_secretsmanager_secret + - aws_kms_key + - aws_secretsmanager_secret Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/SecretsManager + - AWS/SecretsManager +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_secretsmanager_secret_last_changed_90_day.yaml b/compliance/controls/aws/aws_secretsmanager_secret_last_changed_90_day.yaml index 4f1e6c97a..46548a695 100755 --- a/compliance/controls/aws/aws_secretsmanager_secret_last_changed_90_day.yaml 
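Review bot: `'[{\"AliasName\":\"alias/aws/secretsmanager\"}]'then 'alarm'` has no space between the closing quote and `then`; it may tokenize on the target engine, but it reads as a typo and is exactly the kind of thing the new `\"`-escaped one-line form makes easy to miss. Write `... '}]' then 'alarm'`. Also, `kms_key_id`, `title`, `region` and `account_id` are unqualified while `s.arn` and `k.alias` are qualified; prefixing them with `s.` keeps the query unambiguous if the `encryption_keys` CTE ever gains more columns.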
+++ b/compliance/controls/aws/aws_secretsmanager_secret_last_changed_90_day.yaml 
@@ -1,46 +1,28 @@ ID: aws_secretsmanager_secret_last_changed_90_day Title: "Secrets Manager secrets should be rotated within specific number of days" Description: "Ensure that AWS Secrets Manager secrets have been rotated in the past specified number of days. The rule is non-compliant if a secret has not been rotated for more than 'maxDaysSinceRotation' number of days. The default value is 90 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when last_changed_date is null then 'alarm' - when date(current_date) - date(last_changed_date) <= 90 then 'ok' - else 'alarm' - end as status, - case - when last_changed_date is null then title || ' never rotated.' - else - title || ' last rotated ' || extract(day from current_timestamp - last_changed_date) || ' day(s) ago.' - end as reason - - , region, account_id - from - aws_secretsmanager_secret; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when last_changed_date is null then 'alarm'\n when date(current_date) - date(last_changed_date) <= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when last_changed_date is null then title || ' never rotated.'\n else\n title || ' last rotated ' || extract(day from current_timestamp - last_changed_date) || ' day(s) ago.'\n end as reason\n \n , region, account_id\nfrom\n aws_secretsmanager_secret;\n" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/SecretsManager + - AWS/SecretsManager +IntegrationTypeName: + 
- aws_cloud diff --git a/compliance/controls/aws/aws_secretsmanager_secret_last_used_1_day.yaml b/compliance/controls/aws/aws_secretsmanager_secret_last_used_1_day.yaml index 1e35a325b..4de1ee2ca 100755 --- a/compliance/controls/aws/aws_secretsmanager_secret_last_used_1_day.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_last_used_1_day.yaml 
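Review bot: The Description promises a configurable `maxDaysSinceRotation` with a default of 90, but the query hard-codes `<= 90` and the file declares `Parameters: []`, so the threshold cannot be tuned as documented. Either expose the threshold through `Parameters` (the parameter syntax for this engine is not visible here) or reword the Description to state the fixed 90-day window. Minor: status uses `date(current_date) - date(last_changed_date)` while the reason uses `extract(day from current_timestamp - last_changed_date)`; near a day boundary the two can disagree by one, so compute one value and reuse it in both branches.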
@@ -1,42 +1,26 @@ ID: aws_secretsmanager_secret_last_used_1_day Title: "Remove unused Secrets Manager secrets" Description: "This control checks whether your secrets have been accessed within a specified number of days. The default value is 90 days. If a secret was accessed even once within the defined number of days, this control fails." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when date(last_accessed_date) - date(created_date) >= 1 then 'ok' - else 'alarm' - end as status, - case - when date(last_accessed_date)- date(created_date) >= 1 then title || ' recently used.' - else title || ' not used recently.' - end as reason - - , region, account_id - from - aws_secretsmanager_secret; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when date(last_accessed_date) - date(created_date) >= 1 then 'ok'\n else 'alarm'\n end as status,\n case\n when date(last_accessed_date)- date(created_date) >= 1 then title || ' recently used.'\n else title || ' not used recently.'\n end as reason\n \n , region, account_id\nfrom\n aws_secretsmanager_secret;\n" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_access_management + - secure_access_management foundational_security_item_id: - - secretsmanager_3 + - secretsmanager_3 plugin: - - aws + - aws service: - - AWS/SecretsManager + - AWS/SecretsManager +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_secretsmanager_secret_rotated_as_scheduled.yaml b/compliance/controls/aws/aws_secretsmanager_secret_rotated_as_scheduled.yaml index fc9d788f4..b1f3cd44b 100755 
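Review bot: The status condition `date(last_accessed_date) - date(created_date) >= 1` compares the last access to the creation date rather than to today, so a secret accessed once the day after creation and never since is `ok` indefinitely, while a secret created and heavily used on the same day is `alarm`; this does not implement the Title/Description ("accessed within a specified number of days", default 90). The check should be against the current date, e.g. `when last_accessed_date is null then 'alarm'` / `when date(current_date) - date(last_accessed_date) <= 90 then 'ok'` / `else 'alarm'`, with the reason branches updated to match. The Description's last sentence is also inverted ("If a secret was accessed even once ... this control fails"); it should say the control fails when the secret has not been accessed within the window.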
--- a/compliance/controls/aws/aws_secretsmanager_secret_rotated_as_scheduled.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_rotated_as_scheduled.yaml 
@@ -1,54 +1,26 @@ ID: aws_secretsmanager_secret_rotated_as_scheduled Title: "Secrets Manager secrets should be rotated as per the rotation schedule" Description: "This rule ensures that AWS Secrets Manager secrets have rotated successfully according to the rotation schedule. Rotating secrets on a regular schedule can shorten the period that a secret is active, and potentially reduce the business impact if it is compromised." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when primary_region is not null and region != primary_region then 'skip' -- Replica secret - when rotation_rules is null then 'alarm' -- Rotation not enabled - when last_rotated_date is null - and (date(current_date) - date(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'ok' -- New secret not due for rotation yet - when last_rotated_date is null - and (date(current_date) - date(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'alarm' -- New secret overdue for rotation - when last_rotated_date is not null - and (date(current_date) - date(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'alarm' -- Secret has been rotated before but is overdue for another rotation - end as status, - case - when primary_region is not null and region != primary_region then title || ' is a replica.' - when rotation_rules is null then title || ' rotation not enabled.' - when last_rotated_date is null - and (date(current_date) - date(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' scheduled for rotation.' - when last_rotated_date is null - and (date(current_date) - date(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' not rotated as per schedule.' 
- when last_rotated_date is not null - and (date(current_date) - date(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' not rotated as per schedule.' - end as reason - - , region, account_id - from - aws_secretsmanager_secret; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when primary_region is not null and region != primary_region then 'skip' -- Replica secret\n when rotation_rules is null then 'alarm' -- Rotation not enabled\n when last_rotated_date is null\n and (date(current_date) - date(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'ok' -- New secret not due for rotation yet\n when last_rotated_date is null\n and (date(current_date) - date(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'alarm' -- New secret overdue for rotation\n when last_rotated_date is not null\n and (date(current_date) - date(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then 'alarm' -- Secret has been rotated before but is overdue for another rotation\n end as status,\n case\n when primary_region is not null and region != primary_region then title || ' is a replica.'\n when rotation_rules is null then title || ' rotation not enabled.'\n when last_rotated_date is null\n and (date(current_date) - date(created_date)) <= (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' scheduled for rotation.'\n when last_rotated_date is null\n and (date(current_date) - date(created_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' not rotated as per schedule.'\n when last_rotated_date is not null\n and (date(current_date) - date(last_rotated_date)) > (rotation_rules -> 'AutomaticallyAfterDays')::integer then title || ' not rotated as per schedule.'\n end as reason\n \n , region, account_id\nfrom\n aws_secretsmanager_secret;\n" PrimaryTable: 
aws_secretsmanager_secret ListOfTables: - - aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_development + - secure_development foundational_security_item_id: - - secretsmanager_2 + - secretsmanager_2 plugin: - - aws + - aws service: - - AWS/SecretsManager + - AWS/SecretsManager +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_secretsmanager_secret_unused_90_day.yaml b/compliance/controls/aws/aws_secretsmanager_secret_unused_90_day.yaml index ecaacdb0a..1dd28fe43 100755 --- a/compliance/controls/aws/aws_secretsmanager_secret_unused_90_day.yaml +++ b/compliance/controls/aws/aws_secretsmanager_secret_unused_90_day.yaml 
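Review bot: The status `case` in the new `QueryToExecute` string has no branch for a secret that has been rotated and is still inside its `AutomaticallyAfterDays` window (last_rotated_date not null and the day difference not greater than the interval), so precisely the compliant case falls through to a NULL status and NULL reason. Adding `else 'ok' -- rotated within schedule` before `end as status` and `else title || ' rotated as per schedule.'` before `end as reason` closes the gap. Note also that `rotation_rules -> 'AutomaticallyAfterDays'` is null when rotation is configured through a schedule expression (Secrets Manager's RotationRules also carries ScheduleExpression), in which case every comparison is null and the secret again lands in the NULL bucket; whether the CloudQL column exposes that field cannot be seen from this diff, so treat it as something to confirm.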
@@ -1,46 +1,28 @@ ID: aws_secretsmanager_secret_unused_90_day Title: "Secrets Manager secrets that have not been used in 90 days should be removed" Description: "Ensure that AWS Secrets Manager secrets have been accessed within a specified number of days. The rule is non-compliant if a secret has not been accessed in 'unusedForDays' number of days. The default value is 90 days." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when last_accessed_date is null then 'alarm' - when date(current_date) - date(last_accessed_date) <= 90 then 'ok' - else 'alarm' - end as status, - case - when last_accessed_date is null then title || ' never accessed.' - else - title || ' last used ' || extract(day from current_timestamp - last_accessed_date) || ' day(s) ago.' - end as reason - - , region, account_id - from - aws_secretsmanager_secret; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when last_accessed_date is null then 'alarm'\n when date(current_date) - date(last_accessed_date) <= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when last_accessed_date is null then title || ' never accessed.'\n else\n title || ' last used ' || extract(day from current_timestamp - last_accessed_date) || ' day(s) ago.'\n end as reason\n \n , region, account_id\nfrom\n aws_secretsmanager_secret;\n" PrimaryTable: aws_secretsmanager_secret ListOfTables: - - aws_secretsmanager_secret + - aws_secretsmanager_secret Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/SecretsManager + - AWS/SecretsManager +IntegrationTypeName: + - aws_cloud 
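Review bot: The 90-day threshold is hard-coded in `date(current_date) - date(last_accessed_date) <= 90` while the Description tells users the rule honours an 'unusedForDays' value with a default of 90, and `Parameters: []` declares nothing, so the documented knob does not exist. Either expose the threshold as a control parameter (the Parameters list is the obvious place, if the CloudQL engine supports substituting one into the query) or drop the 'unusedForDays' sentence from the Description so the control does not promise configurability it lacks.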
diff --git a/compliance/controls/aws/aws_securityhub_enabled.yaml b/compliance/controls/aws/aws_securityhub_enabled.yaml index b901a5370..32ba18a21 100755 --- a/compliance/controls/aws/aws_securityhub_enabled.yaml +++ b/compliance/controls/aws/aws_securityhub_enabled.yaml 
@@ -1,99 +1,52 @@ ID: aws_securityhub_enabled Title: "AWS Security Hub should be enabled for an AWS Account" Description: "AWS Security Hub helps to monitor unauthorized personnel, connections, devices, and software. AWS Security Hub aggregates, organizes, and prioritizes the security alerts, or findings, from multiple AWS services." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with regions as ( - select - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, - r.og_account_id as og_account_id, - r.og_resource_id as og_resource_id, - case - when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then 1 - when r.opt_in_status = 'not-opted-in' then 1 - when h.hub_arn is not null then 0 - else 2 - end as status, - case - when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then r.region || ' region not supported.' - when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.' - when h.hub_arn is not null then 'Security Hub enabled in ' || r.region || '.' - else 'Security Hub disabled in ' || r.region || '.' 
- end as reason - , r.region, r.account_id - from - aws_region as r - left join aws_securityhub_hub as h on r.account_id = h.account_id and r.name = h.region - ), - results as ( - SELECT - account_id AS resource, - og_account_id as og_account_id, - og_account_id as og_resource_id, - case - when max(status) = 2 then 'alarm' - when max(status) = 1 then 'skip' - when max(status) = 0 then 'ok' - end as status, - case - when max(status) = 2 then 'SecurityHub is not enabled for this account on regions: [' || string_agg(region, ',') || ']' - when max(status) = 1 then 'Account is not opted in regions: [' || string_agg(region, ',') || ']' - when max(status) = 0 then 'SecurityHub is enabled for this account on regions: [' || string_agg(region, ',') || ']' - end as reason - FROM regions - GROUP BY account_id, og_account_id - ) - SELECT - r.resource AS resource, - r.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - r.status as status, - r.reason as reason - FROM results as r JOIN aws_account as a ON r.og_account_id = a.og_account_id + QueryToExecute: "with regions as (\n select\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\n r.og_account_id as og_account_id,\n r.og_resource_id as og_resource_id,\n case\n when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then 1\n when r.opt_in_status = 'not-opted-in' then 1\n when h.hub_arn is not null then 0\n else 2\n end as status,\n case\n when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then r.region || ' region not supported.'\n when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'\n when h.hub_arn is not null then 'Security Hub enabled in ' || r.region || '.'\n else 'Security Hub disabled in ' || r.region || '.'\n end as reason\n , r.region, r.account_id\n from\n aws_region as r\n left join aws_securityhub_hub as h on r.account_id = h.account_id and 
r.name = h.region\n),\nresults as (\n SELECT \n account_id AS resource,\n og_account_id as og_account_id,\n og_account_id as og_resource_id,\n case\n when max(status) = 2 then 'alarm'\n when max(status) = 1 then 'skip'\n when max(status) = 0 then 'ok'\n end as status,\n case\n when max(status) = 2 then 'SecurityHub is not enabled for this account on regions: [' || string_agg(region, ',') || ']' \n when max(status) = 1 then 'Account is not opted in regions: [' || string_agg(region, ',') || ']'\n when max(status) = 0 then 'SecurityHub is enabled for this account on regions: [' || string_agg(region, ',') || ']'\n end as reason\n FROM regions\n GROUP BY account_id, og_account_id\n)\nSELECT \n r.resource AS resource,\n r.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n r.status as status,\n r.reason as reason\nFROM results as r JOIN aws_account as a ON r.og_account_id = a.og_account_id\n" PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_region - - aws_securityhub_hub + - aws_account + - aws_region + - aws_securityhub_hub Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/SecurityHub + - AWS/SecurityHub soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
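Review bot: The per-region status encoding (skip = 1, ok = 0, alarm = 2) combined with `max(status)` in `results` means a single not-opted-in or unsupported region outranks every region where Security Hub is enabled, so an account with Security Hub turned on in all of its active regions still reports 'skip' rather than 'ok'; since most accounts carry at least one opt-in region in `not-opted-in` state, the 'ok' outcome is effectively unreachable. The reason strings then list every region via `string_agg(region, ',')` regardless of status, so the "not enabled on regions: [...]" message also names the regions where it is enabled. Ranking skip below ok and filtering the aggregates by status fixes both; the rewrite below assumes the CloudQL engine accepts PostgreSQL's aggregate `FILTER` clause, which the query's existing `string_agg`/`any(array[...])` syntax suggests but which should be confirmed. The hard-coded unsupported-region list is also worth revisiting at some point, since it is baked into the query rather than derived from `aws_region` and region support changes over time.

```sql
-- … unchanged: resource / og_account_id / og_resource_id columns in `regions` …
      case
        when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then 0  -- skip
        when r.opt_in_status = 'not-opted-in' then 0                                                            -- skip
        when h.hub_arn is not null then 1                                                                        -- ok
        else 2                                                                                                   -- alarm
      end as status,
-- … unchanged: per-region reason, from / left join …
      case
        when max(status) = 2 then 'alarm'
        when max(status) = 1 then 'ok'
        else 'skip'
      end as status,
      case
        when max(status) = 2 then 'SecurityHub is not enabled for this account on regions: [' || string_agg(region, ',') filter (where status = 2) || ']'
        when max(status) = 1 then 'SecurityHub is enabled for this account on regions: [' || string_agg(region, ',') filter (where status = 1) || ']'
        else 'Account is not opted in regions: [' || string_agg(region, ',') || ']'
      end as reason
-- … unchanged: FROM regions GROUP BY account_id, og_account_id and the final SELECT …
```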
diff --git a/compliance/controls/aws/aws_sfn_state_machine_logging_enabled.yaml b/compliance/controls/aws/aws_sfn_state_machine_logging_enabled.yaml index 7966840bc..9fa8c00aa 100755 --- a/compliance/controls/aws/aws_sfn_state_machine_logging_enabled.yaml +++ b/compliance/controls/aws/aws_sfn_state_machine_logging_enabled.yaml @@ -1,30 +1,14 @@ ID: aws_sfn_state_machine_logging_enabled Title: "Step Functions state machines should have logging turned on" Description: "This controls checks whether an AWS Step Functions state machine has logging turned on. The control fails if a state machine doesn't have logging turned on. If you provide a custom value for the logLevel parameter, the control passes only if the state machine has the specified logging level turned on." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when logging_configuration ->> 'Level' = 'OFF' then 'alarm' - else 'ok' - end as status, - case - when logging_configuration ->> 'Level' = 'OFF' then title || ' loggging disabled.' - else title || ' loggging enabled.' - end as reason - - - from - aws_sfn_state_machine; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logging_configuration ->> 'Level' = 'OFF' then 'alarm'\n else 'ok'\n end as status,\n case\n when logging_configuration ->> 'Level' = 'OFF' then title || ' loggging disabled.'\n else title || ' loggging enabled.'\n end as reason\n \n \nfrom\n aws_sfn_state_machine;" PrimaryTable: aws_sfn_state_machine ListOfTables: - - aws_sfn_state_machine + - aws_sfn_state_machine Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sns_topic_encrypted_at_rest.yaml b/compliance/controls/aws/aws_sns_topic_encrypted_at_rest.yaml index 8b30e737b..0b8c9bcde 100755 
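Review bot: Both reason strings in the new `QueryToExecute` value misspell "logging" as "loggging" (`title || ' loggging disabled.'` / `title || ' loggging enabled.'`); these strings surface to users in findings and should be fixed while the query is being reformatted. The status rule `when logging_configuration ->> 'Level' = 'OFF' then 'alarm' else 'ok'` also treats a NULL logging_configuration, or a configuration without a 'Level' key, as 'ok', because the comparison yields NULL and the else branch wins; if the table can return a null configuration for a state machine that never had logging set up, `when logging_configuration ->> 'Level' is null or logging_configuration ->> 'Level' = 'OFF' then 'alarm'` is the safer form. The Description additionally refers to a logLevel parameter that `Parameters: []` does not declare.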
--- a/compliance/controls/aws/aws_sns_topic_encrypted_at_rest.yaml +++ b/compliance/controls/aws/aws_sns_topic_encrypted_at_rest.yaml 
@@ -1,64 +1,48 @@ ID: aws_sns_topic_encrypted_at_rest Title: "SNS topics should be encrypted at rest" Description: "To help protect data at rest, ensure that your AWS Simple Notification Service (AWS SNS) topics require encryption using AWS Key Management Service (AWS KMS)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - topic_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when kms_master_key_id is null then 'alarm' - else 'ok' - end as status, - case - when kms_master_key_id is null then title || ' encryption at rest disabled.' - else title || ' encryption at rest enabled.' - end as reason - - , region, account_id - from - aws_sns_topic; + QueryToExecute: "select\n topic_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_master_key_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_master_key_id is null then title || ' encryption at rest disabled.'\n else title || ' encryption at rest enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_sns_topic;\n" PrimaryTable: aws_sns_topic ListOfTables: - - aws_sns_topic + - aws_sns_topic Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" gxp_eu_annex_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/SNS + - AWS/SNS soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_sns_topic_notification_delivery_status_enabled.yaml b/compliance/controls/aws/aws_sns_topic_notification_delivery_status_enabled.yaml index 172d64a6a..0033d0f91 100755 --- a/compliance/controls/aws/aws_sns_topic_notification_delivery_status_enabled.yaml +++ b/compliance/controls/aws/aws_sns_topic_notification_delivery_status_enabled.yaml 
@@ -1,50 +1,26 @@ ID: aws_sns_topic_notification_delivery_status_enabled Title: "Logging of delivery status should be enabled for notification messages sent to a topic" Description: "This control checks whether logging is enabled for the delivery status of notification messages sent to an AWS SNS topic for the endpoints. This control fails if the delivery status notification for messages is not enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - topic_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when application_failure_feedback_role_arn is null - and firehose_failure_feedback_role_arn is null - and http_failure_feedback_role_arn is null - and lambda_failure_feedback_role_arn is null - and sqs_failure_feedback_role_arn is null then 'alarm' - else 'ok' - end as status, - case - when application_failure_feedback_role_arn is null - and firehose_failure_feedback_role_arn is null - and http_failure_feedback_role_arn is null - and lambda_failure_feedback_role_arn is null - and sqs_failure_feedback_role_arn is null then title || ' has delivery status logging for notification messages disabled.' - else title || ' has delivery status logging for notification messages enabled.' 
- end as reason - - , region, account_id - from - aws_sns_topic; + QueryToExecute: "select\n topic_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when application_failure_feedback_role_arn is null\n and firehose_failure_feedback_role_arn is null\n and http_failure_feedback_role_arn is null\n and lambda_failure_feedback_role_arn is null\n and sqs_failure_feedback_role_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when application_failure_feedback_role_arn is null\n and firehose_failure_feedback_role_arn is null\n and http_failure_feedback_role_arn is null\n and lambda_failure_feedback_role_arn is null\n and sqs_failure_feedback_role_arn is null then title || ' has delivery status logging for notification messages disabled.'\n else title || ' has delivery status logging for notification messages enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_sns_topic;\n" PrimaryTable: aws_sns_topic ListOfTables: - - aws_sns_topic + - aws_sns_topic Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_configuration + - resource_configuration foundational_security_item_id: - - sns_2 + - sns_2 plugin: - - aws + - aws service: - - AWS/SNS + - AWS/SNS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sns_topic_policy_prohibit_cross_account_access.yaml b/compliance/controls/aws/aws_sns_topic_policy_prohibit_cross_account_access.yaml index 23e42b1ab..3c56c8210 100755 --- a/compliance/controls/aws/aws_sns_topic_policy_prohibit_cross_account_access.yaml +++ b/compliance/controls/aws/aws_sns_topic_policy_prohibit_cross_account_access.yaml 
@@ -1,8 +1,6 @@ ID: aws_sns_topic_policy_prohibit_cross_account_access Title: "SNS topic policies should prohibit cross account access" Description: "Manage access to resources in the AWS Cloud by ensuring SNS topics does not have cross account access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -41,7 +39,9 @@ Query: left join cross_account_policies as p on p.topic_arn = t.topic_arn; PrimaryTable: aws_sns_topic ListOfTables: - - aws_sns_topic + - aws_sns_topic Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sns_topic_policy_prohibit_public_access.yaml b/compliance/controls/aws/aws_sns_topic_policy_prohibit_public_access.yaml index 9eb5800b7..7d3c36a14 100755 --- a/compliance/controls/aws/aws_sns_topic_policy_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_sns_topic_policy_prohibit_public_access.yaml @@ -1,8 +1,6 @@ ID: aws_sns_topic_policy_prohibit_public_access Title: "SNS topic policies should prohibit public access" Description: "Manage access to resources in the AWS Cloud by ensuring AWS SNS topics cannot be publicly accessed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -40,7 +38,9 @@ Query: left join wildcard_action_policies as p on p.topic_arn = t.topic_arn; PrimaryTable: aws_sns_topic ListOfTables: - - aws_sns_topic + - aws_sns_topic Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sns_topic_policy_prohibit_publishing_access.yaml b/compliance/controls/aws/aws_sns_topic_policy_prohibit_publishing_access.yaml index 6c8a6a022..de3cc6a1d 100755 --- a/compliance/controls/aws/aws_sns_topic_policy_prohibit_publishing_access.yaml +++ b/compliance/controls/aws/aws_sns_topic_policy_prohibit_publishing_access.yaml 
@@ -1,8 +1,6 @@ ID: aws_sns_topic_policy_prohibit_publishing_access Title: "SNS topic policies should prohibit publishing access" Description: "Manage access to resources in the AWS Cloud by ensuring SNS topics cannot be accessed publicly for publishing." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -42,7 +40,9 @@ Query: left join wildcard_action_policies as p on p.topic_arn = t.topic_arn; PrimaryTable: aws_sns_topic ListOfTables: - - aws_sns_topic + - aws_sns_topic Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sns_topic_policy_prohibit_subscription_access.yaml b/compliance/controls/aws/aws_sns_topic_policy_prohibit_subscription_access.yaml index 78b30553f..7b019e8a5 100755 --- a/compliance/controls/aws/aws_sns_topic_policy_prohibit_subscription_access.yaml +++ b/compliance/controls/aws/aws_sns_topic_policy_prohibit_subscription_access.yaml @@ -1,8 +1,6 @@ ID: aws_sns_topic_policy_prohibit_subscription_access Title: "SNS topic policies should prohibit subscription public access" Description: "Manage access to resources in the AWS Cloud by ensuring SNS topics cannot be accessed publicly for subscription." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -42,7 +40,9 @@ Query: left join wildcard_action_policies as p on p.topic_arn = t.topic_arn; PrimaryTable: aws_sns_topic ListOfTables: - - aws_sns_topic + - aws_sns_topic Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sqs_queue_dead_letter_queue_configured.yaml b/compliance/controls/aws/aws_sqs_queue_dead_letter_queue_configured.yaml index 9bda5fd02..d353bc3c6 100755 --- a/compliance/controls/aws/aws_sqs_queue_dead_letter_queue_configured.yaml +++ b/compliance/controls/aws/aws_sqs_queue_dead_letter_queue_configured.yaml 
@@ -1,30 +1,14 @@ ID: aws_sqs_queue_dead_letter_queue_configured Title: "SQS queues should be configured with a dead-letter queue." Description: "Ensure SQS queue is configured with a dead-letter queue. Dead-letter queues are useful for debugging your application or messaging system because they let you isolate problematic messages to determine why their processing didn't succeed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - queue_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when redrive_policy is not null then 'ok' - else 'alarm' - end as status, - case - when redrive_policy is not null then title || ' configured with dead-letter queue.' - else title || ' not configured with dead-letter queue.' - end as reason - - - from - aws_sqs_queue; + QueryToExecute: "select\n queue_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when redrive_policy is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when redrive_policy is not null then title || ' configured with dead-letter queue.'\n else title || ' not configured with dead-letter queue.'\n end as reason\n \n \nfrom\n aws_sqs_queue;" PrimaryTable: aws_sqs_queue ListOfTables: - - aws_sqs_queue + - aws_sqs_queue Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sqs_queue_encrypted_at_rest.yaml b/compliance/controls/aws/aws_sqs_queue_encrypted_at_rest.yaml index 5c92b2e9d..12342b606 100755 --- a/compliance/controls/aws/aws_sqs_queue_encrypted_at_rest.yaml +++ b/compliance/controls/aws/aws_sqs_queue_encrypted_at_rest.yaml 
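Review bot: `redrive_policy is not null` flags every queue without a redrive policy, which includes the dead-letter queues themselves, since a DLQ is the target of another queue's policy and does not normally carry one; in any account that uses the pattern the control therefore produces one guaranteed 'alarm' per DLQ. If the intent is to assess only source queues, consider excluding queues whose ARN appears as a dead-letter target in another queue's redrive policy (a self-join on the policy's `deadLetterTargetArn`, assuming `redrive_policy` is queryable as JSON here), or at least state the behaviour in the Description so the expected noise is understood.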
@@ -1,42 +1,26 @@ ID: aws_sqs_queue_encrypted_at_rest Title: "AWS SQS queues should be encrypted at rest" Description: "This control checks whether AWS SQS queues are encrypted at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - queue_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when kms_master_key_id is null then 'alarm' - else 'ok' - end as status, - case - when kms_master_key_id is null then title || ' encryption at rest disabled.' - else title || ' encryption at rest enabled.' - end as reason - - , region, account_id - from - aws_sqs_queue; + QueryToExecute: "select\n queue_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_master_key_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_master_key_id is null then title || ' encryption at rest disabled.'\n else title || ' encryption at rest enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_sqs_queue;\n" PrimaryTable: aws_sqs_queue ListOfTables: - - aws_sqs_queue + - aws_sqs_queue Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - encryption_of_data_at_rest + - encryption_of_data_at_rest foundational_security_item_id: - - sqs_1 + - sqs_1 plugin: - - aws + - aws service: - - AWS/SQS + - AWS/SQS +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sqs_queue_encrypted_with_kms_cmk.yaml b/compliance/controls/aws/aws_sqs_queue_encrypted_with_kms_cmk.yaml index 6fc0bb495..bd5bd1b30 100755 --- a/compliance/controls/aws/aws_sqs_queue_encrypted_with_kms_cmk.yaml +++ b/compliance/controls/aws/aws_sqs_queue_encrypted_with_kms_cmk.yaml 
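Review bot: Deciding encryption at rest solely on `kms_master_key_id is null` reports 'alarm' for queues that use SQS-managed server-side encryption (SSE-SQS), because that mode sets the `SqsManagedSseEnabled` queue attribute rather than a KMS key id; those queues are encrypted at rest, and neither the Title nor the Description restricts this control to KMS. If the `aws_sqs_queue` table exposes that attribute (cannot be confirmed from this diff), the status branch should become `when kms_master_key_id is null and not coalesce(<sse_sqs_column>, false) then 'alarm'` with a matching reason; otherwise the Description should state that only KMS-based encryption is recognised.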
@@ -1,32 +1,14 @@ ID: aws_sqs_queue_encrypted_with_kms_cmk Title: "SQS queues should be encrypted with KMS CMK" Description: "To help protect sensitive data at rest, ensure encryption is enabled for your AWS SQS queues with KMS CMK." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - queue_arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when kms_master_key_id is null then 'alarm' - when kms_master_key_id is not null and kms_master_key_id = 'alias/aws/sqs' then 'alarm' - else 'ok' - end as status, - case - when kms_master_key_id is null then title || ' encryption at rest disabled.' - when kms_master_key_id is not null and kms_master_key_id = 'alias/aws/sqs' then title || ' not encrypted with CMK.' - else title || ' encrypted with CMK.' - end as reason - - - from - aws_sqs_queue; + QueryToExecute: "select\n queue_arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when kms_master_key_id is null then 'alarm'\n when kms_master_key_id is not null and kms_master_key_id = 'alias/aws/sqs' then 'alarm'\n else 'ok'\n end as status,\n case\n when kms_master_key_id is null then title || ' encryption at rest disabled.'\n when kms_master_key_id is not null and kms_master_key_id = 'alias/aws/sqs' then title || ' not encrypted with CMK.'\n else title || ' encrypted with CMK.'\n end as reason\n \n \nfrom\n aws_sqs_queue;" PrimaryTable: aws_sqs_queue ListOfTables: - - aws_sqs_queue + - aws_sqs_queue Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_sqs_queue_policy_prohibit_public_access.yaml b/compliance/controls/aws/aws_sqs_queue_policy_prohibit_public_access.yaml index d38a51031..663367013 100755 --- a/compliance/controls/aws/aws_sqs_queue_policy_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_sqs_queue_policy_prohibit_public_access.yaml 
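Review bot: The guard `kms_master_key_id is not null and kms_master_key_id = 'alias/aws/sqs'` is redundant in both `case` expressions, because the preceding `when kms_master_key_id is null` branch has already consumed the null case and the equality test is itself null-safe inside a case chain; `when kms_master_key_id = 'alias/aws/sqs' then 'alarm'` reads more clearly. More substantively, the AWS-managed key is recognised only by its alias string, so if the attribute can hold that key's id or ARN form instead, such a queue would be reported as "encrypted with CMK"; whether the table normalises the value to the alias should be confirmed.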
@@ -1,8 +1,6 @@ ID: aws_sqs_queue_policy_prohibit_public_access Title: "SQS queue policies should prohibit public access" Description: "Manage access to resources in the AWS Cloud by ensuring AWS SQS queues cannot be publicly accessed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -40,7 +38,9 @@ Query: left join wildcard_action_policies as p on q.queue_arn = p.queue_arn; PrimaryTable: aws_sqs_queue ListOfTables: - - aws_sqs_queue + - aws_sqs_queue Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ssm_document_prohibit_public_access.yaml b/compliance/controls/aws/aws_ssm_document_prohibit_public_access.yaml index 729b9da20..7053213a7 100755 --- a/compliance/controls/aws/aws_ssm_document_prohibit_public_access.yaml +++ b/compliance/controls/aws/aws_ssm_document_prohibit_public_access.yaml 
@@ -1,44 +1,26 @@ ID: aws_ssm_document_prohibit_public_access Title: "SSM documents should not be public" Description: "This control checks whether AWS Systems Manager documents that are owned by the account are public. This control fails if SSM documents with the owner Self are public." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when account_ids :: jsonb ? 'all' then 'alarm' - else 'ok' - end as status, - case - when account_ids :: jsonb ? 'all' then title || ' publicly accesible.' - else title || ' not publicly accesible.' - end as reason - - , region, account_id - from - aws_ssm_document - where - owner_type = 'Self'; + QueryToExecute: "select\n 'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when account_ids :: jsonb ? 'all' then 'alarm'\n else 'ok'\n end as status,\n case\n when account_ids :: jsonb ? 'all' then title || ' publicly accesible.'\n else title || ' not publicly accesible.'\n end as reason\n \n , region, account_id\nfrom\n aws_ssm_document\nwhere\n owner_type = 'Self';\n" PrimaryTable: aws_ssm_document ListOfTables: - - aws_ssm_document + - aws_ssm_document Parameters: [] Severity: critical Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resources_not_publicly_accessible + - resources_not_publicly_accessible foundational_security_item_id: - - ssm_4 + - ssm_4 plugin: - - aws + - aws service: - - AWS/SSM + - AWS/SSM +IntegrationTypeName: + - aws_cloud 
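Review bot: Both reason strings in the new `QueryToExecute` value misspell "accessible" as "accesible" (`title || ' publicly accesible.'` and `title || ' not publicly accesible.'`); these are what a user sees on a critical-severity finding, so they are worth correcting while the query is being reformatted. The public check itself, `account_ids :: jsonb ? 'all'`, is the right signal for a document shared with everyone (Systems Manager uses the literal account id `all` for public sharing), and the `owner_type = 'Self'` filter scopes the control to account-owned documents as the Description states.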
diff --git a/compliance/controls/aws/aws_ssm_managed_instance_compliance_association_compliant.yaml b/compliance/controls/aws/aws_ssm_managed_instance_compliance_association_compliant.yaml index 25169b956..93f37e812 100755 --- a/compliance/controls/aws/aws_ssm_managed_instance_compliance_association_compliant.yaml +++ b/compliance/controls/aws/aws_ssm_managed_instance_compliance_association_compliant.yaml @@ -1,8 +1,6 @@ ID: aws_ssm_managed_instance_compliance_association_compliant Title: "SSM managed instance associations should be compliant" Description: "Use AWS Systems Manager Associations to help with inventory of software platforms and applications within an organization." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -18,7 +16,7 @@ Query: when c.status = 'COMPLIANT' then c.resource_id || ' association ' || c.title || ' is compliant.' else c.resource_id || ' association ' || c.title || ' is non-compliant.' end as reason - + , c.region, c.account_id from aws_ssm_managed_instance as i, 
@@ -28,44 +26,46 @@ Query: and c.compliance_type = 'Association'; PrimaryTable: aws_ssm_managed_instance_compliance ListOfTables: - - aws_ssm_managed_instance - - aws_ssm_managed_instance_compliance + - aws_ssm_managed_instance + - aws_ssm_managed_instance_compliance Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/SSM + - AWS/SSM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ssm_managed_instance_compliance_patch_compliant.yaml b/compliance/controls/aws/aws_ssm_managed_instance_compliance_patch_compliant.yaml index ae6ec66c2..63ded176d 100755 --- a/compliance/controls/aws/aws_ssm_managed_instance_compliance_patch_compliant.yaml +++ b/compliance/controls/aws/aws_ssm_managed_instance_compliance_patch_compliant.yaml @@ -1,8 +1,6 @@ ID: aws_ssm_managed_instance_compliance_patch_compliant Title: "SSM managed instance patching should be compliant" Description: "Enable this rule to help with identification and documentation of AWS Elastic Compute Cloud (AWS EC2) vulnerabilities." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
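Review bot: `IntegrationTypeName` is appended after `Tags` as the last key of the file, far from the `ID`/`Title`/`Description` header where the `Connector` key it replaces used to sit; putting it in `Connector`'s former position keeps the control's identity and scope metadata together at the top. The same placement is used in every control file of this change, so this is a one-time layout decision rather than a per-file fix.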
@@ -27,44 +25,46 @@ Query: and c.compliance_type = 'Patch'; PrimaryTable: aws_ssm_managed_instance_compliance ListOfTables: - - aws_ssm_managed_instance - - aws_ssm_managed_instance_compliance + - aws_ssm_managed_instance + - aws_ssm_managed_instance_compliance Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/SSM + - AWS/SSM soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_ssm_parameter_encryption_enabled.yaml b/compliance/controls/aws/aws_ssm_parameter_encryption_enabled.yaml index 69376a51d..232d35538 100755 --- a/compliance/controls/aws/aws_ssm_parameter_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_ssm_parameter_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_ssm_parameter_encryption_enabled Title: "SSM parameters encryption should be enabled" Description: "This control checks if SSM parameter has encryption enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_ssm_parameter; PrimaryTable: aws_ssm_parameter ListOfTables: - - aws_ssm_parameter + - aws_ssm_parameter Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml b/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml
index bd81ce071..b2fbfd6f0 100755
--- a/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml
+++ b/compliance/controls/aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml
@@ -1,40 +1,23 @@ ID: aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD Title: "AWS SSO Users with Permission Assignments are required to have MFA on AzureAD" Description: "AWS SSO Users with Permission Assignments are required to have MFA on AzureAD" -Connector: -- aws -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - iden.id as resource, - iden.og_account_id, - iden.og_resource_id, - case - when is_mfa_registered::bool then 'ok' - else 'alarm' - end status, - case - when is_mfa_registered::bool then iden.name || ' has MFA registered' - else iden.name || ' doesnt have MFA' - end reason - from - (aws_identitystore_user cross join jsonb_array_elements(external_ids) as external_id) iden - inner join azuread_user_registration_details az on az.id = value ->> 'Id' - where - exists(select * from aws_ssoadmin_account_assignment where principal_type = 'USER' and principal_id = iden.id) + QueryToExecute: "select \n iden.id as resource,\n iden.og_account_id,\n iden.og_resource_id,\n case\n when is_mfa_registered::bool then 'ok'\n else 'alarm'\n end status,\n case\n when is_mfa_registered::bool then iden.name || ' has MFA registered'\n else iden.name || ' doesnt have MFA'\n end reason\nfrom \n (aws_identitystore_user cross join jsonb_array_elements(external_ids) as external_id) iden\n inner join azuread_user_registration_details az on az.id = value ->> 'Id'\nwhere \n exists(select * from aws_ssoadmin_account_assignment where principal_type = 'USER' and principal_id = iden.id) \n" PrimaryTable: aws_identitystore_user ListOfTables: - - aws_identitystore_user - - aws_ssoadmin_account_assignment - - azuread_user_registration_details + - aws_identitystore_user + - aws_ssoadmin_account_assignment + - azuread_user_registration_details Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance plugin: - - aws + - aws score_service_name: - - AWS Single Sign-On (SSO) + - AWS Single Sign-On (SSO) +IntegrationTypeName: + - 
aws_cloud + - azure_subscription diff --git a/compliance/controls/aws/aws_vpc_configured_to_use_vpc_endpoints.yaml b/compliance/controls/aws/aws_vpc_configured_to_use_vpc_endpoints.yaml index b02dbaf4b..8415e33b7 100755 --- a/compliance/controls/aws/aws_vpc_configured_to_use_vpc_endpoints.yaml +++ b/compliance/controls/aws/aws_vpc_configured_to_use_vpc_endpoints.yaml 
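Review bot: The rewritten query's `inner join azuread_user_registration_details az on az.id = value ->> 'Id'` silently drops every SSO user with a permission assignment whose external id has no matching Azure AD registration row, so such users are never reported at all by an MFA control; a `left join azuread_user_registration_details az on az.id = value ->> 'Id'` with `when az.id is null then 'alarm'` as the first branch of both `case` expressions would fail closed instead of skipping them. The `IntegrationTypeName` list with `aws_cloud` and `azure_subscription` matches the two connectors removed above, so the scope metadata is consistent. The reason text also keeps the typo `doesnt`; `iden.name || ' does not have MFA'`.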
@@ -1,57 +1,27 @@ ID: aws_vpc_configured_to_use_vpc_endpoints Title: "VPC should be configured to use VPC endpoints" Description: "Checks if Service Endpoint for the service provided in rule parameter is created for each AWS Virtual Private Cloud (AWS VPC). The rule is non-compliant if an AWS VPC doesn't have an AWS VPC endpoint created for the service." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when vpc_id not in ( - select - vpc_id - from - aws_vpc_endpoint - where - service_name like 'com.amazonaws.' || region || '.ec2' - ) then 'alarm' - else 'ok' - end as status, - case - when vpc_id not in ( - select - vpc_id - from - aws_vpc_endpoint - where - service_name like 'com.amazonaws.' || region || '.ec2' - ) then title || ' not configured to use VPC endpoints.' - else title || ' configured to use VPC endpoints.' - end as reason - - , region, account_id - from - aws_vpc; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when vpc_id not in (\n select\n vpc_id\n from\n aws_vpc_endpoint\n where\n service_name like 'com.amazonaws.' || region || '.ec2'\n ) then 'alarm'\n else 'ok'\n end as status,\n case\n when vpc_id not in (\n select\n vpc_id\n from\n aws_vpc_endpoint\n where\n service_name like 'com.amazonaws.' 
|| region || '.ec2'\n ) then title || ' not configured to use VPC endpoints.'\n else title || ' configured to use VPC endpoints.'\n end as reason\n \n , region, account_id\nfrom\n aws_vpc;\n" PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_endpoint + - aws_vpc + - aws_vpc_endpoint Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - api_private_access + - api_private_access foundational_security_item_id: - - ec2_10 + - ec2_10 plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_default_security_group_restricts_all_traffic.yaml b/compliance/controls/aws/aws_vpc_default_security_group_restricts_all_traffic.yaml index a4e199b57..e76c1d91e 100755 --- a/compliance/controls/aws/aws_vpc_default_security_group_restricts_all_traffic.yaml +++ b/compliance/controls/aws/aws_vpc_default_security_group_restricts_all_traffic.yaml 
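Review bot: `vpc_id not in (select vpc_id from aws_vpc_endpoint where ...)` evaluates to NULL for every VPC that has no matching endpoint as soon as the subquery returns one row with a NULL `vpc_id`, which sends all of them to the `else 'ok'` branch and hides real alarms; both subqueries should exclude NULLs, e.g. `and vpc_id is not null` after the `service_name` predicate, or be rewritten as `not exists`. Separately, `like 'com.amazonaws.' || region || '.ec2'` contains no wildcard and so behaves as `=`; plain equality would state the intent. The rewritten string repeats the subquery in both `case` expressions, so any fix has to be applied in both places.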
@@ -1,71 +1,48 @@ ID: aws_vpc_default_security_group_restricts_all_traffic Title: "VPC default security group should not allow inbound and outbound traffic" Description: "AWS Elastic Compute Cloud (AWS EC2) security groups can help in the management of network access by providing stateful filtering of ingress and egress network traffic to AWS resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has inbound and outbound rules.' - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0 - then 'Default security group ' || group_id || ' has inbound rules.' - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has outbound rules.' - else 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- end reason - - , region, account_id - from - aws_vpc_security_group - where - group_name = 'default'; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has inbound and outbound rules.'\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0\n then 'Default security group ' || group_id || ' has inbound rules.'\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has outbound rules.'\n else 'Default security group ' || group_id || ' has no inbound or outbound rules.'\n end reason\n \n , region, account_id\nfrom\n aws_vpc_security_group\nwhere\n group_name = 'default';\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/VPC + - AWS/VPC soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_vpc_eip_associated.yaml b/compliance/controls/aws/aws_vpc_eip_associated.yaml
index 5118358d5..ece2c4c44 100755
--- a/compliance/controls/aws/aws_vpc_eip_associated.yaml
+++ b/compliance/controls/aws/aws_vpc_eip_associated.yaml
@@ -1,50 +1,34 @@ ID: aws_vpc_eip_associated Title: "VPC EIPs should be associated with an EC2 instance or ENI" Description: "This rule ensures Elastic IPs allocated to a AWS Virtual Private Cloud (AWS VPC) are attached to AWS Elastic Compute Cloud (AWS EC2) instances or in-use Elastic Network Interfaces." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':eip/' || allocation_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when association_id is null then 'alarm' - else 'ok' - end status, - case - when association_id is null then title || ' is not associated with any resource.' - else title || ' is associated with a resource.' - end reason - - , region, account_id - from - aws_vpc_eip; + QueryToExecute: "select\n 'arn:' || partition || ':ec2:' || region || ':' || account_id || ':eip/' || allocation_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when association_id is null then 'alarm'\n else 'ok'\n end status,\n case\n when association_id is null then title || ' is not associated with any resource.'\n else title || ' is associated with a resource.'\n end reason\n \n , region, account_id\nfrom\n aws_vpc_eip;\n" PrimaryTable: aws_vpc_eip ListOfTables: - - aws_vpc_eip + - aws_vpc_eip Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" ffiec: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/VPC + - AWS/VPC soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_vpc_endpoint_service_acceptance_required_enabled.yaml b/compliance/controls/aws/aws_vpc_endpoint_service_acceptance_required_enabled.yaml index 5897d758a..18857ba69 100755 --- a/compliance/controls/aws/aws_vpc_endpoint_service_acceptance_required_enabled.yaml +++ b/compliance/controls/aws/aws_vpc_endpoint_service_acceptance_required_enabled.yaml @@ -1,30 +1,14 @@ ID: aws_vpc_endpoint_service_acceptance_required_enabled Title: "VPC endpoint services should have acceptance required enabled" Description: "Ensure VPC endpoints connection requests to the service are accepted by the service owner." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - service_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when acceptance_required then 'ok' - else 'alarm' - end as status, - case - when acceptance_required then title || ' acceptance_required enabled.' - else title || ' acceptance_required disabled.' - end as reason - - - from - aws_vpc_endpoint_service; + QueryToExecute: "select\n service_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when acceptance_required then 'ok'\n else 'alarm'\n end as status,\n case\n when acceptance_required then title || ' acceptance_required enabled.'\n else title || ' acceptance_required disabled.'\n end as reason\n \n \nfrom\n aws_vpc_endpoint_service;" PrimaryTable: aws_vpc_endpoint_service ListOfTables: - - aws_vpc_endpoint_service + - aws_vpc_endpoint_service Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_flow_logs_enabled.yaml b/compliance/controls/aws/aws_vpc_flow_logs_enabled.yaml index 55d4ce087..d03d8d787 100755 --- a/compliance/controls/aws/aws_vpc_flow_logs_enabled.yaml +++ b/compliance/controls/aws/aws_vpc_flow_logs_enabled.yaml 
@@ -1,74 +1,55 @@ ID: aws_vpc_flow_logs_enabled Title: "VPC flow logs should be enabled" Description: "The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your AWS Virtual Private Cloud (AWS VPC." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - distinct v.arn as resource, - v.og_account_id as og_account_id, - v.og_resource_id as og_resource_id, - case - when v.account_id <> v.owner_id then 'skip' - when f.resource_id is not null then 'ok' - else 'alarm' - end as status, - case - when v.account_id <> v.owner_id then vpc_id || ' is a shared VPC.' - when f.resource_id is not null then vpc_id || ' flow logging enabled.' - else vpc_id || ' flow logging disabled.' - end as reason - - , v.region, v.account_id - from - aws_vpc as v - left join aws_vpc_flow_log as f on v.vpc_id = f.resource_id; + QueryToExecute: "select\n distinct v.arn as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when v.account_id <> v.owner_id then 'skip'\n when f.resource_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when v.account_id <> v.owner_id then vpc_id || ' is a shared VPC.'\n when f.resource_id is not null then vpc_id || ' flow logging enabled.'\n else vpc_id || ' flow logging disabled.'\n end as reason\n \n , v.region, v.account_id\nfrom\n aws_vpc as v\n left join aws_vpc_flow_log as f on v.vpc_id = f.resource_id;\n" PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_flow_log + - aws_vpc + - aws_vpc_flow_log Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" 
hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" score_tags: - - Unencrypted Traffic + - Unencrypted Traffic service: - - AWS/VPC + - AWS/VPC soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_gateway_endpoint_restrict_public_access.yaml b/compliance/controls/aws/aws_vpc_gateway_endpoint_restrict_public_access.yaml index 8a73d6a9f..5f4a35eac 100755 --- a/compliance/controls/aws/aws_vpc_gateway_endpoint_restrict_public_access.yaml +++ b/compliance/controls/aws/aws_vpc_gateway_endpoint_restrict_public_access.yaml 
@@ -1,51 +1,14 @@ ID: aws_vpc_gateway_endpoint_restrict_public_access Title: "VPC gateway endpoints should restrict public access" Description: "Manage access to resources in the AWS Cloud by ensuring VPC gateway endpoints cannot be publicly accessed." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with wildcard_action_policies as ( - select - vpc_endpoint_id, - count(*) as statements_num - from - aws_vpc_endpoint, - jsonb_array_elements(policy_std -> 'Statement') as s - where - s ->> 'Effect' = 'Allow' - and s -> 'Condition' is null - and ( - (s -> 'Principal' -> 'AWS') = '["*"]' - or s ->> 'Principal' = '*' - ) - and s ->> 'Action' = '["*"]' - group by - vpc_endpoint_id - ) - select - e.vpc_endpoint_id as resource, - e.og_account_id as og_account_id, - e.og_resource_id as og_resource_id, - case - when e.vpc_endpoint_type <> 'Gateway' then 'skip' - when p.vpc_endpoint_id is null then 'ok' - else 'alarm' - end as status, - case - when vpc_endpoint_type <> 'Gateway' then e.title || ' is of ' || e.vpc_endpoint_type || ' endpoint type.' - when p.vpc_endpoint_id is null then e.title || ' does not allow public access.' - else title || ' contains ' || coalesce(p.statements_num, 0) || - ' statements that allows public access.' 
- end as reason - - from - aws_vpc_endpoint as e - left join wildcard_action_policies as p on p.vpc_endpoint_id = e.vpc_endpoint_id; + QueryToExecute: "with wildcard_action_policies as (\n select\n vpc_endpoint_id,\n count(*) as statements_num\n from\n aws_vpc_endpoint,\n jsonb_array_elements(policy_std -> 'Statement') as s\n where\n s ->> 'Effect' = 'Allow'\n and s -> 'Condition' is null\n and (\n (s -> 'Principal' -> 'AWS') = '[\"*\"]'\n or s ->> 'Principal' = '*'\n )\n and s ->> 'Action' = '[\"*\"]'\n group by\n vpc_endpoint_id\n)\nselect\n e.vpc_endpoint_id as resource,\n e.og_account_id as og_account_id,\n e.og_resource_id as og_resource_id,\n case\n when e.vpc_endpoint_type <> 'Gateway' then 'skip'\n when p.vpc_endpoint_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when vpc_endpoint_type <> 'Gateway' then e.title || ' is of ' || e.vpc_endpoint_type || ' endpoint type.'\n when p.vpc_endpoint_id is null then e.title || ' does not allow public access.'\n else title || ' contains ' || coalesce(p.statements_num, 0) ||\n ' statements that allows public access.'\n end as reason\n \nfrom\n aws_vpc_endpoint as e\n left join wildcard_action_policies as p on p.vpc_endpoint_id = e.vpc_endpoint_id;" PrimaryTable: aws_vpc_endpoint ListOfTables: - - aws_vpc_endpoint + - aws_vpc_endpoint Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_igw_attached_to_authorized_vpc.yaml b/compliance/controls/aws/aws_vpc_igw_attached_to_authorized_vpc.yaml index afd5a5113..398e4b684 100755 --- a/compliance/controls/aws/aws_vpc_igw_attached_to_authorized_vpc.yaml +++ b/compliance/controls/aws/aws_vpc_igw_attached_to_authorized_vpc.yaml 
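Review bot: The wildcard detection in the rewritten CTE is asymmetric: the Principal test accepts both `s ->> 'Principal' = '*'` and the array form `'[\"*\"]'`, but `s ->> 'Action' = '[\"*\"]'` accepts only the array form, so a statement whose Action is the bare string `"*"` is not counted unless `policy_std` always normalises Action into an array, which is not visible here; `or s ->> 'Action' = '*'` inside a parenthesised condition would mirror the Principal check. The `s -> 'Condition' is null` filter also means any statement carrying a condition is treated as non-public regardless of what that condition restricts, which deserves a comment in the file stating the assumption.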
@@ -1,8 +1,6 @@ ID: aws_vpc_igw_attached_to_authorized_vpc Title: "VPC internet gateways should be attached to authorized vpc" Description: "Manage access to resources in the AWS Cloud by ensuring that internet gateways are only attached to authorized AWS Virtual Private Cloud (AWS VPC)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -22,37 +20,39 @@ Query: 2 ) || '.' end as reason - + , region, account_id from aws_vpc_internet_gateway; PrimaryTable: aws_vpc_internet_gateway ListOfTables: - - aws_vpc_internet_gateway + - aws_vpc_internet_gateway Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/VPC + - AWS/VPC soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_in_more_than_one_region.yaml b/compliance/controls/aws/aws_vpc_in_more_than_one_region.yaml index 888e3b4b1..2969ddc1d 100755 --- a/compliance/controls/aws/aws_vpc_in_more_than_one_region.yaml +++ b/compliance/controls/aws/aws_vpc_in_more_than_one_region.yaml 
@@ -1,46 +1,15 @@ ID: aws_vpc_in_more_than_one_region Title: "VPCs should exist in multiple regions" Description: "This control checks whether there are VPCs present in multiple regions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with vpc_region_list as ( - select - distinct region, account_id - from - aws_vpc - ), vpc_count_in_account as ( - select - count(*) as num, - account_id - from - vpc_region_list - group by account_id - ) - select - arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when v.num > 1 then 'ok' - when v.num = 1 then 'alarm' - else 'alarm' - end as status, - case - when v.num > 1 then 'VPCs exist in ' || v.num || ' regions.' - when v.num = 1 then 'VPCs exist only in one region.' - else 'VPC does not exist.' - end as reason - - from - aws_account as a - left join vpc_count_in_account as v on v.account_id = a.account_id; + QueryToExecute: "with vpc_region_list as (\n select\n distinct region, account_id\n from\n aws_vpc\n), vpc_count_in_account as (\n select\n count(*) as num,\n account_id\n from\n vpc_region_list\n group by account_id\n)\nselect\n arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when v.num > 1 then 'ok'\n when v.num = 1 then 'alarm'\n else 'alarm'\n end as status,\n case\n when v.num > 1 then 'VPCs exist in ' || v.num || ' regions.'\n when v.num = 1 then 'VPCs exist only in one region.'\n else 'VPC does not exist.'\n end as reason\n \nfrom\n aws_account as a\n left join vpc_count_in_account as v on v.account_id = a.account_id;" PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_account + - aws_vpc + - aws_account Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_network_acl_remote_administration.yaml b/compliance/controls/aws/aws_vpc_network_acl_remote_administration.yaml index 564c127b4..175578958 100755 
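Review bot: In the rewritten status expression `when v.num = 1 then 'alarm' else 'alarm'` both branches are identical, so the middle `when` is dead code and only the reason mapping still distinguishes one region from no VPC at all; `when v.num > 1 then 'ok' else 'alarm'` says the same thing without the redundancy. `PrimaryTable: aws_vpc` is kept while the outer `select` reads `arn` from `aws_account as a`; if PrimaryTable is meant to name the table the `resource` column comes from, this should presumably be `aws_account`, though what consumes that field is not visible here.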
--- a/compliance/controls/aws/aws_vpc_network_acl_remote_administration.yaml +++ b/compliance/controls/aws/aws_vpc_network_acl_remote_administration.yaml @@ -1,8 +1,6 @@ ID: aws_vpc_network_acl_remote_administration Title: "Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389" Description: "This control checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted. The rule fails if a NACL inbound entry allows a source CIDR block of '0.0.0.0/0' or '::/0' for ports 22 or 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -57,25 +55,27 @@ Query: left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id; PrimaryTable: aws_vpc_network_acl ListOfTables: - - aws_vpc_network_acl + - aws_vpc_network_acl Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "5.1" + - "5.1" cis_level: - - "1" + - "1" cis_section_id: - - "5" + - "5" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - aws + - aws service: - - AWS/VPC + - AWS/VPC +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_network_acl_unused.yaml b/compliance/controls/aws/aws_vpc_network_acl_unused.yaml index 00035b097..7870cc78b 100755 --- a/compliance/controls/aws/aws_vpc_network_acl_unused.yaml +++ b/compliance/controls/aws/aws_vpc_network_acl_unused.yaml 
@@ -1,42 +1,26 @@ ID: aws_vpc_network_acl_unused Title: "VPC network access control lists (network ACLs) should be associated with a subnet." Description: "Ensure there are no unused network access control lists (network ACLs). The rule is compliant if each network ACL is associated with a subnet. The rule is non-compliant if a network ACL is not associated with a subnet." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - network_acl_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(associations) >= 1 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(associations) >= 1 then title || ' associated with subnet.' - else title || ' not associated with subnet.' - end reason - - , region, account_id - from - aws_vpc_network_acl; + QueryToExecute: "select\n network_acl_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(associations) >= 1 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(associations) >= 1 then title || ' associated with subnet.'\n else title || ' not associated with subnet.'\n end reason\n \n , region, account_id\nfrom\n aws_vpc_network_acl;\n" PrimaryTable: aws_vpc_network_acl ListOfTables: - - aws_vpc_network_acl + - aws_vpc_network_acl Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/VPC + - AWS/VPC +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_not_in_use.yaml b/compliance/controls/aws/aws_vpc_not_in_use.yaml index bfd81b9f0..8e157b50e 100755 --- a/compliance/controls/aws/aws_vpc_not_in_use.yaml +++ b/compliance/controls/aws/aws_vpc_not_in_use.yaml 
@@ -1,8 +1,6 @@ ID: aws_vpc_not_in_use Title: "VPCs should be in use" Description: "This control checks whether there are any unused VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -31,8 +29,10 @@ Query: left join vpc_without_subnet as s on s.vpc_id = v.vpc_id; PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_subnet + - aws_vpc + - aws_vpc_subnet Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_peering_connection_no_cross_account_access.yaml b/compliance/controls/aws/aws_vpc_peering_connection_no_cross_account_access.yaml index d7b03b2d6..6b9224c34 100755 --- a/compliance/controls/aws/aws_vpc_peering_connection_no_cross_account_access.yaml +++ b/compliance/controls/aws/aws_vpc_peering_connection_no_cross_account_access.yaml @@ -1,8 +1,6 @@ ID: aws_vpc_peering_connection_no_cross_account_access Title: "VPCs peering connection should not be allowed in cross account" Description: "Ensure that all VPCs peering connection are not having cross account access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,7 +22,9 @@ Query: aws_vpc_peering_connection; PrimaryTable: aws_vpc_peering_connection ListOfTables: - - aws_vpc_peering_connection + - aws_vpc_peering_connection Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_peering_connection_route_table_least_privilege.yaml b/compliance/controls/aws/aws_vpc_peering_connection_route_table_least_privilege.yaml index 751bee8e0..79b652eee 100755 --- a/compliance/controls/aws/aws_vpc_peering_connection_route_table_least_privilege.yaml +++ b/compliance/controls/aws/aws_vpc_peering_connection_route_table_least_privilege.yaml 
@@ -1,8 +1,6 @@ ID: aws_vpc_peering_connection_route_table_least_privilege Title: "VPCs peering connection route tables should have least privilege" Description: "Ensure that all VPCs peering connection route tables have least privilege." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -39,8 +37,10 @@ Query: left join vpc_peering_routing_tables as t on t.peering_connection_id = c.id; PrimaryTable: aws_vpc_peering_connection ListOfTables: - - aws_vpc_route_table - - aws_vpc_peering_connection + - aws_vpc_route_table + - aws_vpc_peering_connection Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_route_table_restrict_public_access_to_igw.yaml b/compliance/controls/aws/aws_vpc_route_table_restrict_public_access_to_igw.yaml index 9f4ed2b04..b8d90164d 100755 --- a/compliance/controls/aws/aws_vpc_route_table_restrict_public_access_to_igw.yaml +++ b/compliance/controls/aws/aws_vpc_route_table_restrict_public_access_to_igw.yaml 
@@ -1,74 +1,42 @@ ID: aws_vpc_route_table_restrict_public_access_to_igw Title: "VPC route table should restrict public access to IGW" Description: "Ensure that there are public routes in the route table to an Internet Gateway (IGW). The rule is non-compliant if a route to an IGW has a destination CIDR block of '0.0.0.0/0' or '::/0'." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with route_with_public_access as ( - select - route_table_id, - count(*) as num - from - aws_vpc_route_table, - jsonb_array_elements(routes) as r - where - ( r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - or r ->> 'DestinationCidrBlock' = '::/0' - ) - and r ->> 'GatewayId' like 'igw%' - group by - route_table_id - ) - select - a.route_table_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.route_table_id is null then 'ok' - else 'alarm' - end as status, - case - when b.route_table_id is null then a.title || ' does not have public routes to an Internet Gateway (IGW)' - else a.title || ' contains ' || b.num || ' rule(s) which have public routes to an Internet Gateway (IGW)' - end as reason - - , region, account_id - from - aws_vpc_route_table as a - left join route_with_public_access as b on b.route_table_id = a.route_table_id; + QueryToExecute: "with route_with_public_access as (\n select\n route_table_id,\n count(*) as num\n from\n aws_vpc_route_table,\n jsonb_array_elements(routes) as r\n where\n ( r ->> 'DestinationCidrBlock' = '0.0.0.0/0'\n or r ->> 'DestinationCidrBlock' = '::/0'\n )\n and r ->> 'GatewayId' like 'igw%'\n group by\n route_table_id\n)\nselect\n a.route_table_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.route_table_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.route_table_id is null then a.title || ' does not have public routes to an Internet Gateway (IGW)'\n else a.title || ' contains ' || b.num || ' rule(s) 
which have public routes to an Internet Gateway (IGW)'\n end as reason\n \n , region, account_id\nfrom\n aws_vpc_route_table as a\n left join route_with_public_access as b on b.route_table_id = a.route_table_id;\n" PrimaryTable: aws_vpc_route_table ListOfTables: - - aws_vpc_route_table + - aws_vpc_route_table Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/VPC + - AWS/VPC +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_authorized_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_authorized_ports.yaml index 36c2af1a1..241687634 100755 --- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_authorized_ports.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_authorized_ports.yaml 
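Review bot: The `QueryToExecute` value is rewritten from a `|` block scalar into a single double-quoted line with embedded `\n`, which loses line-by-line diffability, makes the SQL unreadable in review, and is inconsistent with other controls touched by this same commit (e.g. `aws_vpc_not_in_use`, `..._allows_ingress_to_memcached_port`) that keep `QueryToExecute: |-`; since the parsed value is identical, the block-scalar form should be kept. The same rewrite appears in the `..._allows_ingress_authorized_ports`, `..._allows_ingress_to_cassandra_ports`, `..._associated_to_eni`, `..._remote_administration`, `..._remote_administration_ipv4`, `..._remote_administration_ipv6` and `..._restrict_ingress_common_ports_all` hunks (and in `..._restrict_ingress_rdp_all`, whose hunk runs past the end of this view). Separately, the `'::/0'` comparison is made against `DestinationCidrBlock`; EC2 reports IPv6 destinations in a separate `DestinationIpv6CidrBlock` field, so as written an IPv6 default route to an IGW is presumably never flagged — confirm against the `routes` JSON shape and, if so, add `or r ->> 'DestinationIpv6CidrBlock' = '::/0'` to the `where` clause.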
@@ -1,57 +1,27 @@ ID: aws_vpc_security_group_allows_ingress_authorized_ports Title: "VPC Security groups should only allow unrestricted incoming traffic for authorized ports" Description: "This control checks whether the VPC security groups that are in use allow unrestricted incoming traffic. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. The default values for authorizedTcpPorts are 80 and 443." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with ingress_unauthorized_ports as ( - select - group_id, - count(*) - from - aws_vpc_security_group_rule - where - type = 'ingress' - and cidr_ipv4 = '0.0.0.0/0' - and (from_port is null or from_port not in (80,443)) - group by - group_id - ) - select - sg.arn as resource, - sg.og_account_id as og_account_id, - sg.og_resource_id as og_resource_id, - case - when ingress_unauthorized_ports.count > 0 then 'alarm' - else 'ok' - end as status, - case - when ingress_unauthorized_ports.count > 0 then sg.title || ' having unrestricted incoming traffic other than default ports from 0.0.0.0/0 ' - else sg.title || ' allows unrestricted incoming traffic for authorized default ports (80,443).' 
- end as reason - - , sg.region, sg.account_id - from - aws_vpc_security_group as sg - left join ingress_unauthorized_ports on ingress_unauthorized_ports.group_id = sg.group_id; + QueryToExecute: "with ingress_unauthorized_ports as (\n select\n group_id,\n count(*)\n from\n aws_vpc_security_group_rule\n where\n type = 'ingress'\n and cidr_ipv4 = '0.0.0.0/0'\n and (from_port is null or from_port not in (80,443))\n group by\n group_id\n)\nselect\n sg.arn as resource,\n sg.og_account_id as og_account_id,\n sg.og_resource_id as og_resource_id,\n case\n when ingress_unauthorized_ports.count > 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when ingress_unauthorized_ports.count > 0 then sg.title || ' having unrestricted incoming traffic other than default ports from 0.0.0.0/0 '\n else sg.title || ' allows unrestricted incoming traffic for authorized default ports (80,443).'\n end as reason\n \n , sg.region, sg.account_id\nfrom\n aws_vpc_security_group as sg\n left join ingress_unauthorized_ports on ingress_unauthorized_ports.group_id = sg.group_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: high Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - security_group_configuration + - security_group_configuration foundational_security_item_id: - - ec2_18 + - ec2_18 plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_cassandra_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_cassandra_ports.yaml index cbd3a8959..de0267a27 100755 --- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_cassandra_ports.yaml 
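Review bot: The unauthorized-port test `and (from_port is null or from_port not in (80,443))` looks only at `from_port`, so an ingress rule from `0.0.0.0/0` with a range such as 80–8080 is counted as an authorized default port and the group reports `ok`; the test should also require a single-port range, e.g. `and (from_port is null or from_port <> to_port or from_port not in (80,443))`. The rule also only matches `cidr_ipv4 = '0.0.0.0/0'`, whereas the `..._remote_administration` control in this same commit additionally checks `cidr_ipv6 = '::/0'`, so IPv6-open rules are not detected here. Finally, the `Description` promises an `authorizedTcpPorts` parameter but `Parameters: []` leaves the 80/443 list hard-coded in the query; either expose the parameter or drop that sentence from the description.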
+++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_cassandra_ports.yaml 
@@ -1,58 +1,15 @@ ID: aws_vpc_security_group_allows_ingress_to_cassandra_ports Title: "VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888" Description: "This control checks whether the VPC security groups allow ingress from 0.0.0.0/0 or ::/0 to cassandra ports 7199 or 9160 or 8888. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 from ports 7199 or 9160 or 8888." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with ingress_ssh_rules as ( - select - group_id, - count(*) as num_ssh_rules - from - aws_vpc_security_group_rule - where - type = 'ingress' - and cidr_ipv4 = '0.0.0.0/0' - and ( - ( ip_protocol = '-1' - and from_port is null - ) - or ( - from_port >= 7199 - and to_port <= 7199 - ) or ( - from_port >= 9160 - and to_port <= 9160 - ) or ( - from_port >= 8888 - and to_port <= 8888 - ) - ) - group by - group_id - ) - select - arn as resource, - sg.og_account_id as og_account_id, - sg.og_resource_id as og_resource_id, - case - when ingress_ssh_rules.group_id is null then 'ok' - else 'alarm' - end as status, - case - when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for cassandra ports from 0.0.0.0/0.' - else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for cassandra ports from 0.0.0.0/0.' 
- end as reason - - from - aws_vpc_security_group as sg - left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id; + QueryToExecute: "with ingress_ssh_rules as (\n select\n group_id,\n count(*) as num_ssh_rules\n from\n aws_vpc_security_group_rule\n where\n type = 'ingress'\n and cidr_ipv4 = '0.0.0.0/0'\n and (\n ( ip_protocol = '-1'\n and from_port is null\n )\n or (\n from_port >= 7199\n and to_port <= 7199\n ) or (\n from_port >= 9160\n and to_port <= 9160\n ) or (\n from_port >= 8888\n and to_port <= 8888\n )\n )\n group by\n group_id\n)\nselect\n arn as resource,\n sg.og_account_id as og_account_id,\n sg.og_resource_id as og_resource_id,\n case\n when ingress_ssh_rules.group_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for cassandra ports from 0.0.0.0/0.'\n else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for cassandra ports from 0.0.0.0/0.'\n end as reason \n \nfrom\n aws_vpc_security_group as sg\n left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id;" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_memcached_port.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_memcached_port.yaml index f5fb0086b..90a8e6fb9 100755 --- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_memcached_port.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_memcached_port.yaml 
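Review bot: Each port test has the form `from_port >= 7199 and to_port <= 7199`, which is only true when the rule's range is exactly 7199–7199, so a rule from `0.0.0.0/0` covering 7000–9999 exposes the port but is not counted; the containment test is `from_port <= 7199 and to_port >= 7199` (likewise for 9160 and 8888). The same inverted comparisons appear in the `..._remote_administration`, `..._remote_administration_ipv4`, `..._remote_administration_ipv6` and `..._restrict_ingress_common_ports_all` hunks (and in `..._restrict_ingress_rdp_all`, whose hunk runs past the end of this view). The `Title` says "from 0.0.0.0/0 or ::/0", but the `where` clause only matches `cidr_ipv4 = '0.0.0.0/0'`, so IPv6-open rules pass silently; `and (cidr_ipv4 = '0.0.0.0/0' or cidr_ipv6 = '::/0')`, as the remote-administration control does, would close that gap. The CTE is still named `ingress_ssh_rules` although it counts Cassandra-port rules; a name such as `ingress_cassandra_rules` would avoid confusion.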
@@ -1,8 +1,6 @@ ID: aws_vpc_security_group_allows_ingress_to_memcached_port Title: "VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to memcached port 11211" Description: "This control checks whether the VPC security groups that are in use allow allow ingress from 0.0.0.0/0 or ::/0 to memcached port 11211. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 from port 11211." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -44,8 +42,10 @@ Query: left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_mongodb_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_mongodb_ports.yaml index 1c269efde..b1ba2ea48 100755 --- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_mongodb_ports.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_mongodb_ports.yaml @@ -1,8 +1,6 @@ ID: aws_vpc_security_group_allows_ingress_to_mongodb_ports Title: "VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to mongoDB ports 27017 and 27018" Description: "This control checks whether the VPC security groups that are in use allow ingress from 0.0.0.0/0 or ::/0 to mongoDB ports 27017 and 27018. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 from ports 27017 and 27018." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -48,8 +46,10 @@ Query: left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_oracle_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_oracle_ports.yaml index 9a2c18a2c..7275ed908 100755 --- a/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_oracle_ports.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_allows_ingress_to_oracle_ports.yaml @@ -1,8 +1,6 @@ ID: aws_vpc_security_group_allows_ingress_to_oracle_ports Title: "VPC security groups should restrict ingress from 0.0.0.0/0 or ::/0 to oracle ports 1521 or 2483" Description: "This control checks whether the VPC security groups that are in use allow ingress from 0.0.0.0/0 or ::/0 to oracle ports 1521 or 2483. Optionally the rule checks whether the port numbers are listed in the authorizedTcpPorts parameter. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 from ports 1521 or 2483." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_associated_to_eni.yaml b/compliance/controls/aws/aws_vpc_security_group_associated_to_eni.yaml index fa116ecc3..8e7a185a2 100755 --- a/compliance/controls/aws/aws_vpc_security_group_associated_to_eni.yaml 
+++ b/compliance/controls/aws/aws_vpc_security_group_associated_to_eni.yaml 
@@ -1,53 +1,27 @@ ID: aws_vpc_security_group_associated_to_eni Title: "VPC security groups should be associated with at least one ENI" Description: "This rule ensures the security groups are attached to an AWS Elastic Compute Cloud (AWS EC2) instance or to an ENI. This rule helps monitoring unused security groups in the inventory and the management of your environment." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with associated_sg as ( - select - count(sg ->> 'GroupId'), - sg ->> 'GroupId' as secgrp_id - from - aws_ec2_network_interface, - jsonb_array_elements(groups) as sg - group by sg ->> 'GroupId' - ) - select - distinct s.arn as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when a.secgrp_id = s.group_id then 'ok' - else 'alarm' - end as status, - case - when a.secgrp_id = s.group_id then s.title || ' is associated with ' || a.count || ' ENI(s).' - else s.title || ' not associated to any ENI.' - end as reason - - , region, account_id - from - aws_vpc_security_group as s - left join associated_sg as a on s.group_id = a.secgrp_id; + QueryToExecute: "with associated_sg as (\n select\n count(sg ->> 'GroupId'),\n sg ->> 'GroupId' as secgrp_id\n from\n aws_ec2_network_interface,\n jsonb_array_elements(groups) as sg\n group by sg ->> 'GroupId'\n)\nselect\n distinct s.arn as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when a.secgrp_id = s.group_id then 'ok'\n else 'alarm'\n end as status,\n case\n when a.secgrp_id = s.group_id then s.title || ' is associated with ' || a.count || ' ENI(s).'\n else s.title || ' not associated to any ENI.'\n end as reason\n \n , region, account_id\nfrom\n aws_vpc_security_group as s\n left join associated_sg as a on s.group_id = a.secgrp_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_ec2_network_interface - - aws_vpc_security_group + - aws_ec2_network_interface + - aws_vpc_security_group 
Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/VPC + - AWS/VPC soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_not_uses_launch_wizard_sg.yaml b/compliance/controls/aws/aws_vpc_security_group_not_uses_launch_wizard_sg.yaml index d5c3e4421..1273d4c50 100755 --- a/compliance/controls/aws/aws_vpc_security_group_not_uses_launch_wizard_sg.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_not_uses_launch_wizard_sg.yaml @@ -1,8 +1,6 @@ ID: aws_vpc_security_group_not_uses_launch_wizard_sg Title: "VPC security groups should restrict uses of 'launch-wizard' security groups." Description: "Ensure the launch-wizard security group in your AWS account is not being used." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -34,8 +32,10 @@ Query: group_name like 'launch-wizard%'; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_ec2_network_interface - - aws_vpc_security_group + - aws_ec2_network_interface + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_remote_administration.yaml b/compliance/controls/aws/aws_vpc_security_group_remote_administration.yaml index 18ce904eb..4e0f44785 100755 --- a/compliance/controls/aws/aws_vpc_security_group_remote_administration.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_remote_administration.yaml 
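Review bot: `count(sg ->> 'GroupId')` in the `associated_sg` CTE is left unaliased and then read back as `a.count` in the reason text, which depends on the engine's default output-column name for an aggregate; aliasing it, `count(sg ->> 'GroupId') as num_eni,` and reading `a.num_eni`, removes that dependency. The `distinct` on the outer select looks unnecessary, since `associated_sg` is grouped by `secgrp_id` and joined on it so each security group already yields one row — worth confirming before removing it.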
@@ -1,78 +1,33 @@ ID: aws_vpc_security_group_remote_administration Title: "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports" Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bad_rules as ( - select - group_id, - count(*) as num_bad_rules - from - aws_vpc_security_group_rule - where - type = 'ingress' - and ( - cidr_ipv4 = '0.0.0.0/0' - or cidr_ipv6 = '::/0' - ) - and ( - ( ip_protocol = '-1' -- all traffic - and from_port is null - ) - or ( - from_port >= 22 - and to_port <= 22 - ) - or ( - from_port >= 3389 - and to_port <= 3389 - ) - ) - group by - group_id - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when bad_rules.group_id is null then 'ok' - else 'alarm' - end as status, - case - when bad_rules.group_id is null then sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - else sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- end as reason - - , sg.region, sg.account_id - from - aws_vpc_security_group as sg - left join bad_rules on bad_rules.group_id = sg.group_id; + QueryToExecute: "with bad_rules as (\n select\n group_id,\n count(*) as num_bad_rules\n from\n aws_vpc_security_group_rule\n where\n type = 'ingress'\n and (\n cidr_ipv4 = '0.0.0.0/0'\n or cidr_ipv6 = '::/0'\n )\n and (\n ( ip_protocol = '-1' -- all traffic\n and from_port is null\n )\n or (\n from_port >= 22\n and to_port <= 22\n )\n or (\n from_port >= 3389\n and to_port <= 3389\n )\n )\n group by\n group_id\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when bad_rules.group_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when bad_rules.group_id is null then sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n else sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n end as reason\n \n , sg.region, sg.account_id\nfrom\n aws_vpc_security_group as sg\n left join bad_rules on bad_rules.group_id = sg.group_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "5.2" + - "5.2" cis_level: - - "1" + - "1" cis_section_id: - - "5" + - "5" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - aws + - aws service: - - AWS/VPC + - AWS/VPC +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv4.yaml b/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv4.yaml index a06353027..1d6fba005 100755 --- a/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv4.yaml 
+++ b/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv4.yaml 
@@ -1,77 +1,33 @@ ID: aws_vpc_security_group_remote_administration_ipv4 Title: "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports" Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bad_rules as ( - select - group_id, - count(*) as num_bad_rules - from - aws_vpc_security_group_rule - where - type = 'ingress' - and ( - cidr_ipv4 = '0.0.0.0/0' - ) - and ( - ( ip_protocol = '-1' -- all traffic - and from_port is null - ) - or ( - from_port >= 22 - and to_port <= 22 - ) - or ( - from_port >= 3389 - and to_port <= 3389 - ) - ) - group by - group_id - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when bad_rules.group_id is null then 'ok' - else 'alarm' - end as status, - case - when bad_rules.group_id is null then sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0.' - else sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0.' 
- end as reason - - , sg.region, sg.account_id - from - aws_vpc_security_group as sg - left join bad_rules on bad_rules.group_id = sg.group_id; + QueryToExecute: "with bad_rules as (\n select\n group_id,\n count(*) as num_bad_rules\n from\n aws_vpc_security_group_rule\n where\n type = 'ingress'\n and (\n cidr_ipv4 = '0.0.0.0/0'\n )\n and (\n ( ip_protocol = '-1' -- all traffic\n and from_port is null\n )\n or (\n from_port >= 22\n and to_port <= 22\n )\n or (\n from_port >= 3389\n and to_port <= 3389\n )\n )\n group by\n group_id\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when bad_rules.group_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when bad_rules.group_id is null then sg.group_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0.'\n else sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from 0.0.0.0/0.'\n end as reason\n \n , sg.region, sg.account_id\nfrom\n aws_vpc_security_group as sg\n left join bad_rules on bad_rules.group_id = sg.group_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: critical Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "5.2" + - "5.2" cis_level: - - "1" + - "1" cis_section_id: - - "5" + - "5" cis_type: - - automated + - automated cis_version: - - v1.5.0 + - v1.5.0 plugin: - - aws + - aws service: - - AWS/VPC + - AWS/VPC +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv6.yaml b/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv6.yaml index 12cf95bcd..bff136e58 100755 --- a/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv6.yaml 
+++ b/compliance/controls/aws/aws_vpc_security_group_remote_administration_ipv6.yaml 
@@ -1,77 +1,33 @@ ID: aws_vpc_security_group_remote_administration_ipv6 Title: "Ensure no security groups allow ingress from ::/0 to remote server administration ports" Description: "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bad_rules as ( - select - group_id, - count(*) as num_bad_rules - from - aws_vpc_security_group_rule - where - type = 'ingress' - and ( - cidr_ipv6 = '::/0' - ) - and ( - ( ip_protocol = '-1' -- all traffic - and from_port is null - ) - or ( - from_port >= 22 - and to_port <= 22 - ) - or ( - from_port >= 3389 - and to_port <= 3389 - ) - ) - group by - group_id - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when bad_rules.group_id is null then 'ok' - else 'alarm' - end as status, - case - when bad_rules.group_id is null then sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.' - else sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.' 
- end as reason - - , sg.region, sg.account_id - from - aws_vpc_security_group as sg - left join bad_rules on bad_rules.group_id = sg.group_id; + QueryToExecute: "with bad_rules as (\n select\n group_id,\n count(*) as num_bad_rules\n from\n aws_vpc_security_group_rule\n where\n type = 'ingress'\n and (\n cidr_ipv6 = '::/0'\n )\n and (\n ( ip_protocol = '-1' -- all traffic\n and from_port is null\n )\n or (\n from_port >= 22\n and to_port <= 22\n )\n or (\n from_port >= 3389\n and to_port <= 3389\n )\n )\n group by\n group_id\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when bad_rules.group_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when bad_rules.group_id is null then sg.group_id || ' does not allow ingress to port 22 or 3389 from ::/0.'\n else sg.group_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) that allow ingress to port 22 or 3389 from ::/0.'\n end as reason\n \n , sg.region, sg.account_id\nfrom\n aws_vpc_security_group as sg\n left join bad_rules on bad_rules.group_id = sg.group_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: critical Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "5.3" + - "5.3" cis_level: - - "1" + - "1" cis_section_id: - - "5" + - "5" cis_type: - - automated + - automated cis_version: - - v1.5.0 + - v1.5.0 plugin: - - aws + - aws service: - - AWS/VPC + - AWS/VPC +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_common_ports_all.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_common_ports_all.yaml index f2d25b461..bf877a497 100755 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_common_ports_all.yaml 
+++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_common_ports_all.yaml 
@@ -1,107 +1,49 @@ ID: aws_vpc_security_group_restrict_ingress_common_ports_all Title: "VPC security groups should restrict ingress access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0" Description: "Manage access to resources in the AWS Cloud by ensuring common ports are restricted on AWS Elastic Compute Cloud (AWS EC2) security groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with ingress_ssh_rules as ( - select - group_id, - count(*) as num_ssh_rules - from - aws_vpc_security_group_rule - where - type = 'ingress' - and cidr_ipv4 = '0.0.0.0/0' - and ( - ( ip_protocol = '-1' - and from_port is null - ) - or ( - from_port >= 22 - and to_port <= 22 - ) - or ( - from_port >= 3389 - and to_port <= 3389 - ) - or ( - from_port >= 21 - and to_port <= 21 - ) - or ( - from_port >= 20 - and to_port <= 20 - ) - or ( - from_port >= 3306 - and to_port <= 3306 - ) - or ( - from_port >= 4333 - and to_port <= 4333 - ) - ) - group by - group_id - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when ingress_ssh_rules.group_id is null then 'ok' - else 'alarm' - end as status, - case - when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0.' - else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0.' 
- end as reason - - , region, account_id - from - aws_vpc_security_group as sg - left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id; + QueryToExecute: "with ingress_ssh_rules as (\n select\n group_id,\n count(*) as num_ssh_rules\n from\n aws_vpc_security_group_rule\n where\n type = 'ingress'\n and cidr_ipv4 = '0.0.0.0/0'\n and (\n ( ip_protocol = '-1'\n and from_port is null\n )\n or (\n from_port >= 22\n and to_port <= 22\n )\n or (\n from_port >= 3389\n and to_port <= 3389\n )\n or (\n from_port >= 21\n and to_port <= 21\n )\n or (\n from_port >= 20\n and to_port <= 20\n )\n or (\n from_port >= 3306\n and to_port <= 3306\n )\n or (\n from_port >= 4333\n and to_port <= 4333\n )\n )\n group by\n group_id\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when ingress_ssh_rules.group_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0.'\n else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access on ports 20, 21, 22, 3306, 3389, 4333 from 0.0.0.0/0.'\n end as reason\n \n , region, account_id\nfrom\n aws_vpc_security_group as sg\n left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: high Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" 
nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/VPC + - AWS/VPC soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kafka_port.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kafka_port.yaml index 2089baa6a..1fbe5327a 100755 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kafka_port.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kafka_port.yaml @@ -1,8 +1,6 @@ ID: aws_vpc_security_group_restrict_ingress_kafka_port Title: "VPC security groups should restrict ingress Kafka port access from 0.0.0.0/0" Description: "AWS VPC security groups can help in managing network access by providing stateful filtering of ingress and egress network traffic to AWS resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: left join ingress_kafka_port as k on k.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kibana_port.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kibana_port.yaml index a2b959bf3..1affebc86 100755 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kibana_port.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_kibana_port.yaml 
@@ -1,8 +1,6 @@ ID: aws_vpc_security_group_restrict_ingress_kibana_port Title: "VPC security groups should restrict ingress kibana port access from 0.0.0.0/0" Description: "AWS VPC security groups can help in managing network access by providing stateful filtering of ingress and egress network traffic to AWS resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -51,8 +49,10 @@ Query: left join ingress_kibana_port as k on k.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_rdp_all.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_rdp_all.yaml index 85d57d3f8..36b9564e1 100755 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_rdp_all.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_rdp_all.yaml 
@@ -1,71 +1,33 @@ ID: aws_vpc_security_group_restrict_ingress_rdp_all Title: "Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389" Description: "Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with ingress_rdp_rules as ( - select - group_id, - count(*) as num_rdp_rules - from - aws_vpc_security_group_rule - where - type = 'ingress' - and cidr_ipv4 = '0.0.0.0/0' - and ( - ( ip_protocol = '-1' - and from_port is null - ) - or ( - from_port >= 3389 - and to_port <= 3389 - ) - ) - group by - group_id - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when ingress_rdp_rules.group_id is null then 'ok' - else 'alarm' - end as status, - case - when ingress_rdp_rules.group_id is null then sg.group_id || ' ingress restricted for RDP from 0.0.0.0/0.' - else sg.group_id || ' contains ' || ingress_rdp_rules.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0.' 
- end as reason - - , sg.region, sg.account_id - from - aws_vpc_security_group as sg - left join ingress_rdp_rules on ingress_rdp_rules.group_id = sg.group_id; + QueryToExecute: "with ingress_rdp_rules as (\n select\n group_id,\n count(*) as num_rdp_rules\n from\n aws_vpc_security_group_rule\n where\n type = 'ingress'\n and cidr_ipv4 = '0.0.0.0/0'\n and (\n ( ip_protocol = '-1'\n and from_port is null\n )\n or (\n from_port >= 3389\n and to_port <= 3389\n )\n )\n group by\n group_id\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when ingress_rdp_rules.group_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when ingress_rdp_rules.group_id is null then sg.group_id || ' ingress restricted for RDP from 0.0.0.0/0.'\n else sg.group_id || ' contains ' || ingress_rdp_rules.num_rdp_rules || ' ingress rule(s) allowing RDP from 0.0.0.0/0.'\n end as reason\n \n , sg.region, sg.account_id\nfrom\n aws_vpc_security_group as sg\n left join ingress_rdp_rules on ingress_rdp_rules.group_id = sg.group_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "4.2" + - "4.2" cis_level: - - "1" + - "1" cis_section_id: - - "4" + - "4" cis_type: - - scored + - scored cis_version: - - v1.2.0 + - v1.2.0 plugin: - - aws + - aws service: - - AWS/VPC + - AWS/VPC +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_redis_port.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_redis_port.yaml index 2fba8cd15..2191650de 100755 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_redis_port.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_redis_port.yaml 
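Review bot: The port predicate on the new side, `from_port >= 3389 and to_port <= 3389`, only matches a rule whose range is exactly 3389–3389, so if from_port/to_port are the rule's port range as the names suggest, a wider rule such as 0–65535 from 0.0.0.0/0 still exposes RDP but is reported as 'ok'; the containment test should be `from_port <= 3389` and `and to_port >= 3389`. The same inverted comparison is on the new side of aws_vpc_security_group_restrict_ingress_ssh_all (port 22) and in every port branch of aws_vpc_security_group_restricted_common_ports, and the hunk cut off at the top of this chunk appears to carry it as well. The commit only re-serializes the query text, so the detection gap is pre-existing, but rewriting the query is the natural moment to close it. Separately, replacing the `|` block scalar with a double-quoted string of `\n` escapes makes the SQL hard to read and diff and freezes the whitespace-only `\n \n` line into the value; keeping `QueryToExecute: |` as the kafka, kibana and redis files in this chunk still do would be preferable, and that remark applies to every QueryToExecute rewrite in this chunk (ssh_all, restricted_common_ports, security_group_unused, subnet_auto_assign_public_ip_disabled, vpn_tunnel_up and the aws_waf_* files).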
@@ -1,8 +1,6 @@ ID: aws_vpc_security_group_restrict_ingress_redis_port Title: "VPC security groups should restrict ingress redis access from 0.0.0.0/0" Description: "AWS VPC security groups can help in managing network access by providing stateful filtering of ingress and egress network traffic to AWS resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: left join ingress_redis_port on ingress_redis_port.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group_rule - - aws_vpc_security_group + - aws_vpc_security_group_rule + - aws_vpc_security_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_ssh_all.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_ssh_all.yaml index 64ab4c316..0f596ac92 100755 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_ssh_all.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_ssh_all.yaml 
@@ -1,91 +1,53 @@ ID: aws_vpc_security_group_restrict_ingress_ssh_all Title: "VPC security groups should restrict ingress SSH access from 0.0.0.0/0" Description: "AWS Elastic Compute Cloud (AWS EC2) Security Groups can help manage network access by providing stateful filtering of ingress and egress network traffic to AWS resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with ingress_ssh_rules as ( - select - group_id, - count(*) as num_ssh_rules - from - aws_vpc_security_group_rule - where - type = 'ingress' - and cidr_ipv4 = '0.0.0.0/0' - and ( - ( ip_protocol = '-1' - and from_port is null - ) - or ( - from_port >= 22 - and to_port <= 22 - ) - ) - group by - group_id - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when ingress_ssh_rules.group_id is null then 'ok' - else 'alarm' - end as status, - case - when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for SSH from 0.0.0.0/0.' - else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0.' 
- end as reason - - , region, account_id - from - aws_vpc_security_group as sg - left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id; + QueryToExecute: "with ingress_ssh_rules as (\n select\n group_id,\n count(*) as num_ssh_rules\n from\n aws_vpc_security_group_rule\n where\n type = 'ingress'\n and cidr_ipv4 = '0.0.0.0/0'\n and (\n ( ip_protocol = '-1'\n and from_port is null\n )\n or (\n from_port >= 22\n and to_port <= 22\n )\n )\n group by\n group_id\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when ingress_ssh_rules.group_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for SSH from 0.0.0.0/0.'\n else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing SSH from 0.0.0.0/0.'\n end as reason\n \n , region, account_id\nfrom\n aws_vpc_security_group as sg\n left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: high Tags: audit_manager_control_tower: - - "true" + - "true" category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/VPC + - 
AWS/VPC soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_tcp_udp_all.yaml b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_tcp_udp_all.yaml index 89e8e1ced..f5f4cdd88 100755 --- a/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_tcp_udp_all.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restrict_ingress_tcp_udp_all.yaml @@ -1,8 +1,6 @@ ID: aws_vpc_security_group_restrict_ingress_tcp_udp_all Title: "VPC security groups should restrict ingress TCP and UDP access from 0.0.0.0/0" Description: "Manage access to resources in the AWS Cloud by ensuring common ports are restricted on AWS Elastic Compute Cloud (AWS EC2) Security Groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -43,42 +41,44 @@ Query: left join bad_rules on bad_rules.group_id = sg.group_id; PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/VPC + - AWS/VPC soc_2: - - "true" + - "true" +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_vpc_security_group_restricted_common_ports.yaml b/compliance/controls/aws/aws_vpc_security_group_restricted_common_ports.yaml index 368243727..64592dd9d 100755 --- a/compliance/controls/aws/aws_vpc_security_group_restricted_common_ports.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_restricted_common_ports.yaml 
@@ -1,133 +1,27 @@ ID: aws_vpc_security_group_restricted_common_ports Title: "Security groups should not allow unrestricted access to ports with high risk" Description: "This control checks whether unrestricted incoming traffic for the security groups is accessible to the specified ports that have the highest risk. This control passes when none of the rules in a security group allow ingress traffic from 0.0.0.0/0 for those ports." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with ingress_ssh_rules as ( - select - group_id, - count(*) as num_ssh_rules - from - aws_vpc_security_group_rule - where - type = 'ingress' - and cidr_ipv4 = '0.0.0.0/0' - and ( - ( ip_protocol = '-1' - and from_port is null - ) - or ( - from_port >= 22 - and to_port <= 22 - ) - or ( - from_port >= 3389 - and to_port <= 3389 - ) - or ( - from_port >= 21 - and to_port <= 21 - ) - or ( - from_port >= 20 - and to_port <= 20 - ) - or ( - from_port >= 3306 - and to_port <= 3306 - ) - or ( - from_port >= 4333 - and to_port <= 4333 - ) - or ( - from_port >= 23 - and to_port <= 23 - ) - or ( - from_port >= 25 - and to_port <= 25 - ) - or ( - from_port >= 445 - and to_port <= 445 - ) - or ( - from_port >= 110 - and to_port <= 110 - ) - or ( - from_port >= 135 - and to_port <= 135 - ) - or ( - from_port >= 143 - and to_port <= 143 - ) - or ( - from_port >= 1433 - and to_port <= 1433 - ) - or ( - from_port >= 5432 - and to_port <= 5432 - ) - or ( - from_port >= 5500 - and to_port <= 5500 - ) - or ( - from_port >= 5601 - and to_port <= 5601 - ) - or ( - from_port >= 9200 - and to_port <= 9300 - ) - or ( - from_port >= 8080 - and to_port <= 8080 - ) - ) - group by - group_id - ) - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when ingress_ssh_rules.group_id is null then 'ok' - else 'alarm' - end as status, - case - when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for common ports from 
0.0.0.0/0..' - else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for common ports from 0.0.0.0/0.' - end as reason - - , sg.region, sg.account_id - from - aws_vpc_security_group as sg - left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id; + QueryToExecute: "with ingress_ssh_rules as (\n select\n group_id,\n count(*) as num_ssh_rules\n from\n aws_vpc_security_group_rule\n where\n type = 'ingress'\n and cidr_ipv4 = '0.0.0.0/0'\n and (\n ( ip_protocol = '-1'\n and from_port is null\n )\n or (\n from_port >= 22\n and to_port <= 22\n )\n or (\n from_port >= 3389\n and to_port <= 3389\n )\n or (\n from_port >= 21\n and to_port <= 21\n )\n or (\n from_port >= 20\n and to_port <= 20\n )\n or (\n from_port >= 3306\n and to_port <= 3306\n )\n or (\n from_port >= 4333\n and to_port <= 4333\n )\n or (\n from_port >= 23\n and to_port <= 23\n )\n or (\n from_port >= 25\n and to_port <= 25\n )\n or (\n from_port >= 445\n and to_port <= 445\n )\n or (\n from_port >= 110\n and to_port <= 110\n )\n or (\n from_port >= 135\n and to_port <= 135\n )\n or (\n from_port >= 143\n and to_port <= 143\n )\n or (\n from_port >= 1433\n and to_port <= 1433\n )\n or (\n from_port >= 5432\n and to_port <= 5432\n )\n or (\n from_port >= 5500\n and to_port <= 5500\n )\n or (\n from_port >= 5601\n and to_port <= 5601\n )\n or (\n from_port >= 9200\n and to_port <= 9300\n )\n or (\n from_port >= 8080\n and to_port <= 8080\n )\n )\n group by\n group_id\n)\nselect\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when ingress_ssh_rules.group_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when ingress_ssh_rules.group_id is null then sg.group_id || ' ingress restricted for common ports from 0.0.0.0/0..'\n else sg.group_id || ' contains ' || ingress_ssh_rules.num_ssh_rules || ' ingress rule(s) allowing access for common ports from 0.0.0.0/0.'\n end as reason\n \n , 
sg.region, sg.account_id\nfrom\n aws_vpc_security_group as sg\n left join ingress_ssh_rules on ingress_ssh_rules.group_id = sg.group_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - security_group_configuration + - security_group_configuration foundational_security_item_id: - - ec2_19 + - ec2_19 plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_security_group_unused.yaml b/compliance/controls/aws/aws_vpc_security_group_unused.yaml index f95753004..a975cbd56 100755 --- a/compliance/controls/aws/aws_vpc_security_group_unused.yaml +++ b/compliance/controls/aws/aws_vpc_security_group_unused.yaml 
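Review bot: The 'ok' reason string on the new side ends with a doubled period, `' ingress restricted for common ports from 0.0.0.0/0..'`; it should read `' ingress restricted for common ports from 0.0.0.0/0.'` so it matches the alarm branch and the wording used by the other security-group controls in this chunk. The typo is carried over from the removed block scalar, so the commit does not introduce it, but the rewrite is the place to correct it.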
@@ -1,60 +1,28 @@ ID: aws_vpc_security_group_unused Title: "Unused EC2 security groups should be removed" Description: "This AWS control checks that security groups are attached to AWS Elastic Compute Cloud (AWS EC2) instances or to an elastic network interface. The control will fail if the security group is not associated with an AWS EC2 instance or an elastic network interface." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with associated_sg as ( - select - sg ->> 'GroupId' as secgrp_id - from - aws_ec2_network_interface, - jsonb_array_elements(groups) as sg - group by sg ->> 'GroupId' - union - select - sg ->> 'GroupId' as secgrp_id - from - aws_ec2_instance, - jsonb_array_elements(security_groups) as sg - group by sg ->> 'GroupId' - ) - select - distinct s.arn as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when a.secgrp_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.secgrp_id is not null then s.title || ' is in use.' - else s.title || ' not in use.' 
- end as reason - - , s.region, s.account_id - from - aws_vpc_security_group as s - left join associated_sg as a on s.group_id = a.secgrp_id; + QueryToExecute: "with associated_sg as (\n select\n sg ->> 'GroupId' as secgrp_id\n from\n aws_ec2_network_interface,\n jsonb_array_elements(groups) as sg\n group by sg ->> 'GroupId'\n union\n select\n sg ->> 'GroupId' as secgrp_id\n from\n aws_ec2_instance,\n jsonb_array_elements(security_groups) as sg\n group by sg ->> 'GroupId'\n)\nselect\n distinct s.arn as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when a.secgrp_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.secgrp_id is not null then s.title || ' is in use.'\n else s.title || ' not in use.'\n end as reason\n \n , s.region, s.account_id\nfrom\n aws_vpc_security_group as s\n left join associated_sg as a on s.group_id = a.secgrp_id;\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_ec2_instance - - aws_ec2_network_interface - - aws_vpc_security_group + - aws_ec2_instance + - aws_ec2_network_interface + - aws_vpc_security_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - inventory + - inventory foundational_security_item_id: - - ec2_22 + - ec2_22 plugin: - - aws + - aws service: - - AWS/EC2 + - AWS/EC2 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_subnet_auto_assign_public_ip_disabled.yaml b/compliance/controls/aws/aws_vpc_subnet_auto_assign_public_ip_disabled.yaml index f5d9d06da..03950516d 100755 --- a/compliance/controls/aws/aws_vpc_subnet_auto_assign_public_ip_disabled.yaml +++ b/compliance/controls/aws/aws_vpc_subnet_auto_assign_public_ip_disabled.yaml 
@@ -1,58 +1,42 @@ ID: aws_vpc_subnet_auto_assign_public_ip_disabled Title: "VPC subnet auto assign public IP should be disabled" Description: "Ensure that AWS Virtual Private Cloud (AWS VPC) subnets are assigned a public IP address. The control is compliant if AWS VPC does not have subnets that are assigned a public IP address. The control is non-compliant if AWS VPC has subnets that are assigned a public IP address." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - subnet_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when map_public_ip_on_launch = 'false' then 'ok' - else 'alarm' - end as status, - case - when map_public_ip_on_launch = 'false' then title || ' auto assign public IP disabled.' - else title || ' auto assign public IP enabled.' - end as reason - - , region, account_id - from - aws_vpc_subnet; + QueryToExecute: "select\n subnet_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when map_public_ip_on_launch = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when map_public_ip_on_launch = 'false' then title || ' auto assign public IP disabled.'\n else title || ' auto assign public IP enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_vpc_subnet;\n" PrimaryTable: aws_vpc_subnet ListOfTables: - - aws_vpc_subnet + - aws_vpc_subnet Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/VPC + - 
AWS/VPC +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_vpc_vpn_tunnel_up.yaml b/compliance/controls/aws/aws_vpc_vpn_tunnel_up.yaml index 7dfa3d9cb..dded160ba 100755 --- a/compliance/controls/aws/aws_vpc_vpn_tunnel_up.yaml +++ b/compliance/controls/aws/aws_vpc_vpn_tunnel_up.yaml 
@@ -1,66 +1,38 @@ ID: aws_vpc_vpn_tunnel_up Title: "Both VPN tunnels provided by AWS Site-to-Site VPN should be in UP status" Description: "Redundant Site-to-Site VPN tunnels can be implemented to achieve resilience requirements." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with filter_data as ( - select - arn, - count(t ->> 'Status') - from - aws_vpc_vpn_connection, - jsonb_array_elements(vgw_telemetry) as t - where t ->> 'Status' = 'UP' - group by arn - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.count is null or b.count < 2 then 'alarm' - else 'ok' - end as status, - case - when b.count is null then a.title || ' has both tunnels offline.' - when b.count = 1 then a.title || ' has one tunnel offline.' - else a.title || ' has both tunnels online.' - end as reason - - , region, account_id - from - aws_vpc_vpn_connection as a - left join filter_data as b on a.arn = b.arn; + QueryToExecute: "with filter_data as (\n select\n arn,\n count(t ->> 'Status')\n from\n aws_vpc_vpn_connection,\n jsonb_array_elements(vgw_telemetry) as t\n where t ->> 'Status' = 'UP'\n group by arn\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.count is null or b.count < 2 then 'alarm'\n else 'ok'\n end as status,\n case\n when b.count is null then a.title || ' has both tunnels offline.'\n when b.count = 1 then a.title || ' has one tunnel offline.'\n else a.title || ' has both tunnels online.'\n end as reason\n \n , region, account_id\nfrom\n aws_vpc_vpn_connection as a\n left join filter_data as b on a.arn = b.arn;\n" PrimaryTable: aws_vpc_vpn_connection ListOfTables: - - aws_vpc_vpn_connection + - aws_vpc_vpn_connection Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" 
gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/VPC + - AWS/VPC +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_waf_regional_rule_condition_attached.yaml b/compliance/controls/aws/aws_waf_regional_rule_condition_attached.yaml index cc582334f..c801bbf70 100755 --- a/compliance/controls/aws/aws_waf_regional_rule_condition_attached.yaml +++ b/compliance/controls/aws/aws_waf_regional_rule_condition_attached.yaml @@ -1,8 +1,6 @@ ID: aws_waf_regional_rule_condition_attached Title: "WAF regional rule should have at least one condition" Description: "This control checks whether WAF regional rule contains any conditions. The control fails if no conditions are present within a rule." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -23,19 +21,21 @@ Query: aws_wafregional_rule; PrimaryTable: aws_wafregional_rule ListOfTables: - - aws_wafregional_rule + - aws_wafregional_rule Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - waf_2 + - waf_2 plugin: - - aws + - aws service: - - AWS/WAF + - AWS/WAF +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_waf_regional_rule_group_rule_attached.yaml b/compliance/controls/aws/aws_waf_regional_rule_group_rule_attached.yaml index e58c816c3..a579709eb 100755 --- a/compliance/controls/aws/aws_waf_regional_rule_group_rule_attached.yaml +++ b/compliance/controls/aws/aws_waf_regional_rule_group_rule_attached.yaml 
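Review bot: In the aws_vpc_vpn_tunnel_up query the CTE column `count(t ->> 'Status')` is left unnamed and then referenced as `b.count` in three places, which relies on the engine's default column naming; an explicit alias such as `count(t ->> 'Status') as up_tunnel_count` with the references changed to `b.up_tunnel_count` would make the intent (number of tunnels reporting UP) clear at the point of use. This is a style point only; the `is null or < 2` logic itself reads correctly.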
@@ -1,42 +1,26 @@ ID: aws_waf_regional_rule_group_rule_attached Title: "WAF regional rule group should have at least one rule attached" Description: "This control checks if WAF regional rule groups contain any rules. The rule is non-compliant if there are no rules present within a WAF regional rule group." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when activated_rules is null or jsonb_array_length(activated_rules) = 0 then 'alarm' - else 'ok' - end as status, - case - when activated_rules is null or jsonb_array_length(activated_rules) = 0 then title || ' has no attached rules.' - else title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.' - end as reason - - , region, account_id - from - aws_wafregional_rule_group; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when activated_rules is null or jsonb_array_length(activated_rules) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when activated_rules is null or jsonb_array_length(activated_rules) = 0 then title || ' has no attached rules.'\n else title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.'\n end as reason\n \n , region, account_id\nfrom\n aws_wafregional_rule_group;\n" PrimaryTable: aws_wafregional_rule_group ListOfTables: - - aws_wafregional_rule_group + - aws_wafregional_rule_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - waf_3 + - waf_3 plugin: - - aws + - aws service: - - AWS/WAF + - AWS/WAF +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_waf_regional_web_acl_rule_attached.yaml b/compliance/controls/aws/aws_waf_regional_web_acl_rule_attached.yaml index 4a70d0640..a365a32ac 100755 --- a/compliance/controls/aws/aws_waf_regional_web_acl_rule_attached.yaml +++ b/compliance/controls/aws/aws_waf_regional_web_acl_rule_attached.yaml 
@@ -1,42 +1,26 @@ ID: aws_waf_regional_web_acl_rule_attached Title: "WAF regional web ACL should have at least one rule or rule group attached" Description: "This control checks if a WAF regional Web ACL contains any WAF rules or rule groups. The rule is non-compliant if there are no WAF rules or rule groups present within a Web ACL." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when rules is null or jsonb_array_length(rules) = 0 then 'alarm' - else 'ok' - end as status, - case - when rules is null or jsonb_array_length(rules) = 0 then title || ' has no attached rules.' - else title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.' - end as reason - - , region, account_id - from - aws_wafregional_web_acl; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when rules is null or jsonb_array_length(rules) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when rules is null or jsonb_array_length(rules) = 0 then title || ' has no attached rules.'\n else title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.'\n end as reason\n \n , region, account_id\nfrom\n aws_wafregional_web_acl;\n" PrimaryTable: aws_wafregional_web_acl ListOfTables: - - aws_wafregional_web_acl + - aws_wafregional_web_acl Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - waf_4 + - waf_4 plugin: - - aws + - aws service: - - AWS/WAF + - AWS/WAF +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_waf_rule_condition_attached.yaml b/compliance/controls/aws/aws_waf_rule_condition_attached.yaml index 1b6038779..69e14fe9e 100755 
--- a/compliance/controls/aws/aws_waf_rule_condition_attached.yaml +++ b/compliance/controls/aws/aws_waf_rule_condition_attached.yaml @@ -1,42 +1,26 @@ ID: aws_waf_rule_condition_attached Title: "WAF global rule should have at least one condition" Description: "This control checks whether an AWS WAF global rule contains any conditions. The control fails if no conditions are present within a rule." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - rule_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when predicates is null or jsonb_array_length(predicates) = 0 then 'alarm' - else 'ok' - end as status, - case - when predicates is null or jsonb_array_length(predicates) = 0 then title || ' has no attached conditions.' - else title || ' has ' || jsonb_array_length(predicates) || ' attached conditions.' - end as reason - - , region, account_id - from - aws_waf_rule; + QueryToExecute: "select\n rule_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when predicates is null or jsonb_array_length(predicates) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when predicates is null or jsonb_array_length(predicates) = 0 then title || ' has no attached conditions.'\n else title || ' has ' || jsonb_array_length(predicates) || ' attached conditions.'\n end as reason\n \n , region, account_id\nfrom\n aws_waf_rule;\n" PrimaryTable: aws_waf_rule ListOfTables: - - aws_waf_rule + - aws_waf_rule Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_configuration + - resource_configuration foundational_security_item_id: - - waf_6 + - waf_6 plugin: - - aws + - aws service: - - AWS/WAF + - AWS/WAF +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/aws/aws_waf_rule_group_rule_attached.yaml b/compliance/controls/aws/aws_waf_rule_group_rule_attached.yaml index 67645a32f..b10085d70 100755 --- a/compliance/controls/aws/aws_waf_rule_group_rule_attached.yaml +++ b/compliance/controls/aws/aws_waf_rule_group_rule_attached.yaml 
@@ -1,42 +1,26 @@ ID: aws_waf_rule_group_rule_attached Title: "WAF global rule group should have at least one rule" Description: "This control checks whether WAF global rule group has at least one rule. The control fails if no rules are present within a rule group." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when activated_rules is null or jsonb_array_length(activated_rules) = 0 then 'alarm' - else 'ok' - end as status, - case - when activated_rules is null or jsonb_array_length(activated_rules) = 0 then title || ' has no attached rules.' - else title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.' - end as reason - - , region, account_id - from - aws_waf_rule_group; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when activated_rules is null or jsonb_array_length(activated_rules) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when activated_rules is null or jsonb_array_length(activated_rules) = 0 then title || ' has no attached rules.'\n else title || ' has ' || jsonb_array_length(activated_rules) || ' rule(s) attached.'\n end as reason\n \n , region, account_id\nfrom\n aws_waf_rule_group;\n" PrimaryTable: aws_waf_rule_group ListOfTables: - - aws_waf_rule_group + - aws_waf_rule_group Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_configuration + - resource_configuration foundational_security_item_id: - - waf_7 + - waf_7 plugin: - - aws + - aws service: - - AWS/WAF + - AWS/WAF +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_waf_web_acl_logging_enabled.yaml b/compliance/controls/aws/aws_waf_web_acl_logging_enabled.yaml index 8675947bb..3bbefb663 100755 
--- a/compliance/controls/aws/aws_waf_web_acl_logging_enabled.yaml +++ b/compliance/controls/aws/aws_waf_web_acl_logging_enabled.yaml @@ -1,42 +1,26 @@ ID: aws_waf_web_acl_logging_enabled Title: "WAF web ACL logging should be enabled" Description: "To help with logging and monitoring within your environment, enable AWS WAF logging on regional and global web ACLs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when logging_configuration is null then 'alarm' - else 'ok' - end as status, - case - when logging_configuration is null then title || ' logging disabled.' - else title || ' logging enabled.' - end as reason - - , region, account_id - from - aws_waf_web_acl; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logging_configuration is null then 'alarm'\n else 'ok'\n end as status,\n case\n when logging_configuration is null then title || ' logging disabled.'\n else title || ' logging enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_waf_web_acl;\n" PrimaryTable: aws_waf_web_acl ListOfTables: - - aws_waf_web_acl + - aws_waf_web_acl Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - logging + - logging foundational_security_item_id: - - waf_1 + - waf_1 plugin: - - aws + - aws service: - - AWS/WAF + - AWS/WAF +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_waf_web_acl_resource_associated.yaml b/compliance/controls/aws/aws_waf_web_acl_resource_associated.yaml index 8749ee8c2..dda6aec91 100755 --- a/compliance/controls/aws/aws_waf_web_acl_resource_associated.yaml +++ b/compliance/controls/aws/aws_waf_web_acl_resource_associated.yaml 
@@ -1,40 +1,24 @@ ID: aws_waf_web_acl_resource_associated Title: "WAF web ACL should be associated with an Application Load Balancer, API Gateway stage, or CloudFront distributions" Description: "This control checks if the web ACL is associated with an Application Load Balancer, API Gateway stage, or CloudFront distributions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when jsonb_array_length(resources) > 0 then 'ok' - else 'alarm' - end as status, - case - when jsonb_array_length(resources) > 0 then title || ' associated with ' || jsonb_array_length(resources) || ' AWS resource(s).' - else title || ' not assoicated with AWS resource.' - end as reason - - , region, account_id - from - aws_wafregional_web_acl; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when jsonb_array_length(resources) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when jsonb_array_length(resources) > 0 then title || ' associated with ' || jsonb_array_length(resources) || ' AWS resource(s).'\n else title || ' not assoicated with AWS resource.'\n end as reason\n \n , region, account_id\nfrom\n aws_wafregional_web_acl;\n" PrimaryTable: aws_wafregional_web_acl ListOfTables: - - aws_wafregional_web_acl + - aws_wafregional_web_acl Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws service: - - AWS/WAF + - AWS/WAF +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_waf_web_acl_rule_attached.yaml b/compliance/controls/aws/aws_waf_web_acl_rule_attached.yaml index 05c7eb823..35e465dbe 100755 --- a/compliance/controls/aws/aws_waf_web_acl_rule_attached.yaml +++ b/compliance/controls/aws/aws_waf_web_acl_rule_attached.yaml 
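Review bot: The new `reason` line carries the misspelling in `' not assoicated with AWS resource.'`; it should read `else title || ' not associated with AWS resource.'`. Separately, the query reads only `aws_wafregional_web_acl`, while the Title and Description also promise coverage of CloudFront distributions, which are attached to global rather than regional web ACLs and so are never evaluated by this control; either narrow the Title/Description to regional web ACLs or add the global web ACL table if the schema provides one. `jsonb_array_length(resources) > 0` evaluates to null when `resources` is null and falls through to 'alarm', which is the safe default but deserves a short SQL comment so it is not read as an unhandled case.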
@@ -1,42 +1,26 @@ ID: aws_waf_web_acl_rule_attached Title: "WAF global web ACL should have at least one rule or rule group" Description: "This control checks whether WAF global web ACL contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when rules is null or jsonb_array_length(rules) = 0 then 'alarm' - else 'ok' - end as status, - case - when rules is null or jsonb_array_length(rules) = 0 then title || ' has no attached rules.' - else title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.' - end as reason - - , region, account_id - from - aws_waf_web_acl; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when rules is null or jsonb_array_length(rules) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when rules is null or jsonb_array_length(rules) = 0 then title || ' has no attached rules.'\n else title || ' has ' || jsonb_array_length(rules) || ' rule(s) attached.'\n end as reason\n \n , region, account_id\nfrom\n aws_waf_web_acl;\n" PrimaryTable: aws_waf_web_acl ListOfTables: - - aws_waf_web_acl + - aws_waf_web_acl Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - resource_configuration + - resource_configuration foundational_security_item_id: - - waf_8 + - waf_8 plugin: - - aws + - aws service: - - AWS/WAF + - AWS/WAF +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_wafv2_rule_group_logging_enabled.yaml b/compliance/controls/aws/aws_wafv2_rule_group_logging_enabled.yaml index a3f7b28ae..30884655d 100755 --- a/compliance/controls/aws/aws_wafv2_rule_group_logging_enabled.yaml 
+++ b/compliance/controls/aws/aws_wafv2_rule_group_logging_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_wafv2_rule_group_logging_enabled Title: "AWS WAF rules should have CloudWatch metrics enabled" Description: "This control checks whether an AWS WAF rule or rule group has Amazon CloudWatch metrics enabled. The control fails if the rule or rule group doesn't have CloudWatch metrics enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,7 +20,9 @@ Query: aws_wafv2_rule_group; PrimaryTable: aws_wafv2_rule_group ListOfTables: - - aws_wafv2_rule_group + - aws_wafv2_rule_group Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_wafv2_web_acl_logging_enabled.yaml b/compliance/controls/aws/aws_wafv2_web_acl_logging_enabled.yaml index a6b2d70b0..f2da1a3cb 100755 --- a/compliance/controls/aws/aws_wafv2_web_acl_logging_enabled.yaml +++ b/compliance/controls/aws/aws_wafv2_web_acl_logging_enabled.yaml 
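Review bot: The control ID `aws_wafv2_rule_group_logging_enabled` says logging, while its Title and Description describe CloudWatch metrics on "rules or rule groups" and the PrimaryTable is `aws_wafv2_rule_group` alone, so the header does not tell a reader what is actually checked (the query body lies outside the hunk). Align the Title with the table the query evaluates, e.g. `Title: "AWS WAFv2 rule groups should have CloudWatch metrics enabled"`, and state in the Description whether individual rules are in scope. `Tags: {}` also leaves this control unmapped to any framework, unlike its WAF siblings in this diff.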
@@ -1,68 +1,52 @@ ID: aws_wafv2_web_acl_logging_enabled Title: "Logging should be enabled on AWS WAFv2 regional and global web access control list (ACLs)" Description: "To help with logging and monitoring within your environment, enable AWS WAF (V2) logging on regional and global web ACLs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when logging_configuration is null then 'alarm' - else 'ok' - end as status, - case - when logging_configuration is null then title || ' logging disabled.' - else title || ' logging enabled.' - end as reason - - , region, account_id - from - aws_wafv2_web_acl; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when logging_configuration is null then 'alarm'\n else 'ok'\n end as status,\n case\n when logging_configuration is null then title || ' logging disabled.'\n else title || ' logging enabled.'\n end as reason\n \n , region, account_id\nfrom\n aws_wafv2_web_acl;\n" PrimaryTable: aws_wafv2_web_acl ListOfTables: - - aws_wafv2_web_acl + - aws_wafv2_web_acl Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis_controls_v8_ig1: - - "true" + - "true" cisa_cyber_essentials: - - "true" + - "true" fedramp_low_rev_4: - - "true" + - "true" fedramp_moderate_rev_4: - - "true" + - "true" ffiec: - - "true" + - "true" gdpr: - - "true" + - "true" gxp_21_cfr_part_11: - - "true" + - "true" hipaa_final_omnibus_security_rule_2013: - - "true" + - "true" hipaa_security_rule_2003: - - "true" + - "true" nist_800_171_rev_2: - - "true" + - "true" nist_800_53_rev_4: - - "true" + - "true" nist_800_53_rev_5: - - "true" + - "true" nist_csf: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" plugin: - - aws + - aws rbi_cyber_security: - - "true" + - "true" service: - - AWS/WAFv2 + - AWS/WAFv2 soc_2: - - "true" + - "true" 
+IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_wafv2_web_acl_rule_attached.yaml b/compliance/controls/aws/aws_wafv2_web_acl_rule_attached.yaml index abd2b55e0..2bed3f23e 100755 --- a/compliance/controls/aws/aws_wafv2_web_acl_rule_attached.yaml +++ b/compliance/controls/aws/aws_wafv2_web_acl_rule_attached.yaml 
@@ -1,55 +1,26 @@ ID: aws_wafv2_web_acl_rule_attached Title: "A WAFV2 web ACL should have at least one rule or rule group" Description: "This control checks whether a WAFV2 web access control list (web ACL) contains at least one WAF rule or WAF rule group. The control fails if a web ACL does not contain any WAF rules or rule groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with rule_group_count as ( - select - arn, - count(*) as rule_group_count - from - aws_wafv2_web_acl, - jsonb_array_elements(rules) as r - where - r -> 'Statement' -> 'RuleGroupReferenceStatement' ->> 'ARN' is not null - group by - arn - ) - select - a.arn as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when rules is null or jsonb_array_length(rules) = 0 then 'alarm' - else 'ok' - end as status, - case - when rules is null or jsonb_array_length(rules) = 0 then title || ' has no attached rules.' - else title || ' has ' || c.rule_group_count || ' rule group(s) and ' || (jsonb_array_length(rules) - c.rule_group_count) || ' rule(s) attached.' 
- end as reason - - , region, account_id - from - aws_wafv2_web_acl as a - left join rule_group_count as c on c.arn = a.arn; + QueryToExecute: "with rule_group_count as (\n select\n arn,\n count(*) as rule_group_count\n from\n aws_wafv2_web_acl,\n jsonb_array_elements(rules) as r\n where\n r -> 'Statement' -> 'RuleGroupReferenceStatement' ->> 'ARN' is not null\n group by\n arn\n)\nselect\n a.arn as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when rules is null or jsonb_array_length(rules) = 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when rules is null or jsonb_array_length(rules) = 0 then title || ' has no attached rules.'\n else title || ' has ' || c.rule_group_count || ' rule group(s) and ' || (jsonb_array_length(rules) - c.rule_group_count) || ' rule(s) attached.'\n end as reason\n \n , region, account_id\nfrom\n aws_wafv2_web_acl as a\n left join rule_group_count as c on c.arn = a.arn;\n" PrimaryTable: aws_wafv2_web_acl ListOfTables: - - aws_wafv2_web_acl + - aws_wafv2_web_acl Parameters: [] Severity: medium Tags: aws_foundational_security: - - "true" + - "true" category: - - Compliance + - Compliance foundational_security_category: - - secure_network_configuration + - secure_network_configuration foundational_security_item_id: - - waf_10 + - waf_10 plugin: - - aws + - aws service: - - AWS/WAF + - AWS/WAF +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/aws/aws_workspaces_workspace_volume_encryption_enabled.yaml b/compliance/controls/aws/aws_workspaces_workspace_volume_encryption_enabled.yaml index 17ea990a7..551fe0649 100755 --- a/compliance/controls/aws/aws_workspaces_workspace_volume_encryption_enabled.yaml +++ b/compliance/controls/aws/aws_workspaces_workspace_volume_encryption_enabled.yaml 
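Review bot: In the new `reason` expression, `c.rule_group_count` is null for any web ACL whose rules contain no RuleGroupReferenceStatement, because the left join to the `rule_group_count` CTE finds no row; the `||` concatenation then turns the whole 'ok' reason into null. Use `coalesce(c.rule_group_count, 0)` in both places: `else title || ' has ' || coalesce(c.rule_group_count, 0) || ' rule group(s) and ' || (jsonb_array_length(rules) - coalesce(c.rule_group_count, 0)) || ' rule(s) attached.'`. The status branch is unaffected since it only inspects `rules`.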
@@ -1,35 +1,14 @@ ID: aws_workspaces_workspace_volume_encryption_enabled Title: "WorkSpaces root and user volume encryption should be enabled" Description: "To help protect data at rest, ensure encryption is enabled for your WorkSpaces root and user volumes." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when user_volume_encryption_enabled and root_volume_encryption_enabled then 'ok' - else 'alarm' - end as status, - case - when user_volume_encryption_enabled and root_volume_encryption_enabled then title || ' user and root volume encryption enabled.' - else - case - when not user_volume_encryption_enabled and not root_volume_encryption_enabled then title || ' user and root volume encryption disabled.' - when not root_volume_encryption_enabled then title || ' root volume encryption disabled.' - else title || ' user volume encryption disabled.' - end - end as reason - - - from - aws_workspaces_workspace; + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when user_volume_encryption_enabled and root_volume_encryption_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when user_volume_encryption_enabled and root_volume_encryption_enabled then title || ' user and root volume encryption enabled.'\n else\n case\n when not user_volume_encryption_enabled and not root_volume_encryption_enabled then title || ' user and root volume encryption disabled.'\n when not root_volume_encryption_enabled then title || ' root volume encryption disabled.'\n else title || ' user volume encryption disabled.'\n end\n end as reason\n \n \nfrom\n aws_workspaces_workspace;" PrimaryTable: aws_workspaces_workspace ListOfTables: - - aws_workspaces_workspace + - aws_workspaces_workspace Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml b/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml index 08c14223e..d02079511 100755 --- a/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml +++ b/compliance/controls/azure/azure_ad_guest_user_reviewed_monthly.yaml 
@@ -1,53 +1,33 @@ ID: azure_ad_guest_user_reviewed_monthly Title: "Ensure guest users are reviewed on a monthly basis" Description: "Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Guest users should be review on a monthly basis to ensure that inactive and unneeded accounts are removed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - u.display_name as resource, - u.og_account_id as og_account_id, - u.og_resource_id as og_resource_id, - case - when not account_enabled then 'alarm' - when u.created_date_time::timestamp <= (current_date - interval '30' day) then 'alarm' - else 'ok' - end as status, - case - when not account_enabled then 'Guest user ''' || u.display_name || ''' inactive.' - else 'Guest user ''' || u.display_name || ''' was created ' || extract(day from current_timestamp - u.created_date_time::timestamp) || ' days ago.' - end as reason, - t.tenant_id - - from - azuread_user as u - left join azure_tenant as t on t.tenant_id = u.tenant_id - where - u.user_type = 'Guest'; + QueryToExecute: "select\n u.display_name as resource,\n u.og_account_id as og_account_id,\n u.og_resource_id as og_resource_id,\n case\n when not account_enabled then 'alarm'\n when u.created_date_time::timestamp <= (current_date - interval '30' day) then 'alarm'\n else 'ok'\n end as status,\n case\n when not account_enabled then 'Guest user ''' || u.display_name || ''' inactive.'\n else 'Guest user ''' || u.display_name || ''' was created ' || extract(day from current_timestamp - u.created_date_time::timestamp) || ' days ago.'\n end as reason,\n t.tenant_id\n \nfrom\n azuread_user as u\n left join azure_tenant as t on t.tenant_id = u.tenant_id\nwhere\n u.user_type = 'Guest';\n" PrimaryTable: azuread_user ListOfTables: - - azure_tenant - - azuread_user + - azure_tenant + - azuread_user Parameters: [] Severity: medium Tags: category: - 
- Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.3" + - "1.3" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_apimanagement_service_client_certificate_enabled.yaml b/compliance/controls/azure/azure_apimanagement_service_client_certificate_enabled.yaml index 043e6b3c6..77fc0d6b7 100755 --- a/compliance/controls/azure/azure_apimanagement_service_client_certificate_enabled.yaml +++ b/compliance/controls/azure/azure_apimanagement_service_client_certificate_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_apimanagement_service_client_certificate_enabled Title: "API Management client certificate should be enabled" Description: "Ensure API Management client certificate is enabled. This control is non-compliant if API Management client certificate is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: azure_subscription sub; PrimaryTable: azure_api_management ListOfTables: - - azure_api_management - - azure_subscription + - azure_api_management + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_apimanagement_service_with_virtual_network.yaml b/compliance/controls/azure/azure_apimanagement_service_with_virtual_network.yaml index c18abeca2..b9b539d5e 100755 --- a/compliance/controls/azure/azure_apimanagement_service_with_virtual_network.yaml +++ b/compliance/controls/azure/azure_apimanagement_service_with_virtual_network.yaml 
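Review bot: The status logic in azure_ad_guest_user_reviewed_monthly marks every enabled guest whose `created_date_time` is more than 30 days old as 'alarm', and nothing in the query reflects whether a review happened, so a long-lived guest can never reach 'ok' and the control measures account age rather than the review cadence the Title promises; if an age-based prompt is the intent, say so in the Description, otherwise the check needs a review or sign-in signal if the table exposes one. `account_enabled` is also the only column left unqualified after the join to `azure_tenant`; write `when not u.account_enabled then 'alarm'` for consistency with the other references. The Description's "should be review on a monthly basis" is a typo for "reviewed".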
@@ -1,34 +1,19 @@ ID: azure_apimanagement_service_with_virtual_network Title: "API Management services should use a virtual network" Description: "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when virtual_network_type != 'None' then 'ok' - else 'alarm' - end as status, - a.name || ' Virtual network is set to ' || virtual_network_type as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_api_management a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when virtual_network_type != 'None' then 'ok'\n else 'alarm'\n end as status,\n a.name || ' Virtual network is set to ' || virtual_network_type as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_api_management a,\n azure_subscription sub;\n" PrimaryTable: azure_api_management ListOfTables: - - azure_api_management - - azure_subscription + - azure_api_management + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/APIManagement + - Azure/APIManagement +IntegrationTypeName: + - azure_subscription 
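Review bot: The new query's `from azure_api_management a, azure_subscription sub;` has no join condition, so in a tenant with more than one subscription every API Management service is reported once per subscription, each row carrying a different `subscription` display name. Add `where sub.subscription_id = a.subscription_id;` as azure_app_service_environment_internal_encryption_enabled in this diff does, or use an explicit join as azure_application_gateway_waf_enabled does. When `virtual_network_type` is null the `!=` comparison is null and the row lands on 'alarm', but the `reason` concatenation becomes null too; `coalesce(virtual_network_type, 'None')` keeps the message intact.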
diff --git a/compliance/controls/azure/azure_app_configuration_encryption_enabled.yaml b/compliance/controls/azure/azure_app_configuration_encryption_enabled.yaml index 7db547adf..16b1dad88 100755 --- a/compliance/controls/azure/azure_app_configuration_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_app_configuration_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_app_configuration_encryption_enabled Title: "App Configuration encryption should be enabled" Description: "Enabling App Configuration encryption helps protect and safeguard your data to meet your organizational security and compliance commitments." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: azure_subscription as sub; PrimaryTable: azure_app_configuration ListOfTables: - - azure_app_configuration - - azure_subscription + - azure_app_configuration + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_app_configuration_private_link_used.yaml b/compliance/controls/azure/azure_app_configuration_private_link_used.yaml index ecc7f0286..78f0d4ad6 100755 --- a/compliance/controls/azure/azure_app_configuration_private_link_used.yaml +++ b/compliance/controls/azure/azure_app_configuration_private_link_used.yaml 
@@ -1,44 +1,19 @@ ID: azure_app_configuration_private_link_used Title: "App Configuration should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- Only applicable to standard tier - when sku_name = 'free' then 'skip' - -- All networks, including the internet and private endpoints, can access this resource - -- Checking if all network enabled and no private endpoint then it's public access - when public_network_access = 'Enabled' and private_endpoint_connections is null then 'alarm' - when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then 'ok' - else 'alarm' - end as status, - case - when sku_name = 'free' then a.name || ' is of ' || sku_name || ' tier.' - when public_network_access = 'Enabled' and private_endpoint_connections is null then ' using public networks.' - when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then a.name || ' using private link.' - else a.name || ' not using private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_configuration as a, - azure_subscription as sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n -- Only applicable to standard tier\n when sku_name = 'free' then 'skip'\n -- All networks, including the internet and private endpoints, can access this resource\n -- Checking if all network enabled and no private endpoint then it's public access\n when public_network_access = 'Enabled' and private_endpoint_connections is null then 'alarm'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_name = 'free' then a.name || ' is of ' || sku_name || ' tier.'\n when public_network_access = 'Enabled' and private_endpoint_connections is null then ' using public networks.'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then a.name || ' using private link.'\n else a.name || ' not using private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_configuration as a,\n azure_subscription as sub;\n" PrimaryTable: azure_app_configuration ListOfTables: - - azure_app_configuration - - azure_subscription + - azure_app_configuration + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppConfiguration + - Azure/AppConfiguration +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_app_configuration_sku_standard.yaml b/compliance/controls/azure/azure_app_configuration_sku_standard.yaml index 9aeca2708..272de61d3 100755 --- a/compliance/controls/azure/azure_app_configuration_sku_standard.yaml 
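Review bot: The second `reason` branch, `then ' using public networks.'`, omits the `a.name ||` prefix every other branch carries, so that message arrives without naming the resource; it should be `when public_network_access = 'Enabled' and private_endpoint_connections is null then a.name || ' using public networks.'`. The status logic also returns 'ok' whenever an approved private endpoint exists even if `public_network_access` is still 'Enabled', which the in-query comment about all networks having access suggests is not the intent; if public access must be off to pass, the 'ok' branch needs `and public_network_access <> 'Enabled'`, depending on how that column is populated. The `from azure_app_configuration as a, azure_subscription as sub;` cross join lacks a subscription match, the same issue as in azure_apimanagement_service_with_virtual_network.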
+++ b/compliance/controls/azure/azure_app_configuration_sku_standard.yaml @@ -1,8 +1,6 @@ ID: azure_app_configuration_sku_standard Title: "App Configuration should use standard SKU" Description: "Ensure that App Configuration uses standard SKU tier. This control is non-compliant if App Configuration does not use standard SKU." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -20,8 +18,10 @@ Query: azure_subscription as sub; PrimaryTable: azure_app_configuration ListOfTables: - - azure_app_configuration - - azure_subscription + - azure_app_configuration + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_app_service_environment_internal_encryption_enabled.yaml b/compliance/controls/azure/azure_app_service_environment_internal_encryption_enabled.yaml index c461230c9..b72b99e1f 100755 --- a/compliance/controls/azure/azure_app_service_environment_internal_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_app_service_environment_internal_encryption_enabled.yaml 
@@ -1,50 +1,19 @@ ID: azure_app_service_environment_internal_encryption_enabled Title: "App Service Environment should enable internal encryption" Description: "Setting InternalEncryption to true encrypts the pagefile, worker disks, and internal network traffic between the front ends and workers in an App Service Environment." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with app_service_environment as ( - select - distinct id as id - from - azure_app_service_environment, - jsonb_array_elements(cluster_settings ) as s - where - s ->> 'name' = 'InternalEncryption' - and s ->> 'value' = 'true' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is not null then 'ok' - else 'alarm' - end as status, - case - when b.id is not null then a.title || ' internal encryption enabled.' - else a.name || ' internal encryption disabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_environment as a - left join app_service_environment as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with app_service_environment as (\n select\n distinct id as id\n from\n azure_app_service_environment,\n jsonb_array_elements(cluster_settings ) as s\n where\n s ->> 'name' = 'InternalEncryption'\n and s ->> 'value' = 'true'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is not null then a.title || ' internal encryption enabled.'\n else a.name || ' internal encryption disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_environment as a\n left join app_service_environment as b on a.id = b.id,\n azure_subscription as sub\nwhere\n 
sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_environment ListOfTables: - - azure_app_service_environment - - azure_subscription + - azure_app_service_environment + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_application_gateway_waf_enabled.yaml b/compliance/controls/azure/azure_application_gateway_waf_enabled.yaml index 3cd4e8a8e..6bfcb489e 100755 --- a/compliance/controls/azure/azure_application_gateway_waf_enabled.yaml +++ b/compliance/controls/azure/azure_application_gateway_waf_enabled.yaml 
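Review bot: The `reason` expression uses `a.title` in the 'ok' branch and `a.name` in the 'alarm' branch, so the two messages name the same resource differently; pick one, e.g. `when b.id is not null then a.name || ' internal encryption enabled.'`. The stray space in `jsonb_array_elements(cluster_settings )` is cosmetic but will survive every future regeneration of this string. This hunk does carry the `where sub.subscription_id = a.subscription_id` clause that the other Azure controls in this diff omit, which is the pattern they should follow.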
@@ -1,37 +1,19 @@ ID: azure_application_gateway_waf_enabled Title: "Web Application Firewall (WAF) should be enabled for Application Gateway" Description: "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - ag.id resource, - ag.og_account_id as og_account_id, - ag.og_resource_id as og_resource_id, - case - when web_application_firewall_configuration is not null then 'ok' - else 'alarm' - end as status, - case - when web_application_firewall_configuration is not null then ag.name || ' WAF enabled.' - else ag.name || ' WAF disabled.' 
- end as reason - - , ag.resource_group as resource_group - , sub.display_name as subscription - from - azure_application_gateway as ag - join azure_subscription as sub on sub.subscription_id = ag.subscription_id; + QueryToExecute: "select\n ag.id resource,\n ag.og_account_id as og_account_id,\n ag.og_resource_id as og_resource_id,\n case\n when web_application_firewall_configuration is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when web_application_firewall_configuration is not null then ag.name || ' WAF enabled.'\n else ag.name || ' WAF disabled.'\n end as reason\n \n , ag.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_application_gateway as ag\n join azure_subscription as sub on sub.subscription_id = ag.subscription_id;\n" PrimaryTable: azure_application_gateway ListOfTables: - - azure_application_gateway - - azure_subscription + - azure_application_gateway + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Network + - Azure/Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_application_gateway_waf_uses_specified_mode.yaml b/compliance/controls/azure/azure_application_gateway_waf_uses_specified_mode.yaml index 90e7d5fc5..9ecb84489 100755 --- a/compliance/controls/azure/azure_application_gateway_waf_uses_specified_mode.yaml +++ b/compliance/controls/azure/azure_application_gateway_waf_uses_specified_mode.yaml 
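Review bot: The new status line treats any non-null `web_application_firewall_configuration` as WAF enabled, but the Application Gateway WAF configuration object carries its own enabled flag (`enabled` in ARM; possibly `Enabled` here given the `PolicySettings` casing the sibling control reads from the same column), so a gateway whose WAF was switched off with the configuration left in place would be reported 'ok'. If that key is present in this table's JSON the check should read it, e.g. `when (web_application_firewall_configuration ->> 'enabled')::boolean then 'ok'`; confirm the key name against the column contents first. `ag.id resource` is the only projection in this diff written without `as`; use `ag.id as resource` for consistency.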
@@ -1,30 +1,15 @@ ID: azure_application_gateway_waf_uses_specified_mode Title: "Web Application Firewall (WAF) should use the specified mode for Application Gateway" Description: "Mandates the use of 'Detection' or 'Prevention' mode to be active on all Web Application Firewall policies for Application Gateway." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - ag.id as resource, - ag.og_account_id as og_account_id, - ag.og_resource_id as og_resource_id, - case - when (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') in ('Prevention','Detection') then 'ok' - else 'alarm' - end as status, - case - when (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') in ('Prevention','Detection') then ag.name || ' WAF mode is set to ' || (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') || '.' - else ag.name || ' WAF mode is not set to Prevention or Detection mode.' - end as reason - from - azure_application_gateway as ag - join azure_subscription as sub on sub.subscription_id = ag.subscription_id; + QueryToExecute: "select\n ag.id as resource,\n ag.og_account_id as og_account_id,\n ag.og_resource_id as og_resource_id,\n case\n when (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') in ('Prevention','Detection') then 'ok'\n else 'alarm'\n end as status,\n case\n when (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') in ('Prevention','Detection') then ag.name || ' WAF mode is set to ' || (web_application_firewall_configuration::json -> 'PolicySettings' ->> 'mode') || '.'\n else ag.name || ' WAF mode is not set to Prevention or Detection mode.' 
\n end as reason\nfrom\n azure_application_gateway as ag\n join azure_subscription as sub on sub.subscription_id = ag.subscription_id;" PrimaryTable: azure_application_gateway ListOfTables: - - azure_application_gateway - - azure_subscription + - azure_application_gateway + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_application_insights_block_log_ingestion_and_querying_from_public.yaml b/compliance/controls/azure/azure_application_insights_block_log_ingestion_and_querying_from_public.yaml index cf1cb42f3..416703de2 100755 --- a/compliance/controls/azure/azure_application_insights_block_log_ingestion_and_querying_from_public.yaml +++ b/compliance/controls/azure/azure_application_insights_block_log_ingestion_and_querying_from_public.yaml @@ -1,8 +1,6 @@ ID: azure_application_insights_block_log_ingestion_and_querying_from_public Title: "Application Insights components should block log ingestion and querying from public networks" Description: "Improve Application Insights security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs of this component. Learn more at https://aka.ms/AzMonPrivateLink#configure-application-insights." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: left join azure_subscription sub on sub.subscription_id = a.subscription_id; PrimaryTable: azure_application_insight ListOfTables: - - azure_application_insight - - azure_subscription + - azure_application_insight + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_api_app_client_certificates_on.yaml b/compliance/controls/azure/azure_appservice_api_app_client_certificates_on.yaml index acdf465f5..0b9cca796 100755 
--- a/compliance/controls/azure/azure_appservice_api_app_client_certificates_on.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_client_certificates_on.yaml 
@@ -1,58 +1,21 @@ ID: azure_appservice_api_app_client_certificates_on Title: "App Service apps should have Client Certificates (Incoming client certificates) enabled" Description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_api_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like '%api' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when client_cert_enabled then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when client_cert_enabled then a.name || ' client certificate enabled.' - else a.name || ' client certificate disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_api_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when client_cert_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when client_cert_enabled then a.name || ' client certificate enabled.'\n else a.name || ' client certificate disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_api_app_cors_no_star.yaml b/compliance/controls/azure/azure_appservice_api_app_cors_no_star.yaml index e732b57b7..ee7192bd7 100755 --- a/compliance/controls/azure/azure_appservice_api_app_cors_no_star.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_cors_no_star.yaml 
@@ -1,58 +1,21 @@ ID: azure_appservice_api_app_cors_no_star Title: "App Service apps should not have CORS configured to allow every resource to access your apps" Description: "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_api_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like '%api' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' then 'alarm' - else 'ok' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' then a.name || ' CORS allow all domains to access the application.' - else a.name || ' CORS does not all domains to access the application.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_api_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]' then a.name || ' CORS allow all domains to access the application.'\n else a.name || ' CORS does not all domains to access the application.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_api_app_ftps_enabled.yaml b/compliance/controls/azure/azure_appservice_api_app_ftps_enabled.yaml index 744f30eee..ce527cf7c 100755 --- a/compliance/controls/azure/azure_appservice_api_app_ftps_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_ftps_enabled.yaml 
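Review bot: The compliant-branch reason string in the new `QueryToExecute` is missing a verb and is emitted to users as-is: `' CORS does not all domains to access the application.'`. Change it to `else a.name || ' CORS does not allow all domains to access the application.'`.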
@@ -1,56 +1,19 @@ ID: azure_appservice_api_app_ftps_enabled Title: "FTPS only should be required in your API App" Description: "Enable FTPS enforcement for enhanced security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_api_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like '%api' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then a.name || ' FTPS disabled.' - else a.name || ' FTPS enabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_api_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then a.name || ' FTPS disabled.'\n else a.name || ' FTPS enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = 
b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_api_app_latest_tls_version.yaml b/compliance/controls/azure/azure_appservice_api_app_latest_tls_version.yaml index f52839776..6fc802471 100755 --- a/compliance/controls/azure/azure_appservice_api_app_latest_tls_version.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_latest_tls_version.yaml 
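Review bot: The status expression in the new `QueryToExecute` only alarms on `ftpsState = 'AllAllowed'`, so an API app whose `configuration -> 'properties'` has no `ftpsState` key compares as null and falls through to `'ok'`; whether an absent value means the platform default or a collection gap is not visible here, but a control about FTPS enforcement should not pass silently on missing data. One option is `when configuration -> 'properties' ->> 'ftpsState' is null or configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'`, with the reason branch adjusted to say the state is unset. The same pattern is in the azure_appservice_ftp_deployment_disabled hunk, in both halves of its union.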
@@ -1,58 +1,21 @@ ID: azure_appservice_api_app_latest_tls_version Title: "App Service apps should use the latest TLS version" Description: "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for App Service apps to take advantage of security fixes, if any, and/or new functionalities of the latest version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_api_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like '%api' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm' - else 'ok' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then a.name || ' not using the latest version of TLS encryption.' - else a.name || ' using the latest version of TLS encryption.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_api_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then a.name || ' not using the latest version of TLS encryption.'\n else a.name || ' using the latest version of TLS encryption.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_api_app_remote_debugging_disabled.yaml b/compliance/controls/azure/azure_appservice_api_app_remote_debugging_disabled.yaml index e8c0e7a81..e9f97fec1 100755 --- a/compliance/controls/azure/azure_appservice_api_app_remote_debugging_disabled.yaml 
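Review bot: In the new `QueryToExecute` the TLS check `configuration -> 'properties' ->> 'minTlsVersion' < '1.2'` yields null when the key is absent, and a null `when` condition falls to the `else`, so an app with no `minTlsVersion` setting is reported as `'ok'`; if the intent is that an unset value is acceptable, that assumption should be explicit rather than an artifact of null comparison. `when coalesce(configuration -> 'properties' ->> 'minTlsVersion', '') < '1.2' then 'alarm'` flags the unset case, or keep the current behaviour and add a comment above the query noting that unset is treated as compliant. The comparison is also a plain text comparison, which works for the `1.0`/`1.1`/`1.2`/`1.3` values but would misorder any future two-digit minor version; worth a short comment so the next maintainer does not assume numeric semantics.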
+++ b/compliance/controls/azure/azure_appservice_api_app_remote_debugging_disabled.yaml 
@@ -1,43 +1,21 @@ ID: azure_appservice_api_app_remote_debugging_disabled Title: "App Service apps should have remote debugging turned off" Description: "Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when kind <> 'api' then 'skip' - when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then 'ok' - else 'alarm' - end as status, - case - when kind <> 'api' then name || ' is of ' || kind || ' type.' - when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then name || ' remote debugging disabled.' - else name || ' remote debugging enabled.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when kind <> 'api' then 'skip'\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when kind <> 'api' then name || ' is of ' || kind || ' type.'\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then name || ' remote debugging disabled.'\n else name || ' remote debugging enabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: 
hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_api_app_use_https.yaml b/compliance/controls/azure/azure_appservice_api_app_use_https.yaml index d2b8af4d4..b002ad642 100755 --- a/compliance/controls/azure/azure_appservice_api_app_use_https.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_use_https.yaml 
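Review bot: The skip condition `when kind <> 'api' then 'skip'` in the new `QueryToExecute` disagrees with the sibling api-app controls in this commit, which split `kind` on commas and match `elem like '%api'`; a multi-valued kind such as `api,linux` (constructed example) would be skipped here but evaluated by the other controls, and a null `kind` makes the comparison null so the row falls through to the debugging check instead of being skipped. Reusing the same test keeps the set of evaluated apps consistent across the group: `when not exists (select from unnest(regexp_split_to_array(kind, ',')) elem where elem like '%api') then 'skip'` in both `case` expressions, or the `all_api_app` CTE the siblings use.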
@@ -1,60 +1,23 @@ ID: azure_appservice_api_app_use_https Title: "App Service API apps should only be accessible over HTTPS" Description: "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_api_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like '%api' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when not https_only then 'alarm' - else 'ok' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when not https_only then a.name || ' does not redirect all HTTP traffic to HTTPS.' - else a.name || ' redirects all HTTP traffic to HTTPS.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_api_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when not https_only then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when not https_only then a.name || ' does not redirect all HTTP traffic to HTTPS.'\n else a.name || ' redirects all HTTP traffic to HTTPS.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = 
b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_api_app_uses_managed_identity.yaml b/compliance/controls/azure/azure_appservice_api_app_uses_managed_identity.yaml index 023d63064..c2a6111d2 100755 --- a/compliance/controls/azure/azure_appservice_api_app_uses_managed_identity.yaml +++ b/compliance/controls/azure/azure_appservice_api_app_uses_managed_identity.yaml 
@@ -1,63 +1,21 @@ ID: azure_appservice_api_app_uses_managed_identity Title: "Managed identity should be used in your API App" Description: "Use a managed identity for enhanced authentication security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_api_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like '%api' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when - configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null - or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when - configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null - or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null - then a.name || ' uses managed identity.' 
- else a.name || ' not uses managed identity' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_api_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_api_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like '%api'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when\n configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null\n or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when\n configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null\n or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null\n then a.name || ' uses managed identity.'\n else a.name || ' not uses managed identity'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_api_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
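Review bot: The alarm reason string in the new `QueryToExecute`, `' not uses managed identity'`, is ungrammatical and lacks the trailing period every other reason in this hunk and its siblings carries. Change it to `else a.name || ' does not use managed identity.'`.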
diff --git a/compliance/controls/azure/azure_appservice_authentication_enabled.yaml b/compliance/controls/azure/azure_appservice_authentication_enabled.yaml index f5c4016a3..89bfad6b8 100755 --- a/compliance/controls/azure/azure_appservice_authentication_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_authentication_enabled.yaml 
@@ -1,53 +1,33 @@ ID: azure_appservice_authentication_enabled Title: "Ensure App Service authentication is set up for apps in Azure App Service" Description: "Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when not (auth_settings -> 'properties' ->> 'enabled') :: boolean then 'alarm' - else 'ok' - end as status, - case - when not (auth_settings -> 'properties' ->> 'enabled') :: boolean then name || ' authentication not set.' - else name || ' authentication set.' 
- end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when not (auth_settings -> 'properties' ->> 'enabled') :: boolean then 'alarm'\n else 'ok'\n end as status,\n case\n when not (auth_settings -> 'properties' ->> 'enabled') :: boolean then name || ' authentication not set.'\n else name || ' authentication set.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "9.1" + - "9.1" cis_level: - - "2" + - "2" cis_section_id: - - "9" + - "9" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_ftp_deployment_disabled.yaml b/compliance/controls/azure/azure_appservice_ftp_deployment_disabled.yaml index f14b235eb..ea0f99184 100755 --- a/compliance/controls/azure/azure_appservice_ftp_deployment_disabled.yaml +++ b/compliance/controls/azure/azure_appservice_ftp_deployment_disabled.yaml 
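Review bot: The status test in the new `QueryToExecute`, `when not (auth_settings -> 'properties' ->> 'enabled') :: boolean then 'alarm' else 'ok'`, evaluates to null when `auth_settings` has no `enabled` property, and a null condition falls to `'ok'`, so an app with no authentication settings at all is reported compliant by a CIS 9.1 control whose purpose is to catch exactly that. `when (auth_settings -> 'properties' ->> 'enabled') :: boolean is not true then 'alarm'` treats null as not enabled; apply the same change to the reason `case`. Whether `auth_settings` is always populated by the collector is not visible in this diff, so the null-safe form is the safer default either way.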
@@ -1,77 +1,34 @@ ID: azure_appservice_ftp_deployment_disabled Title: "Ensure FTP deployments are Disabled" Description: "By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - fa.id as resource, - fa.og_account_id as og_account_id, - fa.og_resource_id as og_resource_id, - 'azure_app_service_function_app' as og_table_name, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.' - else name || ' FTP deployments disabled.' - end as reason - - , fa.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app fa, - azure_subscription sub - where - sub.subscription_id = fa.subscription_id - union - select - wa.id as resource, - wa.og_account_id as og_account_id, - wa.og_resource_id as og_resource_id, - 'azure_app_service_web_app' as og_table_name, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.' - else name || ' FTP deployments disabled.' 
- end as reason - - , wa.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as wa, - azure_subscription as sub - where - sub.subscription_id = wa.subscription_id; + QueryToExecute: "select\n fa.id as resource,\n fa.og_account_id as og_account_id,\n fa.og_resource_id as og_resource_id,\n 'azure_app_service_function_app' as og_table_name,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n , fa.resource_group as resource_group\n , sub.display_name as subscription\n from\n azure_app_service_function_app fa,\n azure_subscription sub\n where\n sub.subscription_id = fa.subscription_id\nunion\n select\n wa.id as resource,\n wa.og_account_id as og_account_id,\n wa.og_resource_id as og_resource_id,\n 'azure_app_service_web_app' as og_table_name,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n , wa.resource_group as resource_group\n , sub.display_name as subscription\n from\n azure_app_service_web_app as wa,\n azure_subscription as sub\n where\n sub.subscription_id = wa.subscription_id;\n" PrimaryTable: "" ListOfTables: - - azure_app_service_function_app - - azure_app_service_web_app - - azure_subscription + - azure_app_service_function_app + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "9.10" + - "9.10" cis_level: - - "1" + - "1" cis_section_id: - - "9" + - "9" cis_type: - - automated + - automated 
cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_function_app_authentication_on.yaml b/compliance/controls/azure/azure_appservice_function_app_authentication_on.yaml index aa45816d1..6c6ea1d49 100755 --- a/compliance/controls/azure/azure_appservice_function_app_authentication_on.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_authentication_on.yaml @@ -1,8 +1,6 @@ ID: azure_appservice_function_app_authentication_on Title: "Ensure App Service authentication is set up for function apps in Azure App Service" Description: "Azure App Service authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = fa.subscription_id; PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_function_app_client_certificates_on.yaml b/compliance/controls/azure/azure_appservice_function_app_client_certificates_on.yaml index 2764d7704..d1b2f3b3d 100755 --- a/compliance/controls/azure/azure_appservice_function_app_client_certificates_on.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_client_certificates_on.yaml 
@@ -1,39 +1,19 @@ ID: azure_appservice_function_app_client_certificates_on Title: "Function apps should have 'Client Certificates (Incoming client certificates)' enabled" Description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when client_cert_enabled then 'ok' - else 'alarm' - end as status, - case - when client_cert_enabled then app.name || ' client certificate enabled.' - else app.name || ' client certificate disabled.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when client_cert_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when client_cert_enabled then app.name || ' client certificate enabled.'\n else app.name || ' client certificate disabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
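Review bot: The `QueryToExecute` value is rewritten from a `|` block scalar into one double-quoted string with escaped `\n`, which makes the SQL unreadable in the file and turns every future query edit into a single-line diff; the same conversion is made in the cors_no_star, ftps_enabled, latest_http_version, latest_java_version, latest_python_version, latest_tls_version, only_https_accessible, remote_debugging_disabled, restrict_public_acces, uses_managed_identity and web_app_client_certificates_on hunks. The loaded value is the same either way, so keeping `QueryToExecute: |` (as the authentication_on and plan_minimum_sku files in this same commit still do with `|-`) costs nothing. If a serializer produced this form, it is worth pinning its scalar style so the queries stay as block scalars.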
diff --git a/compliance/controls/azure/azure_appservice_function_app_cors_no_star.yaml b/compliance/controls/azure/azure_appservice_function_app_cors_no_star.yaml
index a681bcc18..6c484c530 100755
--- a/compliance/controls/azure/azure_appservice_function_app_cors_no_star.yaml
+++ b/compliance/controls/azure/azure_appservice_function_app_cors_no_star.yaml
@@ -1,42 +1,21 @@ ID: azure_appservice_function_app_cors_no_star Title: "Function apps should not have CORS configured to allow every resource to access your apps" Description: "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - b.id as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' - then b.name || ' CORS allow all domains to access the application.' - else b.name || ' CORS does not all domains to access the application.' - end as reason - - , b.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as b, - azure_subscription as sub - where - sub.subscription_id = b.subscription_id; + QueryToExecute: "select\n b.id as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]'\n then b.name || ' CORS allow all domains to access the application.'\n else b.name || ' CORS does not all domains to access the application.'\n end as reason\n \n , b.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as b,\n azure_subscription as sub\nwhere\n sub.subscription_id = b.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: high Tags: 
hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_function_app_ftps_enabled.yaml b/compliance/controls/azure/azure_appservice_function_app_ftps_enabled.yaml index 3d42f74cd..0430b25a7 100755 --- a/compliance/controls/azure/azure_appservice_function_app_ftps_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_ftps_enabled.yaml 
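Review bot: The non-alarm reason on the new side still reads `' CORS does not all domains to access the application.'`, which is missing its verb; it should be `else b.name || ' CORS does not allow all domains to access the application.'`. Since the commit already rewrites this string wholesale, fixing the wording here avoids touching the line a second time.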
@@ -1,56 +1,19 @@ ID: azure_appservice_function_app_ftps_enabled Title: "FTPS only should be required in your Function App" Description: "Enable FTPS enforcement for enhanced security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_function_app as ( - select - id - from - azure_app_service_function_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'functionapp%' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then a.name || ' FTPS disabled.' - else a.name || ' FTPS enabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as a - left join all_function_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_function_app as (\n select\n id\n from\n azure_app_service_function_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'functionapp%'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then a.name || ' FTPS disabled.'\n else a.name || ' FTPS enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n 
azure_app_service_function_app as a\n left join all_function_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_function_app_latest_http_version.yaml b/compliance/controls/azure/azure_appservice_function_app_latest_http_version.yaml index 82aa08df4..0b83ca863 100755 --- a/compliance/controls/azure/azure_appservice_function_app_latest_http_version.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_latest_http_version.yaml 
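Review bot: When `ftpsState` is absent from `configuration -> 'properties'`, the `->>` lookup yields null, `null = 'AllAllowed'` is null, and the row falls through to `'ok'`, so an app with no recorded FTPS setting is reported compliant; the latest_tls_version hunk has the same fall-through on `minTlsVersion`. A control titled "FTPS only should be required" should fail closed: add `when configuration -> 'properties' ->> 'ftpsState' is null then 'alarm'` (with a matching reason such as `a.name || ' FTPS state not set.'`) ahead of the `'AllAllowed'` branch, or report such rows as `'skip'` if an absent property is known to mean the platform default. Whether the collector always populates this key is not visible here, so confirm against the `azure_app_service_function_app` schema before choosing alarm versus skip.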
@@ -1,64 +1,19 @@ ID: azure_appservice_function_app_latest_http_version Title: "Ensure that 'HTTP Version' is the latest, if used to run the Function app" Description: "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_function_app as ( - select - id - from - azure_app_service_function_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'functionapp%' - ) - and - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem = 'linux' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'http20Enabled' = 'true' then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is not a linux function app.' - when configuration -> 'properties' ->> 'http20Enabled' = 'true' then a.name || ' using the latest HTTP version.' - else a.name || ' not using latest HTTP version.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as a - left join all_function_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_function_app as (\n select\n id\n from\n azure_app_service_function_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'functionapp%'\n )\n and\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem = 'linux'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'http20Enabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is not a linux function app.'\n when configuration -> 'properties' ->> 'http20Enabled' = 'true' then a.name || ' using the latest HTTP version.'\n else a.name || ' not using latest HTTP version.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as a\n left join all_function_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_function_app_latest_java_version.yaml b/compliance/controls/azure/azure_appservice_function_app_latest_java_version.yaml index 42517cb4d..bf47db0d7 100755 
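Review bot: The `all_function_app` CTE tests `kind` with two `exists (select from unnest(regexp_split_to_array(kind, ',')) elem where ...)` subqueries; the `'linux'` membership test reads more directly as `'linux' = any(regexp_split_to_array(kind, ','))`, assuming the engine passes this through to PostgreSQL as the `->>` and `unnest` usage suggests. The latest_java_version and latest_python_version hunks repeat the same two-subquery shape and would benefit from the same simplification.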
--- a/compliance/controls/azure/azure_appservice_function_app_latest_java_version.yaml
+++ b/compliance/controls/azure/azure_appservice_function_app_latest_java_version.yaml
@@ -1,66 +1,19 @@ ID: azure_appservice_function_app_latest_java_version Title: "Ensure that 'Java version' is the latest, if used as a part of the Function app" Description: "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_function_app as ( - select - id - from - azure_app_service_function_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'functionapp%' - ) - and - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem = 'linux' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'Java%' then 'ok' - when configuration -> 'properties' ->> 'linuxFxVersion' like '%11' then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is not of linux kind.' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'Java%' then a.name || ' not using JAVA version.' - when configuration -> 'properties' ->> 'linuxFxVersion' like '%11' then a.name || ' using the latest JAVA version.' - else a.name || ' not using latest JAVA version.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as a - left join all_function_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_function_app as (\n select\n id\n from\n azure_app_service_function_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'functionapp%'\n )\n and\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem = 'linux'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'Java%' then 'ok'\n when configuration -> 'properties' ->> 'linuxFxVersion' like '%11' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is not of linux kind.'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'Java%' then a.name || ' not using JAVA version.'\n when configuration -> 'properties' ->> 'linuxFxVersion' like '%11' then a.name || ' using the latest JAVA version.'\n else a.name || ' not using latest JAVA version.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as a\n left join all_function_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
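Review bot: The `like '%11'` test hard-codes Java 11 as "the latest", so any newer runtime reported in `linuxFxVersion` is flagged `'alarm'` with the reason `' not using latest JAVA version.'`; the latest_python_version hunk does the same with an exact `= 'Python|3.9'` match. Both controls would be less brittle comparing the parsed major version against a floor, e.g. `when substring(configuration -> 'properties' ->> 'linuxFxVersion' from 'Java\|(\d+)')::int >= 11 then 'ok'`, assuming the `Java|<major>` prefix the existing `'Java%'` pattern already relies on. The floor itself belongs in `Parameters` rather than in the query text, so the control can be raised without rewriting the SQL.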
diff --git a/compliance/controls/azure/azure_appservice_function_app_latest_python_version.yaml b/compliance/controls/azure/azure_appservice_function_app_latest_python_version.yaml
index 79c2eb893..8139ac744 100755
--- a/compliance/controls/azure/azure_appservice_function_app_latest_python_version.yaml
+++ b/compliance/controls/azure/azure_appservice_function_app_latest_python_version.yaml
@@ -1,66 +1,19 @@ ID: azure_appservice_function_app_latest_python_version Title: "Ensure that 'Python version' is the latest, if used as a part of the Function app" Description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_function_app as ( - select - id - from - azure_app_service_function_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'functionapp%' - ) - and - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem = 'linux' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'Python%' then 'ok' - when configuration -> 'properties' ->> 'linuxFxVersion' = 'Python|3.9' then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'Python%' then a.name || ' not using python version.' - when configuration -> 'properties' ->> 'linuxFxVersion' = 'Python|3.9' then a.name || ' using the latest python version.' - else a.name || ' not using latest python version.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as a - left join all_function_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_function_app as (\n select\n id\n from\n azure_app_service_function_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'functionapp%'\n )\n and\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem = 'linux'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'Python%' then 'ok'\n when configuration -> 'properties' ->> 'linuxFxVersion' = 'Python|3.9' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'Python%' then a.name || ' not using python version.'\n when configuration -> 'properties' ->> 'linuxFxVersion' = 'Python|3.9' then a.name || ' using the latest python version.'\n else a.name || ' not using latest python version.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as a\n left join all_function_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_appservice_function_app_latest_tls_version.yaml b/compliance/controls/azure/azure_appservice_function_app_latest_tls_version.yaml
index 1f4b12505..8d2d5ed17 100755
--- a/compliance/controls/azure/azure_appservice_function_app_latest_tls_version.yaml
+++ b/compliance/controls/azure/azure_appservice_function_app_latest_tls_version.yaml
@@ -1,41 +1,21 @@ ID: azure_appservice_function_app_latest_tls_version Title: "Function apps should use the latest TLS version" Description: "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then name || ' not using the latest version of TLS encryption.' - else name || ' using the latest version of TLS encryption.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then name || ' not using the latest version of TLS encryption.'\n else name || ' using the latest version of TLS encryption.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] 
Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_function_app_only_https_accessible.yaml b/compliance/controls/azure/azure_appservice_function_app_only_https_accessible.yaml index ea294fcdf..71ad1b41c 100755 --- a/compliance/controls/azure/azure_appservice_function_app_only_https_accessible.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_only_https_accessible.yaml 
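Review bot: The ok reason `' using the latest version of TLS encryption.'` overstates what the check establishes: the condition only rejects `minTlsVersion < '1.2'`, so a 1.2 minimum is reported as "latest" regardless of whether a newer minimum is available. Either word the reason as the floor it enforces, `name || ' enforces a TLS 1.2 minimum.'`, or raise the threshold and expose it through `Parameters`. The `<` is a text comparison; it orders the `'1.0'`/`'1.1'`/`'1.2'` forms correctly but would misorder a two-digit minor version, so a short comment stating that assumption would help the next reader.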
@@ -1,43 +1,23 @@ ID: azure_appservice_function_app_only_https_accessible Title: "Function apps should only be accessible over HTTPS" Description: "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when https_only then 'ok' - else 'alarm' - end as status, - case - when https_only then name || ' https-only accessible enabled.' - else name || ' https-only accessible disabled.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when https_only then 'ok'\n else 'alarm'\n end as status,\n case\n when https_only then name || ' https-only accessible enabled.'\n else name || ' https-only accessible disabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_appservice_function_app_remote_debugging_disabled.yaml b/compliance/controls/azure/azure_appservice_function_app_remote_debugging_disabled.yaml
index b76ea2c6a..b6638d30d 100755
--- a/compliance/controls/azure/azure_appservice_function_app_remote_debugging_disabled.yaml
+++ b/compliance/controls/azure/azure_appservice_function_app_remote_debugging_disabled.yaml
@@ -1,41 +1,21 @@ ID: azure_appservice_function_app_remote_debugging_disabled Title: "Function apps should have remote debugging turned off" Description: "Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then 'ok' - else 'alarm' - end as status, - case - when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then name || ' remote debugging disabled.' - else name || ' remote debugging enabled.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then name || ' remote debugging disabled.'\n else name || ' remote debugging enabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - 
azure_subscription
diff --git a/compliance/controls/azure/azure_appservice_function_app_restrict_public_acces.yaml b/compliance/controls/azure/azure_appservice_function_app_restrict_public_acces.yaml
index 7ddc131d6..92be11aa2 100755
--- a/compliance/controls/azure/azure_appservice_function_app_restrict_public_acces.yaml
+++ b/compliance/controls/azure/azure_appservice_function_app_restrict_public_acces.yaml
@@ -1,48 +1,15 @@ ID: azure_appservice_function_app_restrict_public_acces Title: "App Service function apps public access should be restricted" Description: "Anonymous public read access to function app in Azure App Service is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a function app unless your scenario requires it." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - ```sql - with public_function_app as ( - select - id - from - azure_app_service_function_app, - jsonb_array_elements(configuration -> 'properties' -> 'ipSecurityRestrictions') as r - where - r ->> 'ipAddress' = 'Any' - and r ->> 'action' = 'Allow' - ) - select - fa.id as resource, - fa.og_account_id as og_account_id, - fa.og_resource_id as og_resource_id, - case - when p.id is null then 'ok' - else 'alarm' - end as status, - case - when p.id is null then name || ' not publicly accessible.' - else name || ' publicly accessible.' 
- end as reason - - - - from - azure_app_service_function_app fa - left join public_function_app as p on p.id = fa.id, - azure_subscription sub - where - sub.subscription_id = fa.subscription_id; - ``` + QueryToExecute: "```sql\nwith public_function_app as (\n select\n id\n from\n azure_app_service_function_app,\n jsonb_array_elements(configuration -> 'properties' -> 'ipSecurityRestrictions') as r\n where\n r ->> 'ipAddress' = 'Any'\n and r ->> 'action' = 'Allow'\n)\nselect\n fa.id as resource,\n fa.og_account_id as og_account_id,\n fa.og_resource_id as og_resource_id,\n case\n when p.id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when p.id is null then name || ' not publicly accessible.'\n else name || ' publicly accessible.'\n end as reason\n \n \n \nfrom\n azure_app_service_function_app fa\n left join public_function_app as p on p.id = fa.id,\n azure_subscription sub\nwhere\n sub.subscription_id = fa.subscription_id;\n```" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_function_app_uses_managed_identity.yaml b/compliance/controls/azure/azure_appservice_function_app_uses_managed_identity.yaml index a8c65e0be..4cef67995 100755 --- a/compliance/controls/azure/azure_appservice_function_app_uses_managed_identity.yaml +++ b/compliance/controls/azure/azure_appservice_function_app_uses_managed_identity.yaml 
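Review bot: The new `QueryToExecute` string still begins with the line ```` ```sql ```` and ends with ```` ``` ````, i.e. the markdown fence markers that sat inside the original `|-` block are now part of the text handed to the engine; unless CloudQL strips them, this query cannot parse. Drop both fence lines so the value starts at `with public_function_app as (` and ends at `sub.subscription_id = fa.subscription_id;`. The select list also lacks the `resource_group` and `subscription` columns every sibling control in this commit emits (there are three whitespace-only lines where they would sit), so this control's output shape differs from the rest.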
@@ -1,63 +1,21 @@ ID: azure_appservice_function_app_uses_managed_identity Title: "Function apps should use managed identity" Description: "Use a managed identity for enhanced authentication security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_function_app as ( - select - id - from - azure_app_service_function_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'functionapp%' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when - configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null - or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when - configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null - or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null - then a.name || ' uses managed identity.' 
- else a.name || ' not uses managed identity' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_function_app as a - left join all_function_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_function_app as (\n select\n id\n from\n azure_app_service_function_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'functionapp%'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when\n configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null\n or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when\n configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null\n or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null\n then a.name || ' uses managed identity.'\n else a.name || ' not uses managed identity'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_function_app as a\n left join all_function_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app - - azure_subscription + - azure_app_service_function_app + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
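Review bot: The alarm reason `a.name || ' not uses managed identity'` is ungrammatical and, unlike every other reason string in this query, has no terminating period; `else a.name || ' does not use managed identity.'` matches the siblings. The check itself keys on `xManagedServiceIdentityId` / `managedServiceIdentityId` under `configuration -> 'properties'`; the table schema is not visible here, so it is worth confirming those keys are populated for both system-assigned and user-assigned identities rather than only one of them.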
diff --git a/compliance/controls/azure/azure_appservice_plan_minimum_sku.yaml b/compliance/controls/azure/azure_appservice_plan_minimum_sku.yaml index 74198ee8a..841f50caa 100755 --- a/compliance/controls/azure/azure_appservice_plan_minimum_sku.yaml +++ b/compliance/controls/azure/azure_appservice_plan_minimum_sku.yaml @@ -1,8 +1,6 @@ ID: azure_appservice_plan_minimum_sku Title: "Appservice plan should not use free, shared or basic SKU" Description: "The Free, Shared, and Basic plans are suitable for constrained testing and development purposes. This control is considered non-compliant when free, shared, or basic SKUs are utilized." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_app_service_plan ListOfTables: - - azure_app_service_plan - - azure_subscription + - azure_app_service_plan + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_always_on.yaml b/compliance/controls/azure/azure_appservice_web_app_always_on.yaml index 54abc52a9..a67a3fbe3 100755 --- a/compliance/controls/azure/azure_appservice_web_app_always_on.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_always_on.yaml @@ -1,8 +1,6 @@ ID: azure_appservice_web_app_always_on Title: "Web apps should be configured to always be on" Description: "This control ensures that a web app is configured with settings to keep it consistently active. Always On feature of Azure App Service, keeps the host process running. This allows your site to be more responsive to requests after significant idle periods." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_client_certificates_on.yaml b/compliance/controls/azure/azure_appservice_web_app_client_certificates_on.yaml index 062788993..bee347f55 100755 --- a/compliance/controls/azure/azure_appservice_web_app_client_certificates_on.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_client_certificates_on.yaml 
@@ -1,58 +1,21 @@ ID: azure_appservice_web_app_client_certificates_on Title: "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled" Description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_web_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'app%' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when client_cert_enabled then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when client_cert_enabled then a.name || ' client certificate enabled.' - else a.name || ' client certificate disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_web_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_web_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'app%'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when client_cert_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when client_cert_enabled then a.name || ' client certificate enabled.'\n else a.name || ' client certificate disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_web_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_cors_no_star.yaml b/compliance/controls/azure/azure_appservice_web_app_cors_no_star.yaml index 6fdf10ca3..805cab6f3 100755 --- a/compliance/controls/azure/azure_appservice_web_app_cors_no_star.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_cors_no_star.yaml 
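Review bot: The replacement `QueryToExecute` on the new side of this hunk turns a 30-line `|` block scalar into a single double-quoted string with embedded `\n`, which is harder to read and diff and, because double quotes process escape sequences, forces every `"` and `\` in the SQL to be escaped (the CORS control in this same commit already needs `'[\"*\"]'`). The converted string also keeps the original's blank line as `\n \n`, so a line consisting of one trailing space is now part of the query text. Keeping `QueryToExecute: |-` with the SQL indented beneath it, as the azure_appservice_plan_minimum_sku and _always_on files in this commit still do, preserves the query byte-for-byte with no escaping. The same conversion appears in the azure_appservice_web_app_cors_no_star, _diagnostic_logs_enabled, _ftps_enabled, _incoming_client_cert_on, _latest_http_version, _latest_java_version, _latest_php_version and _latest_python_version hunks.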
@@ -1,40 +1,19 @@ ID: azure_appservice_web_app_cors_no_star Title: "App Service apps should not have CORS configured to allow every resource to access your apps" Description: "Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '["*"]' - then a.name || ' CORS allow all domains to access the application.' - else a.name || ' CORS does not all domains to access the application.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' -> 'cors' -> 'allowedOrigins' @> '[\"*\"]'\n then a.name || ' CORS allow all domains to access the application.'\n else a.name || ' CORS does not all domains to access the application.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - 
"true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_diagnostic_logs_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_diagnostic_logs_enabled.yaml index 8a417a086..9f0ff019f 100755 --- a/compliance/controls/azure/azure_appservice_web_app_diagnostic_logs_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_diagnostic_logs_enabled.yaml 
@@ -1,52 +1,21 @@ ID: azure_appservice_web_app_diagnostic_logs_enabled Title: "App Service apps should have resource logs enabled" Description: "Audit enabling of resource logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when (a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool - and (a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool - and (a.configuration-> 'properties' -> 'requestTracingEnabled')::bool - then 'ok' - else 'alarm' - end as status, - case - when (a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool - and (a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool - and (a.configuration-> 'properties' -> 'requestTracingEnabled')::bool - then a.name || ' diagnostic logs enabled.' - else a.title || ' diagnostic logs disabled.' - -- concat_ws(', ', - -- case when not ((a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool) then 'detailed_Error_Logging_Enabled' end, - -- case when not ((a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool) then 'http_logging_enabled' end, - -- case when not ((a.configuration-> 'properties' -> 'requestTracingEnabled')::bool) then 'request_tracing_enabled' end - -- ) || '.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when (a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool\n and (a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool\n and (a.configuration-> 'properties' -> 'requestTracingEnabled')::bool\n then 'ok'\n else 'alarm'\n end as status,\n case\n when (a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool\n and (a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool\n and (a.configuration-> 'properties' -> 'requestTracingEnabled')::bool\n then a.name || ' diagnostic logs enabled.'\n else a.title || ' diagnostic logs disabled.'\n -- concat_ws(', ',\n -- case when not ((a.configuration-> 'properties' -> 'detailedErrorLoggingEnabled')::bool) then 'detailed_Error_Logging_Enabled' end,\n -- case when not ((a.configuration -> 'properties' -> 'httpLoggingEnabled')::bool) then 'http_logging_enabled' end,\n -- case when not ((a.configuration-> 'properties' -> 'requestTracingEnabled')::bool) then 'request_tracing_enabled' end\n -- ) || '.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
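Review bot: The new `QueryToExecute` string still carries the five commented-out `-- concat_ws(', ', ...)` lines inside the alarm branch of the reason expression, so dead SQL is now embedded in a quoted scalar where it is even harder to notice or revive. Either delete those lines or finish the idea so the reason names which of `detailedErrorLoggingEnabled`, `httpLoggingEnabled` and `requestTracingEnabled` is off, which is what an operator triaging the alarm needs. The ok branch uses `a.name` while the alarm branch uses `a.title`; pick one so the reason column is consistent across rows.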
diff --git a/compliance/controls/azure/azure_appservice_web_app_failed_request_tracing_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_failed_request_tracing_enabled.yaml index a2121e4f6..460e1ed8b 100755 --- a/compliance/controls/azure/azure_appservice_web_app_failed_request_tracing_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_failed_request_tracing_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_appservice_web_app_failed_request_tracing_enabled Title: "Web app failed request tracing should be enabled" Description: "Ensure that Web app enables failed request tracing. This control is non-compliant if Web app failed request tracing is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_ftps_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_ftps_enabled.yaml index 11ab2ca16..57c2811f3 100755 --- a/compliance/controls/azure/azure_appservice_web_app_ftps_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_ftps_enabled.yaml 
@@ -1,56 +1,19 @@ ID: azure_appservice_web_app_ftps_enabled Title: "FTPS should be required in your Web App" Description: "Enable FTPS enforcement for enhanced security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_web_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'app%' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then a.name || ' FTPS disabled.' - else a.name || ' FTPS enabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_web_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_web_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'app%'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then a.name || ' FTPS disabled.'\n else a.name || ' FTPS enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_web_app as b on a.id = b.id,\n 
azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_health_check_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_health_check_enabled.yaml index a0c33471d..6a5b67b03 100755 --- a/compliance/controls/azure/azure_appservice_web_app_health_check_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_health_check_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_appservice_web_app_health_check_enabled Title: "Web apps should have health check enabled" Description: "Health check increases your application's availability by rerouting requests away from unhealthy instances and replacing instances if they remain unhealthy." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_http_logs_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_http_logs_enabled.yaml index 3cd575af5..b0583cacc 100755 --- a/compliance/controls/azure/azure_appservice_web_app_http_logs_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_http_logs_enabled.yaml 
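Review bot: The status expression in the new `QueryToExecute` reports `ok` whenever `ftpsState` is not exactly `AllAllowed`, which includes the case where the property is missing from `configuration -> 'properties'`, because `null = 'AllAllowed'` is null and the `case` falls through to the `else`. An app with no recorded `ftpsState` is therefore reported as "FTPS enabled" although nothing was verified. If an absent value should count as not enforced, test for it explicitly, e.g. `when configuration -> 'properties' ->> 'ftpsState' is null or configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'`; otherwise give null its own `skip` branch with a reason, as the `b.id is null` branch already does for non-app kinds.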
@@ -1,8 +1,6 @@ ID: azure_appservice_web_app_http_logs_enabled Title: "Web app HTTP logs should be enabled" Description: "Ensure that Web app HTTP logs is enabled. This control is non-compliant if Web app HTTP logs is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_incoming_client_cert_on.yaml b/compliance/controls/azure/azure_appservice_web_app_incoming_client_cert_on.yaml index 348e3e678..304ac0be7 100755 --- a/compliance/controls/azure/azure_appservice_web_app_incoming_client_cert_on.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_incoming_client_cert_on.yaml 
@@ -1,53 +1,33 @@ ID: azure_appservice_web_app_incoming_client_cert_on Title: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'" Description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when not client_cert_enabled then 'alarm' - else 'ok' - end as status, - case - when not client_cert_enabled then name || ' incoming client certificates set to off.' - else name || ' incoming client certificates set to on.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when not client_cert_enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when not client_cert_enabled then name || ' incoming client certificates set to off.'\n else name || ' incoming client certificates set to on.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "9.4" + - "9.4" cis_level: - - "2" + - "2" cis_section_id: - - "9" + - "9" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - 
azure + - azure service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_dotnet_framework_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_dotnet_framework_version.yaml index 9684a7f22..d84252d26 100755 --- a/compliance/controls/azure/azure_appservice_web_app_latest_dotnet_framework_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_dotnet_framework_version.yaml @@ -1,8 +1,6 @@ ID: azure_appservice_web_app_latest_dotnet_framework_version Title: "Web app should use the latest 'Net Framework' version" Description: "Periodically, newer versions are released for Net Framework software either due to security flaws or to include additional functionality. Using the latest Net Framework for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -44,8 +42,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_http_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_http_version.yaml index 3dcf6f7fd..f11a7d43c 100755 --- a/compliance/controls/azure/azure_appservice_web_app_latest_http_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_http_version.yaml 
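Review bot: `when not client_cert_enabled then 'alarm' else 'ok'` in the new `QueryToExecute` reports `ok` when `client_cert_enabled` is null, since `not null` is null and the `case` falls to the `else`; the sibling azure_appservice_web_app_client_certificates_on hunk in this same commit evaluates the identical column the other way round (`when client_cert_enabled then 'ok' else 'alarm'`) and so alarms on null. The two controls share the same Description and check but disagree on nulls and on whether non-`app` kinds are skipped, so the CIS 9.4 result here can differ from the NIST-tagged one for the same app; `when client_cert_enabled then 'ok' else 'alarm'` would align them, or a comment should say why a null is allowed to pass. `name` and `client_cert_enabled` are also unqualified in a two-table `from`; `app.name` and `app.client_cert_enabled` are safer against column-name overlap with azure_subscription.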
@@ -1,53 +1,33 @@ ID: azure_appservice_web_app_latest_http_version Title: "Ensure that 'HTTP Version' is the latest, if used to run the Web app" Description: "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version. Currently, this policy only applies to Linux web apps." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when not (configuration -> 'properties' ->> 'http20Enabled') :: boolean then 'alarm' - else 'ok' - end as status, - case - when not (configuration -> 'properties' ->> 'http20Enabled') :: boolean then name || ' HTTP version not latest.' - else name || ' HTTP version is latest.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when not (configuration -> 'properties' ->> 'http20Enabled') :: boolean then 'alarm'\n else 'ok'\n end as status,\n case\n when not (configuration -> 'properties' ->> 'http20Enabled') :: boolean then name || ' HTTP version not latest.'\n else name || ' HTTP version is latest.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: 
category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "9.9" + - "9.9" cis_level: - - "1" + - "1" cis_section_id: - - "9" + - "9" cis_type: - - manual + - manual cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_java_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_java_version.yaml index ca6a5cbed..a3af1231a 100755 --- a/compliance/controls/azure/azure_appservice_web_app_latest_java_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_java_version.yaml 
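Review bot: `when not (configuration -> 'properties' ->> 'http20Enabled') :: boolean then 'alarm' else 'ok'` in the new `QueryToExecute` passes an app whose `http20Enabled` property is absent, because `not null` is null and the `case` falls to `else 'ok'`; `when coalesce((configuration -> 'properties' ->> 'http20Enabled') :: boolean, false) then 'ok' else 'alarm'` fails closed instead. The Description states the policy only applies to Linux web apps, yet unlike the _latest_java/_php/_python hunks in this commit the query has no `kind` filter and evaluates every row of azure_app_service_web_app; either add the `all_web_app` CTE with the `elem = 'linux'` test or drop that sentence from the Description. `name` is also unqualified in a two-table `from` and should be `app.name`.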
@@ -1,66 +1,19 @@ ID: azure_appservice_web_app_latest_java_version Title: "Ensure that 'Java version' is the latest, if used as a part of the Web app" Description: "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_web_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'app%' - ) - and - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem = 'linux' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'JAVA%' then 'ok' - when configuration -> 'properties' ->> 'linuxFxVersion' like '%11' then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'JAVA%' then a.name || ' not using JAVA version.' - when configuration -> 'properties' ->> 'linuxFxVersion' like '%11' then a.name || ' using the latest JAVA version.' - else a.name || ' not using latest JAVA version.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_web_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_web_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'app%'\n )\n and\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem = 'linux'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'JAVA%' then 'ok'\n when configuration -> 'properties' ->> 'linuxFxVersion' like '%11' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'JAVA%' then a.name || ' not using JAVA version.'\n when configuration -> 'properties' ->> 'linuxFxVersion' like '%11' then a.name || ' using the latest JAVA version.'\n else a.name || ' not using latest JAVA version.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_web_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
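Review bot: The new `QueryToExecute` hard-codes the accepted runtime as `linuxFxVersion like '%11'`, so the definition of "latest" is a literal buried inside a quoted scalar, and `not like 'JAVA%'` marks every other `linuxFxVersion` prefix `ok` — if Java can also appear under a different prefix those apps are never assessed, which is worth confirming. The version literal is a candidate for the control's `Parameters` list (currently `[]`) so it can be raised without editing SQL; the same pattern appears in the _latest_php_version (`= 'PHP|8.0'`) and _latest_python_version (`= 'PYTHON|3.9'`) hunks, and the three use different matching (`like '%11'` versus exact equality) for no stated reason. If the engine does not support query parameters, a comment such as `-- accepted runtime: JAVA 11; update when the accepted version changes` inside the SQL would at least make the review cadence explicit.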
diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_php_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_php_version.yaml index 4cc58186b..1a09a948a 100755 --- a/compliance/controls/azure/azure_appservice_web_app_latest_php_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_php_version.yaml 
@@ -1,66 +1,19 @@ ID: azure_appservice_web_app_latest_php_version Title: "Ensure that 'PHP version' is the latest, if used as a part of the WEB app" Description: "Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_web_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'app%' - ) - and - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem = 'linux' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'PHP%' then 'ok' - when configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'PHP%' then a.name || ' not using php version.' - when configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' then a.name || ' using the latest php version.' - else a.name || ' not using latest php version.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_web_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_web_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'app%'\n )\n and\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem = 'linux'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'PHP%' then 'ok'\n when configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'PHP%' then a.name || ' not using php version.'\n when configuration -> 'properties' ->> 'linuxFxVersion' = 'PHP|8.0' then a.name || ' using the latest php version.'\n else a.name || ' not using latest php version.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_web_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_python_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_python_version.yaml index 2c8840b85..bf78b3836 100755 --- a/compliance/controls/azure/azure_appservice_web_app_latest_python_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_python_version.yaml 
@@ -1,66 +1,19 @@ ID: azure_appservice_web_app_latest_python_version Title: "Ensure that 'Python version' is the latest, if used as a part of the Web app" Description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_web_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'app%' - ) - and - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem = 'linux' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'PYTHON%' then 'ok' - when configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is not of linux kind.' - when configuration -> 'properties' ->> 'linuxFxVersion' not like 'PYTHON%' then a.name || ' not using python version.' - when configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' then a.name || ' using the latest python version.' - else a.name || ' not using latest python version.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_web_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_web_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'app%'\n )\n and\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem = 'linux'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'PYTHON%' then 'ok'\n when configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is not of linux kind.'\n when configuration -> 'properties' ->> 'linuxFxVersion' not like 'PYTHON%' then a.name || ' not using python version.'\n when configuration -> 'properties' ->> 'linuxFxVersion' = 'PYTHON|3.9' then a.name || ' using the latest python version.'\n else a.name || ' not using latest python version.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_web_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
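Review bot: The skip reason in the new `QueryToExecute`, `a.title || ' is not of linux kind.'`, is inaccurate for part of the skipped rows: the `all_web_app` CTE requires both `elem like 'app%'` and `elem = 'linux'`, so a Linux app whose kind does not start with `app` receives the same message. The sibling _latest_java_version and _latest_php_version hunks use `a.title || ' is ' || a.kind || ' kind.'`, which reports the actual kind; using that text here keeps the three runtime controls consistent.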
diff --git a/compliance/controls/azure/azure_appservice_web_app_latest_tls_version.yaml b/compliance/controls/azure/azure_appservice_web_app_latest_tls_version.yaml index 56fc470d3..758cc2c9c 100755 --- a/compliance/controls/azure/azure_appservice_web_app_latest_tls_version.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_latest_tls_version.yaml 
@@ -1,53 +1,33 @@ ID: azure_appservice_web_app_latest_tls_version Title: "Latest TLS version should be used in your Web App" Description: "Upgrade to the latest TLS version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then name || ' not using the latest version of TLS encryption.' - else name || ' using the latest version of TLS encryption.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then name || ' not using the latest version of TLS encryption.'\n else name || ' using the latest version of TLS encryption.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "9.3" + - "9.3" cis_level: - - "1" + - "1" cis_section_id: - - "9" + - "9" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - 
azure service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_register_with_active_directory_enabled.yaml b/compliance/controls/azure/azure_appservice_web_app_register_with_active_directory_enabled.yaml index 471e93ec2..a9a044ef0 100755 --- a/compliance/controls/azure/azure_appservice_web_app_register_with_active_directory_enabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_register_with_active_directory_enabled.yaml 
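Review bot: The rewritten `QueryToExecute` on the new side of this hunk folds the multi-line SQL into one double-quoted scalar with escaped `\n`, so every future change to the query shows up as a single changed line and stray whitespace such as `end as reason\n \n` becomes part of the value; the `QueryToExecute: |` block scalar the removed lines used should be kept. The same reformatting appears in the hunks for azure_appservice_web_app_register_with_active_directory_enabled, ..._remote_debugging_disabled, ..._use_https, ..._use_virtual_service_endpoint, ..._uses_managed_identity, azure_arc_compute_machine_linux/windows_log_analytics_agent_installed, azure_batch_account_encrypted_with_cmk and azure_batch_account_logging_enabled, and the two Arc queries additionally lose the indentation of their `from` clause. Separately, `configuration -> 'properties' ->> 'minTlsVersion' < '1.2'` is null when the property is absent, so an app with no recorded `minTlsVersion` falls into `else 'ok'`; if the control is meant to fail closed, `when coalesce(configuration -> 'properties' ->> 'minTlsVersion', '') < '1.2' then 'alarm'` does that for both the status and the reason branch.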
@@ -1,53 +1,33 @@ ID: azure_appservice_web_app_register_with_active_directory_enabled Title: "Ensure that Register with Azure Active Directory is enabled on App Service" Description: "Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when identity = '{}' then 'alarm' - else 'ok' - end as status, - case - when identity = '{}' then name || ' register with azure active directory disabled.' - else name || ' register with azure active directory enabled.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when identity = '{}' then 'alarm'\n else 'ok'\n end as status,\n case\n when identity = '{}' then name || ' register with azure active directory disabled.'\n else name || ' register with azure active directory enabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "9.5" + - "9.5" 
cis_level: - - "1" + - "1" cis_section_id: - - "9" + - "9" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_remote_debugging_disabled.yaml b/compliance/controls/azure/azure_appservice_web_app_remote_debugging_disabled.yaml index ebcf08c10..69de0a3a2 100755 --- a/compliance/controls/azure/azure_appservice_web_app_remote_debugging_disabled.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_remote_debugging_disabled.yaml 
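Review bot: `when identity = '{}' then 'alarm' else 'ok'` reports an app whose `identity` column is null as registered, because a null comparison is neither true nor false and the case falls through to `else 'ok'`; for a control that asserts a managed identity is present, `when identity is null or identity = '{}' then 'alarm'` covers both shapes, and the reason expression needs the same condition. The `Description` could also state which identity shape counts as registered (any non-empty `identity` object), since the query only distinguishes empty from non-empty.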
@@ -1,43 +1,21 @@ ID: azure_appservice_web_app_remote_debugging_disabled Title: "Remote debugging should be turned off for Web Applications" Description: "Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when kind = 'api' then 'skip' - when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then 'ok' - else 'alarm' - end as status, - case - when kind = 'api' then name || ' is of ' || kind || ' type.' - when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then name || ' remote debugging disabled.' - else name || ' remote debugging enabled.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when kind = 'api' then 'skip'\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when kind = 'api' then name || ' is of ' || kind || ' type.'\n when configuration -> 'properties' ->> 'remoteDebuggingEnabled' = 'false' then name || ' remote debugging disabled.'\n else name || ' remote debugging enabled.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: 
hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_slot_use_https.yaml b/compliance/controls/azure/azure_appservice_web_app_slot_use_https.yaml index 11b284d65..642d10a96 100755 --- a/compliance/controls/azure/azure_appservice_web_app_slot_use_https.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_slot_use_https.yaml @@ -1,8 +1,6 @@ ID: azure_appservice_web_app_slot_use_https Title: "Web app slot should only be accessible over HTTPS" Description: "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_app_service_web_app_slot ListOfTables: - - azure_app_service_web_app_slot - - azure_subscription + - azure_app_service_web_app_slot + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_use_https.yaml b/compliance/controls/azure/azure_appservice_web_app_use_https.yaml index a85d5ab65..bc79d2910 100755 --- a/compliance/controls/azure/azure_appservice_web_app_use_https.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_use_https.yaml 
@@ -1,53 +1,33 @@ ID: azure_appservice_web_app_use_https Title: "Web Application should only be accessible over HTTPS" Description: "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - app.id as resource, - app.og_account_id as og_account_id, - app.og_resource_id as og_resource_id, - case - when not https_only then 'alarm' - else 'ok' - end as status, - case - when not https_only then name || ' does not redirect all HTTP traffic to HTTPS.' - else name || ' redirects all HTTP traffic to HTTPS.' - end as reason - - , app.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as app, - azure_subscription as sub - where - sub.subscription_id = app.subscription_id; + QueryToExecute: "select\n app.id as resource,\n app.og_account_id as og_account_id,\n app.og_resource_id as og_resource_id,\n case\n when not https_only then 'alarm'\n else 'ok'\n end as status,\n case\n when not https_only then name || ' does not redirect all HTTP traffic to HTTPS.'\n else name || ' redirects all HTTP traffic to HTTPS.'\n end as reason\n \n , app.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "9.2" + - "9.2" cis_level: - - "1" + - "1" cis_section_id: - - "9" + - "9" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
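Review bot: `when not https_only then 'alarm' else 'ok'` treats a null `https_only` as compliant, because `not null` is null and the case ends in `else 'ok'`; an HTTPS-enforcement control should fail closed, and `when https_only is not true then 'alarm'` catches both false and null. The reason expression two lines below has the same structure and needs the same condition so status and reason stay in agreement.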
diff --git a/compliance/controls/azure/azure_appservice_web_app_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_appservice_web_app_use_virtual_service_endpoint.yaml index 84cdfab7f..a4a068892 100755 --- a/compliance/controls/azure/azure_appservice_web_app_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_use_virtual_service_endpoint.yaml 
@@ -1,39 +1,19 @@ ID: azure_appservice_web_app_use_virtual_service_endpoint Title: "App Service apps should use a virtual network service endpoint" Description: "Use virtual network service endpoints to restrict access to your app from selected subnets from an Azure virtual network. To learn more about App Service service endpoints, visit https://aks.ms/appservice-vnet-service-endpoint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when vnet_connection -> 'properties' -> 'vnetResourceId' is not null then 'ok' - else 'alarm' - end as status, - case - when vnet_connection -> 'properties' -> 'vnetResourceId' is not null then a.name || ' configured with virtual network service endpoint.' - else a.name || ' not configured with virtual network service endpoint.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when vnet_connection -> 'properties' -> 'vnetResourceId' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when vnet_connection -> 'properties' -> 'vnetResourceId' is not null then a.name || ' configured with virtual network service endpoint.'\n else a.name || ' not configured with virtual network service endpoint.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: medium Tags: 
hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_appservice_web_app_uses_managed_identity.yaml b/compliance/controls/azure/azure_appservice_web_app_uses_managed_identity.yaml index 366396130..69adcc9ea 100755 --- a/compliance/controls/azure/azure_appservice_web_app_uses_managed_identity.yaml +++ b/compliance/controls/azure/azure_appservice_web_app_uses_managed_identity.yaml 
@@ -1,63 +1,21 @@ ID: azure_appservice_web_app_uses_managed_identity Title: "App Service apps should use managed identity" Description: "Use a managed identity for enhanced authentication security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_web_app as ( - select - id - from - azure_app_service_web_app - where - exists ( - select - from - unnest(regexp_split_to_array(kind, ',')) elem - where - elem like 'app%' - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is null then 'skip' - when - configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null - or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null then 'ok' - else 'alarm' - end as status, - case - when b.id is null then a.title || ' is ' || a.kind || ' kind.' - when - configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null - or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null - then a.name || ' uses managed identity.' 
- else a.name || ' not uses managed identity' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_app_service_web_app as a - left join all_web_app as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with all_web_app as (\n select\n id\n from\n azure_app_service_web_app\n where\n exists (\n select\n from\n unnest(regexp_split_to_array(kind, ',')) elem\n where\n elem like 'app%'\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is null then 'skip'\n when\n configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null\n or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.id is null then a.title || ' is ' || a.kind || ' kind.'\n when\n configuration -> 'properties' ->> 'xManagedServiceIdentityId' is not null\n or configuration -> 'properties' ->> 'managedServiceIdentityId' is not null\n then a.name || ' uses managed identity.'\n else a.name || ' not uses managed identity'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_app_service_web_app as a\n left join all_web_app as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/AppService + - Azure/AppService +IntegrationTypeName: + - azure_subscription 
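Review bot: The reason text `a.name || ' not uses managed identity'` is ungrammatical and is the only branch in this query (and among the sibling App Service controls in this diff) without a trailing period; `else a.name || ' does not use managed identity.'`. This control also detects a managed identity from `configuration -> 'properties' ->> 'xManagedServiceIdentityId'` / `'managedServiceIdentityId'`, while azure_appservice_web_app_register_with_active_directory_enabled in the same diff checks `identity = '{}'` on the same table; if both are meant to reflect the same setting, it is worth confirming they agree, since an app could presumably pass one and fail the other.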
diff --git a/compliance/controls/azure/azure_arc_compute_machine_linux_log_analytics_agent_installed.yaml b/compliance/controls/azure/azure_arc_compute_machine_linux_log_analytics_agent_installed.yaml index e01d73bbd..60d8c0163 100755 --- a/compliance/controls/azure/azure_arc_compute_machine_linux_log_analytics_agent_installed.yaml +++ b/compliance/controls/azure/azure_arc_compute_machine_linux_log_analytics_agent_installed.yaml 
@@ -1,55 +1,19 @@ ID: azure_arc_compute_machine_linux_log_analytics_agent_installed Title: "Log Analytics extension should be installed on your Linux Azure Arc machines" Description: "This policy audits Linux Azure Arc machines if the Log Analytics extension is not installed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with compute_machine as( - select - id, - name, - subscription_id, - resource_group - from - azure_hybrid_compute_machine, - jsonb_array_elements(extensions) as e - where - e ->> 'name' = 'OMSAgentForLinux' - and e ->> 'provisioningState' = 'Succeeded' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_name <> 'linux' then 'skip' - when m.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_name <> 'linux' then a.name || ' is of ' || a.os_name || ' operating system.' - when m.id is not null then a.name || ' log analytics extension installed.' - else a.name || ' log analytics extension not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_hybrid_compute_machine as a - left join compute_machine as m on m.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_hybrid_compute_machine,\n jsonb_array_elements(extensions) as e\n where\n e ->> 'name' = 'OMSAgentForLinux'\n and e ->> 'provisioningState' = 'Succeeded'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_name <> 'linux' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_name <> 'linux' then a.name || ' is of ' || a.os_name || ' operating system.'\n when m.id is not null then a.name || ' log analytics extension installed.'\n else a.name || ' log analytics extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\nazure_hybrid_compute_machine as a\nleft join compute_machine as m on m.id = a.id,\nazure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_hybrid_compute_machine ListOfTables: - - azure_hybrid_compute_machine - - azure_subscription + - azure_hybrid_compute_machine + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_arc_compute_machine_windows_log_analytics_agent_installed.yaml b/compliance/controls/azure/azure_arc_compute_machine_windows_log_analytics_agent_installed.yaml index 3097a2810..28e490e92 100755 --- a/compliance/controls/azure/azure_arc_compute_machine_windows_log_analytics_agent_installed.yaml 
+++ b/compliance/controls/azure/azure_arc_compute_machine_windows_log_analytics_agent_installed.yaml 
@@ -1,55 +1,19 @@ ID: azure_arc_compute_machine_windows_log_analytics_agent_installed Title: "Log Analytics extension should be installed on your Windows Azure Arc machines" Description: "This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with compute_machine as( - select - id, - name, - subscription_id, - resource_group - from - azure_hybrid_compute_machine, - jsonb_array_elements(extensions) as e - where - e ->> 'name' = 'MicrosoftMonitoringAgent' - and e ->> 'provisioningState' = 'Succeeded' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_name <> 'windows' then 'skip' - when m.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_name <> 'windows' then a.name || ' is of ' || a.os_name || ' operating system.' - when m.id is not null then a.name || ' log analytics extension installed.' - else a.name || ' log analytics extension not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_hybrid_compute_machine as a - left join compute_machine as m on m.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_hybrid_compute_machine,\n jsonb_array_elements(extensions) as e\n where\n e ->> 'name' = 'MicrosoftMonitoringAgent'\n and e ->> 'provisioningState' = 'Succeeded'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_name <> 'windows' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_name <> 'windows' then a.name || ' is of ' || a.os_name || ' operating system.'\n when m.id is not null then a.name || ' log analytics extension installed.'\n else a.name || ' log analytics extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\nazure_hybrid_compute_machine as a\nleft join compute_machine as m on m.id = a.id,\nazure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_hybrid_compute_machine ListOfTables: - - azure_hybrid_compute_machine - - azure_subscription + - azure_hybrid_compute_machine + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_arc_kubernetes_cluster_azure_defender_extension_installed.yaml b/compliance/controls/azure/azure_arc_kubernetes_cluster_azure_defender_extension_installed.yaml index be2f07e8b..58f4110b9 100755 --- a/compliance/controls/azure/azure_arc_kubernetes_cluster_azure_defender_extension_installed.yaml 
+++ b/compliance/controls/azure/azure_arc_kubernetes_cluster_azure_defender_extension_installed.yaml @@ -1,8 +1,6 @@ ID: azure_arc_kubernetes_cluster_azure_defender_extension_installed Title: "Azure Arc enabled Kubernetes clusters should have Microsoft Defender for Cloud extension installed" Description: "Microsoft Defender for Cloud extension for Azure Arc provides threat protection for your Arc enabled Kubernetes clusters. The extension collects data from all nodes in the cluster and sends it to the Azure Defender for Kubernetes backend in the cloud for further analysis." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_audit_diagnostic_setting.yaml b/compliance/controls/azure/azure_audit_diagnostic_setting.yaml index 0e70493c6..824e79c64 100755 --- a/compliance/controls/azure/azure_audit_diagnostic_setting.yaml +++ b/compliance/controls/azure/azure_audit_diagnostic_setting.yaml @@ -1,8 +1,6 @@ ID: azure_audit_diagnostic_setting Title: "Audit diagnostic setting for selected resource types" Description: "Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_authorize_access_to_security_functions_and_information.yaml b/compliance/controls/azure/azure_authorize_access_to_security_functions_and_information.yaml index d8c3370ca..5cc245da0 100755 --- a/compliance/controls/azure/azure_authorize_access_to_security_functions_and_information.yaml +++ b/compliance/controls/azure/azure_authorize_access_to_security_functions_and_information.yaml 
@@ -1,8 +1,6 @@ ID: azure_authorize_access_to_security_functions_and_information Title: "Authorize access to security functions and information" Description: "CMA_0022 - Authorize access to security functions and information." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_automation_account_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_automation_account_encrypted_with_cmk.yaml index 7c5e9e4ea..ada04ef58 100755 --- a/compliance/controls/azure/azure_automation_account_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_automation_account_encrypted_with_cmk.yaml @@ -1,8 +1,6 @@ ID: azure_automation_account_encrypted_with_cmk Title: "Azure Automation accounts should use customer-managed keys to encrypt data at rest" Description: "Use customer-managed keys to manage the encryption at rest of your Azure Automation Accounts. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/automation-cmk." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_automation_account_variable_encryption_enabled.yaml b/compliance/controls/azure/azure_automation_account_variable_encryption_enabled.yaml index 4bde2e54d..85b483e5a 100755 --- a/compliance/controls/azure/azure_automation_account_variable_encryption_enabled.yaml 
+++ b/compliance/controls/azure/azure_automation_account_variable_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_automation_account_variable_encryption_enabled Title: "Automation account variables should be encrypted" Description: "It is important to enable encryption of Automation account variable assets when storing sensitive data" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,12 +23,14 @@ Query: azure_subscription as sub; PrimaryTable: azure_automation_variable ListOfTables: - - azure_automation_variable - - azure_subscription + - azure_automation_variable + - azure_subscription Parameters: [] Severity: high Tags: pci_dss_v321: - - "true" + - "true" service: - - Azure/Automation + - Azure/Automation +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_batch_account_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_batch_account_encrypted_with_cmk.yaml index d2196d77b..230269370 100755 --- a/compliance/controls/azure/azure_batch_account_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_batch_account_encrypted_with_cmk.yaml 
@@ -1,39 +1,19 @@ ID: azure_batch_account_encrypted_with_cmk Title: "Azure Batch account should use customer-managed keys to encrypt data" Description: "Use customer-managed keys to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - batch.id as resource, - batch.og_account_id as og_account_id, - batch.og_resource_id as og_resource_id, - case - when encryption ->> 'keySource' = 'Microsoft.KeyVault' then 'ok' - else 'alarm' - end as status, - case - when encryption ->> 'keySource' = 'Microsoft.KeyVault' then batch.name || ' encrypted with CMK.' - else batch.name || ' not encrypted with CMK.' 
- end as reason - - , batch.resource_group as resource_group - , sub.display_name as subscription - from - azure_batch_account as batch, - azure_subscription as sub - where - sub.subscription_id = batch.subscription_id; + QueryToExecute: "select\n batch.id as resource,\n batch.og_account_id as og_account_id,\n batch.og_resource_id as og_resource_id,\n case\n when encryption ->> 'keySource' = 'Microsoft.KeyVault' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption ->> 'keySource' = 'Microsoft.KeyVault' then batch.name || ' encrypted with CMK.'\n else batch.name || ' not encrypted with CMK.'\n end as reason\n \n , batch.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_batch_account as batch,\n azure_subscription as sub\nwhere\n sub.subscription_id = batch.subscription_id;\n" PrimaryTable: azure_batch_account ListOfTables: - - azure_batch_account - - azure_subscription + - azure_batch_account + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Batch + - Azure/Batch +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_batch_account_identity_provider_enabled.yaml b/compliance/controls/azure/azure_batch_account_identity_provider_enabled.yaml index e2c0120b3..c137da312 100755 --- a/compliance/controls/azure/azure_batch_account_identity_provider_enabled.yaml +++ b/compliance/controls/azure/azure_batch_account_identity_provider_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_batch_account_identity_provider_enabled Title: "Batch accounts identity provider should be enabled" Description: "Ensure that managed identity provider is enabled for the batch account. This control is non-compliant if batch account identity provider is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = b.subscription_id; PrimaryTable: azure_batch_account ListOfTables: - - azure_batch_account - - azure_subscription + - azure_batch_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_batch_account_logging_enabled.yaml b/compliance/controls/azure/azure_batch_account_logging_enabled.yaml index e7160f9e0..78755a8cc 100755 --- a/compliance/controls/azure/azure_batch_account_logging_enabled.yaml +++ b/compliance/controls/azure/azure_batch_account_logging_enabled.yaml 
@@ -1,69 +1,21 @@
ID: azure_batch_account_logging_enabled
Title: "Resource logs in Batch accounts should be enabled"
Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with logging_details as (
- select
- distinct name as account_name
- from
- azure_batch_account,
- jsonb_array_elements(diagnostic_settings) setting,
- jsonb_array_elements(setting -> 'properties' -> 'logs') log
- where
- diagnostic_settings is not null
- and (
- (
- (log ->> 'enabled') :: boolean
- and (log -> 'retentionPolicy' ->> 'enabled') :: boolean
- and (log -> 'retentionPolicy') :: JSONB ? 'days'
- )
- or
- (
- (log ->> 'enabled') :: boolean
- and (
- log -> 'retentionPolicy' ->> 'enabled' <> 'true'
- or setting -> 'properties' ->> 'storageAccountId' = ''
- )
- )
- )
- )
- select
- v.id as resource,
- v.og_account_id as og_account_id,
- v.og_resource_id as og_resource_id,
- case
- when v.diagnostic_settings is null then 'alarm'
- when l.account_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when v.diagnostic_settings is null then v.name || ' logging not enabled.'
- when l.account_name is null then v.name || ' logging not enabled.'
- else v.name || ' logging enabled.'
- end as reason
-
- , v.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_batch_account as v
- left join logging_details as l on v.name = l.account_name,
- azure_subscription as sub
- where
- sub.subscription_id = v.subscription_id;
+ QueryToExecute: "with logging_details as (\n select\n distinct name as account_name\n from\n azure_batch_account,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and (\n (\n (log ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy' ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy') :: JSONB ? 'days'\n )\n or\n (\n (log ->> 'enabled') :: boolean\n and (\n log -> 'retentionPolicy' ->> 'enabled' <> 'true'\n or setting -> 'properties' ->> 'storageAccountId' = ''\n )\n )\n )\n)\nselect\n v.id as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when v.diagnostic_settings is null then 'alarm'\n when l.account_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when v.diagnostic_settings is null then v.name || ' logging not enabled.'\n when l.account_name is null then v.name || ' logging not enabled.'\n else v.name || ' logging enabled.'\n end as reason\n \n , v.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_batch_account as v\n left join logging_details as l on v.name = l.account_name,\n azure_subscription as sub\nwhere\n sub.subscription_id = v.subscription_id;\n"
PrimaryTable: azure_batch_account
ListOfTables:
- - azure_batch_account
- - azure_subscription
+ - azure_batch_account
+ - azure_subscription
Parameters: []
Severity: medium
Tags:
hipaa_hitrust_v92:
- - "true"
+ - "true"
nist_sp_800_53_rev_5:
- - "true"
+ - "true"
service:
- - Azure/Batch
+ - Azure/Batch
+IntegrationTypeName:
+ - azure_subscription
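Review bot: The rewritten query still joins `logging_details` back on `v.name = l.account_name` rather than on the resource id, so a Batch account with no diagnostic settings is reported `logging enabled` whenever another account of the same name — in a different subscription or region, if the inventory spans several — has an enabled log category; this is an audit-evidence control (tagged HIPAA/NIST), so a false `ok` is a real blind spot. Selecting `id` in the CTE (`distinct id as account_id`) and joining on `v.id = l.account_id` pins the result to the resource. Note also that the second `or` branch accepts a log whose retention policy is disabled or whose `storageAccountId` is empty, so `ok` here only means a category is switched on, which the reason text `' logging enabled.'` overstates. Separately, collapsing the `|` block scalar into one double-quoted line of `\n` escapes makes the SQL unreviewable in place; keeping `QueryToExecute: |` as the neighbouring files do would be the more readable form.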
diff --git a/compliance/controls/azure/azure_bot_service_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_bot_service_encrypted_with_cmk.yaml
index cceb479b1..051f91b3b 100755
--- a/compliance/controls/azure/azure_bot_service_encrypted_with_cmk.yaml
+++ b/compliance/controls/azure/azure_bot_service_encrypted_with_cmk.yaml
@@ -1,8 +1,6 @@
ID: azure_bot_service_encrypted_with_cmk
Title: "Bot Service should be encrypted with a customer-managed key"
Description: "Azure Bot Service automatically encrypts your resource to protect your data and meet organizational security and compliance commitments. By default, Microsoft-managed encryption keys are used. For greater flexibility in managing keys or controlling access to your subscription, select customer-managed keys, also known as bring your own key (BYOK). Learn more about Azure Bot Service encryption: https://docs.microsoft.com/azure/bot-service/bot-service-encryption."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_1.yaml b/compliance/controls/azure/azure_cis_v130_1_1.yaml
index c8beb3a92..16ca0ed8d 100755
--- a/compliance/controls/azure/azure_cis_v130_1_1.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_1.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_1
Title: "1.1 Ensure that multi-factor authentication is enabled for all privileged users"
Description: "Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like 'Service Co-Administrators', 'Subscription Owners', 'Contributors'."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_10.yaml b/compliance/controls/azure/azure_cis_v130_1_10.yaml
index 890b213ae..cb63beaf7 100755
--- a/compliance/controls/azure/azure_cis_v130_1_10.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_10.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_10
Title: "1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'"
Description: "Require administrators to provide consent for the apps before use."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_11.yaml b/compliance/controls/azure/azure_cis_v130_1_11.yaml
index dd47b78e9..0ea8ee9de 100755
--- a/compliance/controls/azure/azure_cis_v130_1_11.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_11.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_11
Title: "1.11 Ensure that 'Users can register applications' is set to 'No'"
Description: "Require administrators to register third-party applications."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_12.yaml b/compliance/controls/azure/azure_cis_v130_1_12.yaml
index ca11d1a13..d46811747 100755
--- a/compliance/controls/azure/azure_cis_v130_1_12.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_12.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_12
Title: "1.12 Ensure that 'Guest user permissions are limited' is set to 'Yes'"
Description: "Limit guest user permissions."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_13.yaml b/compliance/controls/azure/azure_cis_v130_1_13.yaml
index 91df5d230..bfcc801e2 100755
--- a/compliance/controls/azure/azure_cis_v130_1_13.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_13.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_13
Title: "1.13 Ensure that 'Members can invite' is set to 'No'"
Description: "Restrict invitations to administrators only."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_14.yaml b/compliance/controls/azure/azure_cis_v130_1_14.yaml
index bcad5616f..5bd037341 100755
--- a/compliance/controls/azure/azure_cis_v130_1_14.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_14.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_14
Title: "1.14 Ensure that 'Guests can invite' is set to 'No'"
Description: "Restrict guest being able to invite other guests to collaborate with your organization."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_15.yaml b/compliance/controls/azure/azure_cis_v130_1_15.yaml
index 01b48a478..2f4cb9b2f 100755
--- a/compliance/controls/azure/azure_cis_v130_1_15.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_15.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_15
Title: "1.15 Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes'"
Description: "Restrict access to the Azure AD administration portal to administrators only."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_16.yaml b/compliance/controls/azure/azure_cis_v130_1_16.yaml
index a89c838cb..950520bd6 100755
--- a/compliance/controls/azure/azure_cis_v130_1_16.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_16.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_16
Title: "1.16 Ensure that 'Restrict user ability to access groups features in the Access Pane' is set to 'No'"
Description: "Restrict group creation to administrators only."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_17.yaml b/compliance/controls/azure/azure_cis_v130_1_17.yaml
index 41ef59593..11ea8719a 100755
--- a/compliance/controls/azure/azure_cis_v130_1_17.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_17.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_17
Title: "1.17 Ensure that 'Users can create security groups in Azure Portals' is set to 'No'"
Description: "Restrict security group creation to administrators only."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_18.yaml b/compliance/controls/azure/azure_cis_v130_1_18.yaml
index 7b5f103d4..4684092a0 100755
--- a/compliance/controls/azure/azure_cis_v130_1_18.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_18.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_18
Title: "1.18 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'"
Description: "Restrict security group management to administrators only."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_19.yaml b/compliance/controls/azure/azure_cis_v130_1_19.yaml
index 36cc8b5d3..a14e96c90 100755
--- a/compliance/controls/azure/azure_cis_v130_1_19.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_19.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_19
Title: "1.19 Ensure that 'Users can create Microsoft 365 groups in Azure Portals' is set to 'No'"
Description: "Restrict Microsoft 365 group creation to administrators only."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_2.yaml b/compliance/controls/azure/azure_cis_v130_1_2.yaml
index 71ac2d99a..7dfd8029e 100755
--- a/compliance/controls/azure/azure_cis_v130_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_2.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_2
Title: "1.2 Ensure that multi-factor authentication is enabled for all non- privileged users"
Description: "Enable multi-factor authentication for all non-privileged users."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_20.yaml b/compliance/controls/azure/azure_cis_v130_1_20.yaml
index 54e616715..e52af0e66 100755
--- a/compliance/controls/azure/azure_cis_v130_1_20.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_20.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_20
Title: "1.20 Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes'"
Description: "Joining devices to the active directory should require Multi-factor authentication."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_21.yaml b/compliance/controls/azure/azure_cis_v130_1_21.yaml
index eaa1e36bc..32d9f8c82 100755
--- a/compliance/controls/azure/azure_cis_v130_1_21.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_21.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_21
Title: "1.21 Ensure that no custom subscription owner roles are created"
Description: "Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -46,8 +44,10 @@ Query:
sub.display_name;
PrimaryTable: azure_role_definition
ListOfTables:
- - azure_role_definition
- - azure_subscription
+ - azure_role_definition
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_22.yaml b/compliance/controls/azure/azure_cis_v130_1_22.yaml
index 965891635..6e74f6f9d 100755
--- a/compliance/controls/azure/azure_cis_v130_1_22.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_22.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_22
Title: "1.22 Ensure Security Defaults is enabled on Azure Active Directory"
Description: "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_23.yaml b/compliance/controls/azure/azure_cis_v130_1_23.yaml
index 6ee79f221..9f474440c 100755
--- a/compliance/controls/azure/azure_cis_v130_1_23.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_23.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_23
Title: "1.23 Ensure Custom Role is assigned for Administering Resource Locks"
Description: "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_3.yaml b/compliance/controls/azure/azure_cis_v130_1_3.yaml
index 3ea63a0d4..baceff2be 100755
--- a/compliance/controls/azure/azure_cis_v130_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_3.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_3
Title: "1.3 Ensure guest users are reviewed on a monthly basis"
Description: "Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Guest users should be review on a monthly basis to ensure that inactive and unneeded accounts are removed."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
u.user_type = 'Guest';
PrimaryTable: azuread_user
ListOfTables:
- - azure_tenant
- - azuread_user
+ - azure_tenant
+ - azuread_user
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_4.yaml b/compliance/controls/azure/azure_cis_v130_1_4.yaml
index eb07b2572..0c71d76ea 100755
--- a/compliance/controls/azure/azure_cis_v130_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_4.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_4
Title: "1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'"
Description: "Do not allow users to remember multi-factor authentication on devices."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_5.yaml b/compliance/controls/azure/azure_cis_v130_1_5.yaml
index 2490bec48..61a1d637c 100755
--- a/compliance/controls/azure/azure_cis_v130_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_5.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_5
Title: "1.5 Ensure that 'Number of methods required to reset' is set to '2'"
Description: "Ensure that two alternate forms of identification are provided before allowing a password reset."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_6.yaml b/compliance/controls/azure/azure_cis_v130_1_6.yaml
index 33be5a94b..88cdf0536 100755
--- a/compliance/controls/azure/azure_cis_v130_1_6.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_6.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_6
Title: "1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to 0"
Description: "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_7.yaml b/compliance/controls/azure/azure_cis_v130_1_7.yaml
index b3d8bdc5b..0ce2540dc 100755
--- a/compliance/controls/azure/azure_cis_v130_1_7.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_7.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_7
Title: "1.7 Ensure that 'Notify users on password resets?' is set to 'Yes'"
Description: "Ensure that users are notified on their primary and secondary emails on password resets."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_8.yaml b/compliance/controls/azure/azure_cis_v130_1_8.yaml
index 1f02884ba..18662d818 100755
--- a/compliance/controls/azure/azure_cis_v130_1_8.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_8.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_8
Title: "1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'"
Description: "Ensure that all administrators are notified if any other administrator resets their password."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_1_9.yaml b/compliance/controls/azure/azure_cis_v130_1_9.yaml
index cf07a1237..fff9d43eb 100755
--- a/compliance/controls/azure/azure_cis_v130_1_9.yaml
+++ b/compliance/controls/azure/azure_cis_v130_1_9.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_1_9
Title: "1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'"
Description: "Require administrators to provide consent for the apps before use."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_1.yaml b/compliance/controls/azure/azure_cis_v130_2_1.yaml
index d4c9d8020..49d2cae11 100755
--- a/compliance/controls/azure/azure_cis_v130_2_1.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_1.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_1
Title: "2.1 Ensure that Azure Defender is set to On for Servers"
Description: "Turning on Azure Defender enables threat detection for Server, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
name = 'VirtualMachines';
PrimaryTable: azure_security_center_subscription_pricing
ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_10.yaml b/compliance/controls/azure/azure_cis_v130_2_10.yaml
index 95a3e34d4..0089f5711 100755
--- a/compliance/controls/azure/azure_cis_v130_2_10.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_10.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_10
Title: "2.10 Ensure that Microsoft Cloud App Security (MCAS) integration with Security Center is selected"
Description: "This setting enables Microsoft Cloud App Security (MCAS) integration with Security Center."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
name = 'MCAS';
PrimaryTable: azure_security_center_setting
ListOfTables:
- - azure_security_center_setting
- - azure_subscription
+ - azure_security_center_setting
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_11.yaml b/compliance/controls/azure/azure_cis_v130_2_11.yaml
index bcc5f4586..21b3d9ca5 100755
--- a/compliance/controls/azure/azure_cis_v130_2_11.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_11.yaml
@@ -1,32 +1,15 @@
ID: azure_cis_v130_2_11
Title: "2.11 Ensure that 'Automatic provisioning of monitoring agent' is set to 'On'"
Description: "Enable automatic provisioning of the monitoring agent to collect security data."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- sc_prov.id as resource,
- sc_prov.og_account_id as og_account_id,
- sc_prov.og_resource_id as og_resource_id,
- case
- when auto_provision = 'On' then 'ok'
- else 'alarm'
- end as status,
- case
- when auto_provision = 'On' then 'Automatic provisioning of monitoring agent is on.'
- else 'Automatic provisioning of monitoring agent is off.'
- end as reason
-
-
- from
- azure_security_center_auto_provisioning sc_prov
- right join azure_subscription sub on sc_prov.subscription_id = sub.subscription_id;
+ QueryToExecute: "select\n sc_prov.id as resource,\n sc_prov.og_account_id as og_account_id,\n sc_prov.og_resource_id as og_resource_id,\n case\n when auto_provision = 'On' then 'ok'\n else 'alarm'\n end as status,\n case\n when auto_provision = 'On' then 'Automatic provisioning of monitoring agent is on.'\n else 'Automatic provisioning of monitoring agent is off.'\n end as reason\n \n \nfrom\n azure_security_center_auto_provisioning sc_prov\n right join azure_subscription sub on sc_prov.subscription_id = sub.subscription_id;"
PrimaryTable: azure_security_center_auto_provisioning
ListOfTables:
- - azure_security_center_auto_provisioning
- - azure_subscription
+ - azure_security_center_auto_provisioning
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_12.yaml b/compliance/controls/azure/azure_cis_v130_2_12.yaml
index 802220d5e..e3c8e9f99 100755
--- a/compliance/controls/azure/azure_cis_v130_2_12.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_12.yaml
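Review bot: In the rewritten `QueryToExecute` the `right join azure_subscription` deliberately keeps subscriptions that have no auto-provisioning row, but `resource`, `og_account_id` and `og_resource_id` are all read from `sc_prov`, so exactly those subscriptions — the ones that fail the control — come back as an `alarm` with a null resource that cannot be attributed to anything. The select list should fall back to the subscription's identifiers, e.g. `coalesce(sc_prov.id, sub.id) as resource` (assuming `azure_subscription` exposes an `id` column — confirm against the schema), and `auto_provision` should be qualified as `sc_prov.auto_provision` so the null-row case is explicit. Collapsing the `|-` block scalar into one double-quoted line of `\n` escapes also makes the SQL hard to review in place; the block-scalar form the other files in this changeset keep is preferable.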
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_12
Title: "2.12 Ensure any of the ASC Default policy setting is not set to Disabled"
Description: "None of the settings offered by ASC Default policy should be set to effect Disabled."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -43,8 +41,10 @@ Query:
sub.display_name;
PrimaryTable: azure_policy_assignment
ListOfTables:
- - azure_policy_assignment
- - azure_subscription
+ - azure_policy_assignment
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_13.yaml b/compliance/controls/azure/azure_cis_v130_2_13.yaml
index 4de7b2183..1bfd0b651 100755
--- a/compliance/controls/azure/azure_cis_v130_2_13.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_13.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_13
Title: "2.13 Ensure 'Additional email addresses' is configured with a security contact email"
Description: "Security Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -37,8 +35,10 @@ Query:
left join contact_info ci on sub.subscription_id = ci.subscription_id;
PrimaryTable: azure_security_center_contact
ListOfTables:
- - azure_security_center_contact
- - azure_subscription
+ - azure_security_center_contact
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_14.yaml b/compliance/controls/azure/azure_cis_v130_2_14.yaml
index 5ce96e715..41a9d1584 100755
--- a/compliance/controls/azure/azure_cis_v130_2_14.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_14.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_14
Title: "2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'"
Description: "Enables emailing security alerts to the subscription owner or other designated security contact."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
```
PrimaryTable: azure_subscription
ListOfTables:
- - azure_security_center_contact
- - azure_subscription
+ - azure_security_center_contact
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_15.yaml b/compliance/controls/azure/azure_cis_v130_2_15.yaml
index 32c9173a3..6c36a7b5b 100755
--- a/compliance/controls/azure/azure_cis_v130_2_15.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_15.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_15
Title: "2.15 Ensure that 'All users with the following roles' is set to 'Owner'"
Description: "Enable security alert emails to subscription owners."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
```
PrimaryTable: azure_subscription
ListOfTables:
- - azure_security_center_contact
- - azure_subscription
+ - azure_security_center_contact
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_2.yaml b/compliance/controls/azure/azure_cis_v130_2_2.yaml
index 4864907e8..e59895064 100755
--- a/compliance/controls/azure/azure_cis_v130_2_2.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_2.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_2
Title: "2.2 Ensure that Azure Defender is set to On for App Service"
Description: "Turning on Azure Defender enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
name = 'AppServices';
PrimaryTable: azure_security_center_subscription_pricing
ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_3.yaml b/compliance/controls/azure/azure_cis_v130_2_3.yaml
index da4158f87..50e00e417 100755
--- a/compliance/controls/azure/azure_cis_v130_2_3.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_3.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_3
Title: "2.3 Ensure that Azure Defender is set to On for Azure SQL database servers"
Description: "Turning on Azure Defender enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
name = 'SqlServers';
PrimaryTable: azure_security_center_subscription_pricing
ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_4.yaml b/compliance/controls/azure/azure_cis_v130_2_4.yaml
index fc259d714..dad71dda2 100755
--- a/compliance/controls/azure/azure_cis_v130_2_4.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_4.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_4
Title: "2.4 Ensure that Azure Defender is set to On for SQL servers on machines"
Description: "Turning on Azure Defender enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
name = 'SqlServerVirtualMachines';
PrimaryTable: azure_security_center_subscription_pricing
ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_5.yaml b/compliance/controls/azure/azure_cis_v130_2_5.yaml
index 6dd6ae688..74d98d739 100755
--- a/compliance/controls/azure/azure_cis_v130_2_5.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_5.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v130_2_5
Title: "2.5 Ensure that Azure Defender is set to On for Storage"
Description: "Turning on Azure Defender enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
name = 'StorageAccounts';
PrimaryTable: azure_security_center_subscription_pricing
ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_6.yaml b/compliance/controls/azure/azure_cis_v130_2_6.yaml
index f59398f03..386d383f9 100755
--- a/compliance/controls/azure/azure_cis_v130_2_6.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_2_6
 Title: "2.6 Ensure that Azure Defender is set to On for Kubernetes"
 Description: "Turning on Azure Defender enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'KubernetesService';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_7.yaml b/compliance/controls/azure/azure_cis_v130_2_7.yaml
index 860e3ef02..281bf327c 100755
--- a/compliance/controls/azure/azure_cis_v130_2_7.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_2_7
 Title: "2.7 Ensure that Azure Defender is set to On for Container Registries"
 Description: "Turning on Azure Defender enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'ContainerRegistry';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_8.yaml b/compliance/controls/azure/azure_cis_v130_2_8.yaml
index dc19e564b..a2d2721b1 100755
--- a/compliance/controls/azure/azure_cis_v130_2_8.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_2_8
 Title: "2.8 Ensure that Azure Defender is set to On for Key Vault"
 Description: "Turning on Azure Defender enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Azure Security Center."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'KeyVaults';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_2_9.yaml b/compliance/controls/azure/azure_cis_v130_2_9.yaml
index b350b3d44..68e5ce28c 100755
--- a/compliance/controls/azure/azure_cis_v130_2_9.yaml
+++ b/compliance/controls/azure/azure_cis_v130_2_9.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_2_9
 Title: "2.9 Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected"
 Description: "This setting enables Windows Defender ATP (WDATP) integration with Security Center."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'WDATP';
 PrimaryTable: azure_security_center_setting
 ListOfTables:
- - azure_security_center_setting
- - azure_subscription
+ - azure_security_center_setting
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_1.yaml b/compliance/controls/azure/azure_cis_v130_3_1.yaml
index abc6444f5..f68950fed 100755
--- a/compliance/controls/azure/azure_cis_v130_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_1
 Title: "3.1 Ensure that 'Secure transfer required' is set to 'Enabled'"
 Description: "Enable data encryption in transit."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_10.yaml b/compliance/controls/azure/azure_cis_v130_3_10.yaml
index c60b429b5..5bb96ecbe 100755
--- a/compliance/controls/azure/azure_cis_v130_3_10.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_10.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_10
 Title: "3.10 Ensure Storage logging is enabled for Blob service for read, write, and delete requests"
 Description: "The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -34,8 +32,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_11.yaml b/compliance/controls/azure/azure_cis_v130_3_11.yaml
index b190f0933..1ea71a03c 100755
--- a/compliance/controls/azure/azure_cis_v130_3_11.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_11.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_11
 Title: "3.11 Ensure Storage logging is enabled for Table service for read, write, and delete requests"
 Description: "The Storage Table storage is a service that stores structure NoSQL data in the cloud, providing a key/attribute store with a schema less design. Storage Logging happens server- side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_2.yaml b/compliance/controls/azure/azure_cis_v130_3_2.yaml
index 8938b7a39..37de0244a 100755
--- a/compliance/controls/azure/azure_cis_v130_3_2.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_2
 Title: "3.2 Ensure that storage account access keys are periodically regenerated"
 Description: "Regenerate storage account access keys periodically."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_3.yaml b/compliance/controls/azure/azure_cis_v130_3_3.yaml
index e60593d46..e3f19e1b1 100755
--- a/compliance/controls/azure/azure_cis_v130_3_3.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_3
 Title: "3.3 Ensure Storage logging is enabled for Queue service for read, write, and delete requests"
 Description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -31,8 +29,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_4.yaml b/compliance/controls/azure/azure_cis_v130_3_4.yaml
index e838300dc..ce67d8e29 100755
--- a/compliance/controls/azure/azure_cis_v130_3_4.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_4
 Title: "3.4 Ensure that shared access signature tokens expire within an hour"
 Description: "A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -19,4 +17,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_6.yaml b/compliance/controls/azure/azure_cis_v130_3_6.yaml
index 6d5cce05e..f6b281f10 100755
--- a/compliance/controls/azure/azure_cis_v130_3_6.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_6
 Title: "3.6 Ensure default network access rule for Storage Accounts is set to deny"
 Description: "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_7.yaml b/compliance/controls/azure/azure_cis_v130_3_7.yaml
index 24cf50545..674387f18 100755
--- a/compliance/controls/azure/azure_cis_v130_3_7.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_7
 Title: "3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
 Description: "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_8.yaml b/compliance/controls/azure/azure_cis_v130_3_8.yaml
index 9ff3179ea..3b2de01ab 100755
--- a/compliance/controls/azure/azure_cis_v130_3_8.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_8
 Title: "3.8 Ensure soft delete is enabled for Azure Storage"
 Description: "The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_3_9.yaml b/compliance/controls/azure/azure_cis_v130_3_9.yaml
index 5dd1661fe..3b42bb61a 100755
--- a/compliance/controls/azure/azure_cis_v130_3_9.yaml
+++ b/compliance/controls/azure/azure_cis_v130_3_9.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_3_9
 Title: "3.9 Ensure storage for critical data are encrypted with Customer Managed Key"
 Description: "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys"
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_4_1_2.yaml b/compliance/controls/azure/azure_cis_v130_4_1_2.yaml
index 38b5db2b3..dc9de91af 100755
--- a/compliance/controls/azure/azure_cis_v130_4_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v130_4_1_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_4_1_2
 Title: "4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database"
 Description: ""
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 and s.name <> 'master';
 PrimaryTable: azure_sql_database
 ListOfTables:
- - azure_sql_database
- - azure_subscription
+ - azure_sql_database
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_4_3_1.yaml b/compliance/controls/azure/azure_cis_v130_4_3_1.yaml
index 145b39bf6..d03d6128a 100755
--- a/compliance/controls/azure/azure_cis_v130_4_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v130_4_3_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_4_3_1
 Title: "4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server"
 Description: "Enable SSL connection on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_postgresql_server
 ListOfTables:
- - azure_postgresql_server
- - azure_subscription
+ - azure_postgresql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_4_3_2.yaml b/compliance/controls/azure/azure_cis_v130_4_3_2.yaml
index bbec6d079..2112a4ad2 100755
--- a/compliance/controls/azure/azure_cis_v130_4_3_2.yaml
+++ b/compliance/controls/azure/azure_cis_v130_4_3_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_4_3_2
 Title: "4.3.2 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server"
 Description: "Enable SSL connection on MYSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_mysql_server
 ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_4_3_5.yaml b/compliance/controls/azure/azure_cis_v130_4_3_5.yaml
index 5107950ac..74eb1e6fc 100755
--- a/compliance/controls/azure/azure_cis_v130_4_3_5.yaml
+++ b/compliance/controls/azure/azure_cis_v130_4_3_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_4_3_5
 Title: "4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server"
 Description: "Enable log_disconnections on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 and sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_postgresql_server
 ListOfTables:
- - azure_postgresql_server
- - azure_subscription
+ - azure_postgresql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_4_3_8.yaml b/compliance/controls/azure/azure_cis_v130_4_3_8.yaml
index efce10108..ca65388da 100755
--- a/compliance/controls/azure/azure_cis_v130_4_3_8.yaml
+++ b/compliance/controls/azure/azure_cis_v130_4_3_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_4_3_8
 Title: "4.3.8 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled"
 Description: "Disable access from Azure services to PostgreSQL Database Server."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_4_4.yaml b/compliance/controls/azure/azure_cis_v130_4_4.yaml
index c4db678a8..5d94f687d 100755
--- a/compliance/controls/azure/azure_cis_v130_4_4.yaml
+++ b/compliance/controls/azure/azure_cis_v130_4_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_4_4
 Title: "4.4 Ensure that Azure Active Directory Admin is configured"
 Description: "Use Azure Active Directory Authentication for authentication with SQL Database."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_5_1_1.yaml b/compliance/controls/azure/azure_cis_v130_5_1_1.yaml
index e772cc100..c81286656 100755
--- a/compliance/controls/azure/azure_cis_v130_5_1_1.yaml
+++ b/compliance/controls/azure/azure_cis_v130_5_1_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_5_1_1
 Title: "5.1.1 Ensure that a 'Diagnostics Setting' exists"
 Description: "Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_5_1_2.yaml b/compliance/controls/azure/azure_cis_v130_5_1_2.yaml
index a2c16727d..9e89f4f8f 100755
--- a/compliance/controls/azure/azure_cis_v130_5_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v130_5_1_2.yaml
@@ -1,60 +1,15 @@
 ID: azure_cis_v130_5_1_2
 Title: "5.1.2 Ensure Diagnostic Setting captures appropriate categories"
 Description: "Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with enabled_settings as (
- select
- name,
- id,
- _ctx,
- resource_group,
- subscription_id,
- count(*) filter (where l ->> 'enabled' = 'true'
- and l ->> 'category' in ('Administrative', 'Security', 'Alert', 'Policy')
- ) as valid_category_count,
- string_agg(l ->> 'category', ', ') filter (where l ->> 'enabled' = 'true'
- and l ->> 'category' in ('Administrative', 'Security', 'Alert', 'Policy')
- ) as valid_categories
- from
- azure_diagnostic_setting,
- jsonb_array_elements(logs) as l
- group by
- name,
- id,
- _ctx,
- resource_group,
- subscription_id
- )
- select
- sett.id as resource,
- sett.og_account_id as og_account_id,
- sett.og_resource_id as og_resource_id,
- case
- when valid_category_count = 4 then 'ok'
- else 'alarm'
- end as status,
- case
- when valid_category_count = 4
- then name || ' logs enabled for required categories administrative, security, alert and policy.'
- when valid_category_count > 0
- then sett.name || ' logs enabled for ' || valid_categories || ' categories.'
- else sett.name || ' logs not enabled for categories administrative, security, alert and policy.'
- end as reason
-
-
- from
- enabled_settings sett,
- azure_subscription sub
- where
- sub.subscription_id = sett.subscription_id;
+ QueryToExecute: "with enabled_settings as (\n select\n name,\n id,\n _ctx,\n resource_group,\n subscription_id,\n count(*) filter (where l ->> 'enabled' = 'true'\n and l ->> 'category' in ('Administrative', 'Security', 'Alert', 'Policy')\n ) as valid_category_count,\n string_agg(l ->> 'category', ', ') filter (where l ->> 'enabled' = 'true'\n and l ->> 'category' in ('Administrative', 'Security', 'Alert', 'Policy')\n ) as valid_categories\n from\n azure_diagnostic_setting,\n jsonb_array_elements(logs) as l\n group by\n name,\n id,\n _ctx,\n resource_group,\n subscription_id\n)\nselect\n sett.id as resource,\n sett.og_account_id as og_account_id,\n sett.og_resource_id as og_resource_id,\n case\n when valid_category_count = 4 then 'ok'\n else 'alarm'\n end as status,\n case\n when valid_category_count = 4\n then name || ' logs enabled for required categories administrative, security, alert and policy.'\n when valid_category_count > 0\n then sett.name || ' logs enabled for ' || valid_categories || ' categories.'\n else sett.name || ' logs not enabled for categories administrative, security, alert and policy.'\n end as reason\n \n \nfrom\n enabled_settings sett,\n azure_subscription sub\nwhere\n sub.subscription_id = sett.subscription_id;"
 PrimaryTable: azure_diagnostic_setting
 ListOfTables:
- - azure_diagnostic_setting
- - azure_subscription
+ - azure_diagnostic_setting
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_5_1_3.yaml b/compliance/controls/azure/azure_cis_v130_5_1_3.yaml
index 72cb3c5ec..3e01ded22 100755
--- a/compliance/controls/azure/azure_cis_v130_5_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v130_5_1_3.yaml
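Review bot: The `QueryToExecute` value for azure_cis_v130_5_1_2 is rewritten from a `|-` block scalar into one double-quoted string of `\n` escapes, which makes the SQL unreadable in review and in future diffs and also bakes the stray trailing-whitespace lines (`\n \n \n`) into the query text; every other control in this commit keeps the block form, so this one should stay `QueryToExecute: |-` with the SQL on indented lines. Separately, the first `then` branch of the reason expression uses an unqualified `name` while the other two branches use `sett.name`; if `azure_subscription` also exposes a `name` column the reference is ambiguous and the query errors, so it is safer to write `then sett.name || ' logs enabled for required categories administrative, security, alert and policy.'`. Both points are inferred from the hunk text; the CloudQL engine's handling of the quoted form is not visible here.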
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_5_1_3
 Title: "5.1.3 Ensure the storage container storing the activity logs is not publicly accessible"
 Description: "The storage account container containing the activity log export should not be publicly accessible."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 and sub.subscription_id = sc.subscription_id;
 PrimaryTable: azure_storage_container
 ListOfTables:
- - azure_storage_container
- - azure_subscription
+ - azure_storage_container
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_5_1_5.yaml b/compliance/controls/azure/azure_cis_v130_5_1_5.yaml
index 2d8a3cfea..6c855b2f1 100755
--- a/compliance/controls/azure/azure_cis_v130_5_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v130_5_1_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_5_1_5
 Title: "5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'"
 Description: "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -44,8 +42,10 @@ Query:
 ```
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_5_2_1.yaml b/compliance/controls/azure/azure_cis_v130_5_2_1.yaml
index cfcce52b6..5df4d7900 100755
--- a/compliance/controls/azure/azure_cis_v130_5_2_1.yaml
+++ b/compliance/controls/azure/azure_cis_v130_5_2_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_5_2_1
 Title: "5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment"
 Description: "Create an activity log alert for the Create Policy Assignment event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
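Review bot: In the second hunk of azure_cis_v130_5_1_5 the last context line inside the `QueryToExecute: |-` scalar, immediately before `PrimaryTable: azure_key_vault`, is a bare ``` line, which looks like a markdown fence that leaked into the SQL; because it sits inside the block scalar, the query string handed to the engine ends with three backticks and will not parse unless CloudQL strips it, so the Key Vault logging check would never yield a result. The commit reindents the neighbouring lines without touching it, so this is the moment to delete that line. This is inferred from the hunk context only; the rest of the query body is outside the hunk.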
@@ -46,8 +44,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_5_2_2.yaml b/compliance/controls/azure/azure_cis_v130_5_2_2.yaml
index 7c006041d..49ccbef05 100755
--- a/compliance/controls/azure/azure_cis_v130_5_2_2.yaml
+++ b/compliance/controls/azure/azure_cis_v130_5_2_2.yaml
@@ -1,54 +1,15 @@
 ID: azure_cis_v130_5_2_2
 Title: "5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment"
 Description: "Create an activity log alert for the Delete Policy Assignment event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with alert_rule as (
- select
- alert.id as alert_id,
- alert.name as alert_name,
- alert.enabled,
- alert.location,
- alert.subscription_id
- from
- azure_log_alert as alert,
- jsonb_array_elements_text(scopes) as sc
- where
- alert.location = 'global'
- and alert.enabled
- and sc = '/subscriptions/' || alert.subscription_id
- and alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]'
- limit 1
- )
- select
- sub.subscription_id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when count(a.subscription_id) > 0 then 'ok'
- else 'alarm'
- end as status,
- case
- when count(a.subscription_id) > 0 then 'Activity log alert exists for delete policy assignment event.'
- else 'Activity log alert does not exists for delete policy assignment event.'
- end as reason
-
-
- from
- azure_subscription sub
- left join alert_rule a on sub.subscription_id = a.subscription_id
- group by
- sub._ctx,
- sub.subscription_id,
- sub.display_name;
+ QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Authorization/policyAssignments/delete\"}]'\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for delete policy assignment event.'\n else 'Activity log alert does not exists for delete policy assignment event.'\n end as reason\n \n \nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub._ctx,\n sub.subscription_id,\n sub.display_name;"
 PrimaryTable: azure_subscription
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_5_2_3.yaml b/compliance/controls/azure/azure_cis_v130_5_2_3.yaml
index c0133587d..929fa6050 100755
--- a/compliance/controls/azure/azure_cis_v130_5_2_3.yaml
+++ b/compliance/controls/azure/azure_cis_v130_5_2_3.yaml
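Review bot: The `alert_rule` CTE in the new `QueryToExecute` for azure_cis_v130_5_2_2 ends with `limit 1`, so when one scan covers several subscriptions at most one matching alert row survives the CTE and every other subscription is reported `alarm` even though it has the required delete-policy-assignment alert; the outer query already tolerates multiple matches per subscription via `count(a.subscription_id) > 0`, so the `limit 1` line should simply be dropped. The same hunk also flattens the query from a `|-` block scalar into a single double-quoted string full of `\n` and `\"` escapes, unlike the other controls in this commit; keeping `QueryToExecute: |-` with the SQL on indented lines would keep it reviewable and avoid the escaped JSON literals. The `limit 1` is carried over from the removed block rather than introduced here, and whether a scan spans multiple subscriptions is inferred from the join on `azure_subscription`, not visible in the hunk.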
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_5_2_3
 Title: "5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group"
 Description: "Create an Activity Log Alert for the \\\"Create\\\" or \\\"Update Network Security Group\\\" event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -55,8 +53,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_5_2_4.yaml b/compliance/controls/azure/azure_cis_v130_5_2_4.yaml
index d525fcf65..5a4fb732f 100755
--- a/compliance/controls/azure/azure_cis_v130_5_2_4.yaml
+++ b/compliance/controls/azure/azure_cis_v130_5_2_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v130_5_2_4
 Title: "5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group"
 Description: "Create an activity log alert for the Delete Network Security Group event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_subscription
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v130_5_2_5.yaml b/compliance/controls/azure/azure_cis_v130_5_2_5.yaml
index a01840146..756f8b33e 100755
--- a/compliance/controls/azure/azure_cis_v130_5_2_5.yaml
+++ b/compliance/controls/azure/azure_cis_v130_5_2_5.yaml
@@ -1,64 +1,15 @@ ID: azure_cis_v130_5_2_5 Title: "5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule" Description: "Create an activity log alert for the Create or Update Network Security Group Rule event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/write"}]' - ) - or - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - and jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Network Security Group Rule event.' - else 'Activity log alert does not exists for create or update Network Security Group Rule event.' 
- end as reason - - - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub._ctx, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networksecuritygroups/securityrules/write\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups/securityrules\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Network Security Group Rule event.'\n else 'Activity log alert does not exists for create or update Network Security Group Rule event.'\n end as reason\n \n \nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub._ctx,\n sub.subscription_id,\n sub.display_name;" PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
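Review bot: The `limit 1` closing the `alert_rule` CTE in the new `QueryToExecute` caps the whole CTE at one arbitrary alert row across every subscription in the result set, so if this control is ever evaluated over more than one subscription at a time, at most one subscription can come back `ok` and every other subscription that does have a matching alert is reported `alarm`. The outer query already aggregates with `count(a.subscription_id) > 0`, so the CTE only needs `select distinct alert.subscription_id` in its select list with the `limit 1` line removed (the `alert_id`, `alert_name`, `enabled` and `location` columns are never referenced outside the CTE). The resource the query emits is `sub.subscription_id` from `azure_subscription`, yet `PrimaryTable` stays `azure_log_alert` while the sibling 5.2.4 control with the same query shape uses `azure_subscription`; whichever is intended, the two should agree. As a point of style, the commit flattens the `|-` block scalar into one double-quoted string with `\n` escapes and whitespace-only lines (`\n \n \n` before `from`), which makes the SQL unreviewable in future diffs; keeping `QueryToExecute: |-` with the statement on indented lines yields identical query text.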
diff --git a/compliance/controls/azure/azure_cis_v130_5_2_6.yaml b/compliance/controls/azure/azure_cis_v130_5_2_6.yaml index 46ea06bd9..ff96fb8da 100755 --- a/compliance/controls/azure/azure_cis_v130_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_5_2_6 Title: "5.2.6 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule" Description: "Create an activity log alert for the Create or Update Network Security Group Rule event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -57,8 +55,10 @@ Query: ``` PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_5_2_7.yaml b/compliance/controls/azure/azure_cis_v130_5_2_7.yaml index 048bb45d9..381a69918 100755 --- a/compliance/controls/azure/azure_cis_v130_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_5_2_7 Title: "5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution" Description: "Create an activity log alert for the Create or Update Security Solution event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -57,8 +55,10 @@ Query: ``` PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_5_2_8.yaml b/compliance/controls/azure/azure_cis_v130_5_2_8.yaml index 8245c1183..e83ab56fe 100755 --- a/compliance/controls/azure/azure_cis_v130_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_8.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v130_5_2_8 Title: "5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution" Description: "Create an activity log alert for the Delete Security Solution event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -55,8 +53,10 @@ Query: sub.display_name; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_5_2_9.yaml b/compliance/controls/azure/azure_cis_v130_5_2_9.yaml index 3d6cbf6b9..e49c4d169 100755 --- a/compliance/controls/azure/azure_cis_v130_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_2_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_5_2_9 Title: "5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule" Description: "Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -46,8 +44,10 @@ Query: sub.display_name; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_5_3.yaml b/compliance/controls/azure/azure_cis_v130_5_3.yaml index 29c28feb6..8f92670ac 100755 --- a/compliance/controls/azure/azure_cis_v130_5_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_5_3.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v130_5_3 Title: "5.3 Ensure that Diagnostic Logs are enabled for all services which support it" Description: "Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_6_1.yaml b/compliance/controls/azure/azure_cis_v130_6_1.yaml index 6b94e70ee..482cc45d9 100755 --- a/compliance/controls/azure/azure_cis_v130_6_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_6_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_6_1 Title: "6.1 Ensure that RDP access is restricted from the internet" Description: "Disable RDP access on network security groups from the Internet." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -47,8 +45,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_6_2.yaml b/compliance/controls/azure/azure_cis_v130_6_2.yaml index e48f38d44..778251926 100755 --- a/compliance/controls/azure/azure_cis_v130_6_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_6_2.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v130_6_2 Title: "6.2 Ensure that SSH access is restricted from the internet" Description: "Disable SSH access on network security groups from the Internet." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_6_3.yaml b/compliance/controls/azure/azure_cis_v130_6_3.yaml index fc1baae9d..aca647388 100755 --- a/compliance/controls/azure/azure_cis_v130_6_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_6_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_6_3 Title: "6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)" Description: "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -29,8 +27,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_6_6.yaml b/compliance/controls/azure/azure_cis_v130_6_6.yaml index f5b1aadf2..670270629 100755 --- a/compliance/controls/azure/azure_cis_v130_6_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_6_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_6_6 Title: "6.6 Ensure that UDP Services are restricted from the Internet" Description: "Disable Internet exposed UDP ports on network security groups." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -52,8 +50,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_7_1.yaml b/compliance/controls/azure/azure_cis_v130_7_1.yaml index 300a8564d..0a8144803 100755 --- a/compliance/controls/azure/azure_cis_v130_7_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_7_1 Title: "7.1 Ensure Virtual Machines are utilizing Managed Disks" Description: "Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = vm.subscription_id; PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_7_2.yaml b/compliance/controls/azure/azure_cis_v130_7_2.yaml index fa13f705d..fbb43c870 100755 --- a/compliance/controls/azure/azure_cis_v130_7_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_7_2 Title: "7.2 Ensure that 'OS and Data' disks are encrypted with CMK" Description: "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -26,8 +24,10 @@ Query: and sub.subscription_id = disk.subscription_id; PrimaryTable: azure_compute_disk ListOfTables: - - azure_compute_disk - - azure_subscription + - azure_compute_disk + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_7_3.yaml b/compliance/controls/azure/azure_cis_v130_7_3.yaml index 6e73a4614..c3718bc71 100755 --- a/compliance/controls/azure/azure_cis_v130_7_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_7_3 Title: "7.3 Ensure that 'Unattached disks' are encrypted with CMK" Description: "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,8 +24,10 @@ Query: and sub.subscription_id = disk.subscription_id; PrimaryTable: azure_compute_disk ListOfTables: - - azure_compute_disk - - azure_subscription + - azure_compute_disk + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_7_4.yaml b/compliance/controls/azure/azure_cis_v130_7_4.yaml index 02a5afed1..c652e2ebb 100755 --- a/compliance/controls/azure/azure_cis_v130_7_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_7_4 Title: "7.4 Ensure that only approved extensions are installed" Description: "Only install organization-approved extensions on VMs." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_7_5.yaml b/compliance/controls/azure/azure_cis_v130_7_5.yaml index 8dbcae195..ba197fbf5 100755 --- a/compliance/controls/azure/azure_cis_v130_7_5.yaml 
+++ b/compliance/controls/azure/azure_cis_v130_7_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_7_5 Title: "7.5 Ensure that the latest OS Patches for all Virtual Machines are applied" Description: "Ensure that the latest OS patches for all virtual machines are applied." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_7_6.yaml b/compliance/controls/azure/azure_cis_v130_7_6.yaml index be297cc8d..f6b41f4aa 100755 --- a/compliance/controls/azure/azure_cis_v130_7_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_7_6 Title: "7.6 Ensure that the endpoint protection for all Virtual Machines is installed" Description: "Install endpoint protection for all virtual machines." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_7_7.yaml b/compliance/controls/azure/azure_cis_v130_7_7.yaml index d0d0ee2b3..7e5dfecbf 100755 --- a/compliance/controls/azure/azure_cis_v130_7_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_7_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_7_7 Title: "7.7 Ensure that VHD's are encrypted" Description: "VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_8_1.yaml b/compliance/controls/azure/azure_cis_v130_8_1.yaml index 54f60bf5e..51756a7df 100755 --- a/compliance/controls/azure/azure_cis_v130_8_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_8_1.yaml 
@@ -1,37 +1,15 @@ ID: azure_cis_v130_8_1 Title: "8.1 Ensure that the expiration date is set on all keys" Description: "Ensure that all keys in Azure Key Vault have an expiration time set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - kvk.id as resource, - kvk.og_account_id as og_account_id, - kvk.og_resource_id as og_resource_id, - case - when enabled and expires_at is null then 'alarm' - else 'ok' - end as status, - vault_name || ' key ' || name || - case - when enabled and expires_at is null then ' expiration date not set.' - when not enabled then ' disabled.' - else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.' - end as reason - - - - from - azure_key_vault_key kvk, - azure_subscription sub - where - sub.subscription_id = kvk.subscription_id; + QueryToExecute: "select\n kvk.id as resource,\n kvk.og_account_id as og_account_id,\n kvk.og_resource_id as og_resource_id,\n case\n when enabled and expires_at is null then 'alarm'\n else 'ok'\n end as status,\n vault_name || ' key ' || name ||\n case\n when enabled and expires_at is null then ' expiration date not set.'\n when not enabled then ' disabled.'\n else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'\n end as reason\n \n \n \nfrom\n azure_key_vault_key kvk,\n azure_subscription sub\nwhere\n sub.subscription_id = kvk.subscription_id;" PrimaryTable: azure_key_vault_key ListOfTables: - - azure_key_vault_key - - azure_subscription + - azure_key_vault_key + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_8_2.yaml b/compliance/controls/azure/azure_cis_v130_8_2.yaml index 1602af423..722ffffce 100755 --- a/compliance/controls/azure/azure_cis_v130_8_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_8_2.yaml 
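Review bot: The new `QueryToExecute` for 8.1 replaces the `|-` block scalar with a single double-quoted line of `\n` escapes, which leaves the SQL unreadable in later diffs and also bakes in the stray whitespace-only lines (`\n \n \n \n` between `end as reason` and `from`) that the block form previously showed as harmless blank lines. A block scalar is the idiomatic YAML form for embedded SQL; restoring `QueryToExecute: |-` with the statement on indented lines and the blank lines dropped produces the same query text. Separately, the status expression marks a key `ok` whenever it is `not enabled`, regardless of `expires_at`, while the title says expiration should be set on all keys; that may be deliberate, but a comment on the `when not enabled then ' disabled.'` branch stating that disabled keys are intentionally out of scope would save the next reader from re-deriving it.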
@@ -1,8 +1,6 @@ ID: azure_cis_v130_8_2 Title: "8.2 Ensure that the expiration date is set on all Secrets" Description: "Ensure that all Secrets in the Azure Key Vault have an expiration time set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = kvs.subscription_id; PrimaryTable: azure_key_vault_secret ListOfTables: - - azure_key_vault_secret - - azure_subscription + - azure_key_vault_secret + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_8_3.yaml b/compliance/controls/azure/azure_cis_v130_8_3.yaml index 5d605afba..48f887573 100755 --- a/compliance/controls/azure/azure_cis_v130_8_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_8_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_8_3 Title: "8.3 Ensure that Resource Locks are set for mission critical Azure resources" Description: "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_8_4.yaml b/compliance/controls/azure/azure_cis_v130_8_4.yaml index c16569a44..18a729ccd 100755 --- a/compliance/controls/azure/azure_cis_v130_8_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_8_4.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v130_8_4 Title: "8.4 Ensure the key vault is recoverable" Description: "The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the \\\"Do Not Purge\\\" and \\\"Soft Delete\\\" functions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = kv.subscription_id; PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_8_5.yaml b/compliance/controls/azure/azure_cis_v130_8_5.yaml index a2e77705b..78a488332 100755 --- a/compliance/controls/azure/azure_cis_v130_8_5.yaml +++ b/compliance/controls/azure/azure_cis_v130_8_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_8_5 Title: "8.5 Enable role-based access control (RBAC) within Azure Kubernetes Services" Description: "Ensure that RBAC is enabled on all Azure Kubernetes Services Instances." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = kv.subscription_id; PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_1.yaml b/compliance/controls/azure/azure_cis_v130_9_1.yaml index 5de388b30..1f697eab9 100755 --- a/compliance/controls/azure/azure_cis_v130_9_1.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_1.yaml 
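Review bot: The 8.5 control ("Enable role-based access control (RBAC) within Azure Kubernetes Services") still queries Key Vault on the new side: `PrimaryTable: azure_key_vault`, a `ListOfTables` of `azure_key_vault` and `azure_subscription`, and the context line `sub.subscription_id = kv.subscription_id;` identical to the 8.4 key-vault recoverability control directly above it. As far as the hunk shows, this control evaluates key vaults rather than AKS clusters, so an AKS cluster with RBAC disabled would never be surfaced by it; the table list and context strongly suggest the query was copied from 8.4 and never adapted. The query body starts outside the hunk, so this is inferred rather than confirmed; the fix is to point `PrimaryTable` and `ListOfTables` at the AKS cluster table of this schema and have the query test that cluster's RBAC-enabled attribute instead of key-vault properties. The `IntegrationTypeName` addition itself is fine.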
@@ -1,8 +1,6 @@ ID: azure_cis_v130_9_1 Title: "9.1 Ensure App Service Authentication is set on Azure App Service" Description: "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_11.yaml b/compliance/controls/azure/azure_cis_v130_9_11.yaml index 073adb06e..40d73d39c 100755 --- a/compliance/controls/azure/azure_cis_v130_9_11.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_11.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_9_11 Title: "9.11 Ensure Azure Keyvaults are used to store secrets" Description: "Encryption keys, Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_2.yaml b/compliance/controls/azure/azure_cis_v130_9_2.yaml index 58b5380f3..13d17efe3 100755 
--- a/compliance/controls/azure/azure_cis_v130_9_2.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_9_2 Title: "9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" Description: "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_3.yaml b/compliance/controls/azure/azure_cis_v130_9_3.yaml index 8ba5b31cb..5213269c0 100755 --- a/compliance/controls/azure/azure_cis_v130_9_3.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_9_3 Title: "9.3 Ensure web app is using the latest version of TLS encryption" Description: "The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_4.yaml b/compliance/controls/azure/azure_cis_v130_9_4.yaml index 8a421fe11..8d1c6df36 100755 --- a/compliance/controls/azure/azure_cis_v130_9_4.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_9_4 Title: "9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'" Description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_5.yaml b/compliance/controls/azure/azure_cis_v130_9_5.yaml index ee78b470c..9153b97e8 100755 --- a/compliance/controls/azure/azure_cis_v130_9_5.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_5.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v130_9_5 Title: "9.5 Ensure that Register with Azure Active Directory is enabled on App Service" Description: "Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_6.yaml b/compliance/controls/azure/azure_cis_v130_9_6.yaml index d23e07006..f48521a39 100755 --- a/compliance/controls/azure/azure_cis_v130_9_6.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_9_6 Title: "9.6 Ensure that 'PHP version' is the latest, if used to run the web app" Description: "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_7.yaml b/compliance/controls/azure/azure_cis_v130_9_7.yaml index 88d4d084e..9992634c7 100755 --- a/compliance/controls/azure/azure_cis_v130_9_7.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_7.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v130_9_7 Title: "9.7 Ensure that 'Python version' is the latest, if used to run the web app" Description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_8.yaml b/compliance/controls/azure/azure_cis_v130_9_8.yaml index 9761756e4..c8df64156 100755 --- a/compliance/controls/azure/azure_cis_v130_9_8.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v130_9_8 Title: "9.8 Ensure that 'Java version' is the latest, if used to run the web app" Description: "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v130_9_9.yaml b/compliance/controls/azure/azure_cis_v130_9_9.yaml index ee3a4c1f9..53ccd404e 100755 --- a/compliance/controls/azure/azure_cis_v130_9_9.yaml +++ b/compliance/controls/azure/azure_cis_v130_9_9.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v130_9_9 Title: "9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app" Description: "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_1_1.yaml b/compliance/controls/azure/azure_cis_v140_1_1.yaml index 6aede4d99..ea42ec5cf 100755 --- a/compliance/controls/azure/azure_cis_v140_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_1_1 Title: "1.1 Ensure that multi-factor authentication status is enabled for all privileged users" Description: "Enable multi-factor authentication for all user credentials who have write access to Azure resources. These include roles like 'Service Co-Administrators', 'Subscription Owners', 'Contributors'." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_1_10.yaml b/compliance/controls/azure/azure_cis_v140_1_10.yaml index 61afdb995..27c66af01 100755 --- a/compliance/controls/azure/azure_cis_v140_1_10.yaml +++ b/compliance/controls/azure/azure_cis_v140_1_10.yaml 
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_10
 Title: "1.10 Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No'"
 Description: "Require administrators to provide consent for the apps before use."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_11.yaml b/compliance/controls/azure/azure_cis_v140_1_11.yaml
index fbff43fff..a55df5d87 100755
--- a/compliance/controls/azure/azure_cis_v140_1_11.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_11.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_11
 Title: "1.11 Ensure that 'Users can register applications' is set to 'No'"
 Description: "Require administrators to register third-party applications."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_12.yaml b/compliance/controls/azure/azure_cis_v140_1_12.yaml
index 8c76fbaa7..b9da209be 100755
--- a/compliance/controls/azure/azure_cis_v140_1_12.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_12.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_12
 Title: "1.12 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'"
 Description: "Limit guest user permissions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_13.yaml b/compliance/controls/azure/azure_cis_v140_1_13.yaml
index a724ce212..f3c800984 100755
--- a/compliance/controls/azure/azure_cis_v140_1_13.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_13.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_13
 Title: "1.13 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'"
 Description: "Restrict invitations to users with specific admin roles only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_14.yaml b/compliance/controls/azure/azure_cis_v140_1_14.yaml
index c6378ccd4..0196f2bbd 100755
--- a/compliance/controls/azure/azure_cis_v140_1_14.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_14.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_14
 Title: "1.14 Ensure That 'Restrict access to Azure AD administration portal' is set to 'Yes'"
 Description: "Restrict access to the Azure AD administration portal to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_15.yaml b/compliance/controls/azure/azure_cis_v140_1_15.yaml
index 6eb39e586..ab3f4d33f 100755
--- a/compliance/controls/azure/azure_cis_v140_1_15.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_15.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_15
 Title: "1.15 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'"
 Description: "Restricts group creation to administrators with permissions only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_16.yaml b/compliance/controls/azure/azure_cis_v140_1_16.yaml
index 76a8ca1e3..869561b00 100755
--- a/compliance/controls/azure/azure_cis_v140_1_16.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_16.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_16
 Title: "1.16 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'"
 Description: "Restrict security group creation to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_17.yaml b/compliance/controls/azure/azure_cis_v140_1_17.yaml
index e6cc0e3b4..7954f4aef 100755
--- a/compliance/controls/azure/azure_cis_v140_1_17.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_17.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_17
 Title: "1.17 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'"
 Description: "Restrict security group management to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_18.yaml b/compliance/controls/azure/azure_cis_v140_1_18.yaml
index f0082d736..a64ca4f3d 100755
--- a/compliance/controls/azure/azure_cis_v140_1_18.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_18.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_18
 Title: "1.18 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'"
 Description: "Restrict Microsoft 365 group creation to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_19.yaml b/compliance/controls/azure/azure_cis_v140_1_19.yaml
index 668913331..bfd1ac5c3 100755
--- a/compliance/controls/azure/azure_cis_v140_1_19.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_19.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_19
 Title: "1.19 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'"
 Description: "Joining or registering devices to the active directory should require Multi-factor authentication."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_2.yaml b/compliance/controls/azure/azure_cis_v140_1_2.yaml
index c4da64b99..13a83a7dd 100755
--- a/compliance/controls/azure/azure_cis_v140_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_2
 Title: "1.2 Ensure that multi-factor authentication status is enabled for all non- privileged users"
 Description: "Enable multi-factor authentication for all non-privileged users."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_20.yaml b/compliance/controls/azure/azure_cis_v140_1_20.yaml
index ba0d7f9a5..a7e819454 100755
--- a/compliance/controls/azure/azure_cis_v140_1_20.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_20.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_20
 Title: "1.20 Ensure that no custom subscription owner roles are created"
 Description: "Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -46,8 +44,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_role_definition
 ListOfTables:
- - azure_role_definition
- - azure_subscription
+ - azure_role_definition
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_21.yaml b/compliance/controls/azure/azure_cis_v140_1_21.yaml
index de6bfc228..c80795abf 100755
--- a/compliance/controls/azure/azure_cis_v140_1_21.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_21.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_21
 Title: "1.21 Ensure Security Defaults is enabled on Azure Active Directory"
 Description: "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_22.yaml b/compliance/controls/azure/azure_cis_v140_1_22.yaml
index 9d960e792..667fe5680 100755
--- a/compliance/controls/azure/azure_cis_v140_1_22.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_22.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_22
 Title: "1.22 Ensure Custom Role is assigned for Administering Resource Locks"
 Description: "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_3.yaml b/compliance/controls/azure/azure_cis_v140_1_3.yaml
index e1becae83..1f7055d44 100755
--- a/compliance/controls/azure/azure_cis_v140_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_3
 Title: "1.3 Ensure guest users are reviewed on a monthly basis"
 Description: "Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Guest users should be review on a monthly basis to ensure that inactive and unneeded accounts are removed."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
 u.user_type = 'Guest';
 PrimaryTable: azuread_user
 ListOfTables:
- - azure_tenant
- - azuread_user
+ - azure_tenant
+ - azuread_user
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_4.yaml b/compliance/controls/azure/azure_cis_v140_1_4.yaml
index b5c69cdf0..d82282bc3 100755
--- a/compliance/controls/azure/azure_cis_v140_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_4
 Title: "1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is enabled"
 Description: "Do not allow users to remember multi-factor authentication on devices."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_5.yaml b/compliance/controls/azure/azure_cis_v140_1_5.yaml
index 1437a38e2..199f24264 100755
--- a/compliance/controls/azure/azure_cis_v140_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_5
 Title: "1.5 Ensure that 'Number of methods required to reset' is set to '2'"
 Description: "Ensure that two alternate forms of identification are provided before allowing a password reset."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_7.yaml b/compliance/controls/azure/azure_cis_v140_1_7.yaml
index 53681a322..542b77f62 100755
--- a/compliance/controls/azure/azure_cis_v140_1_7.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_7
 Title: "1.7 Ensure that 'Notify users on password resets?' is set to 'Yes'"
 Description: "Ensure that users are notified on their primary and secondary emails on password resets."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_1_9.yaml b/compliance/controls/azure/azure_cis_v140_1_9.yaml
index 6995a61b8..52d741200 100755
--- a/compliance/controls/azure/azure_cis_v140_1_9.yaml
+++ b/compliance/controls/azure/azure_cis_v140_1_9.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_1_9
 Title: "1.9 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'"
 Description: "Require administrators to provide consent for the apps before use."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_1.yaml b/compliance/controls/azure/azure_cis_v140_2_1.yaml
index d8721e5c7..eb3538cb5 100755
--- a/compliance/controls/azure/azure_cis_v140_2_1.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_2_1
 Title: "2.1 Ensure that Microsoft Defender for Servers is set to 'On'"
 Description: "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'VirtualMachines';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_10.yaml b/compliance/controls/azure/azure_cis_v140_2_10.yaml
index b0da4753e..d9405c133 100755
--- a/compliance/controls/azure/azure_cis_v140_2_10.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_10.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_2_10
 Title: "2.10 Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is Selected"
 Description: "This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'MCAS';
 PrimaryTable: azure_security_center_setting
 ListOfTables:
- - azure_security_center_setting
- - azure_subscription
+ - azure_security_center_setting
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_11.yaml b/compliance/controls/azure/azure_cis_v140_2_11.yaml
index e3ea92a63..45e8359e9 100755
--- a/compliance/controls/azure/azure_cis_v140_2_11.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_11.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_2_11
 Title: "2.11 Ensure That Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'"
 Description: "Enable automatic provisioning of the monitoring agent to collect security data."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
 right join azure_subscription sub on sc_prov.subscription_id = sub.subscription_id;
 PrimaryTable: azure_security_center_auto_provisioning
 ListOfTables:
- - azure_security_center_auto_provisioning
- - azure_subscription
+ - azure_security_center_auto_provisioning
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_12.yaml b/compliance/controls/azure/azure_cis_v140_2_12.yaml
index 90c205af5..539067890 100755
--- a/compliance/controls/azure/azure_cis_v140_2_12.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_12.yaml
@@ -1,52 +1,15 @@
 ID: azure_cis_v140_2_12
 Title: "2.12 Ensure Any of the ASC Default Policy Setting is Not Set to 'Disabled'"
 Description: "None of the settings offered by ASC Default policy should be set to effect \\\"Disabled\\\"."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with policy_assignment_parameters as (
- select
- id,
- name,
- key,
- parameters -> key ->> 'value' as value,
- subscription_id
- from
- azure_policy_assignment,
- jsonb_object_keys(parameters) as key
- where
- name = 'SecurityCenterBuiltIn'
- )
- select
- sub.id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when count(value = 'Disabled') > 0 then 'alarm'
- else 'ok'
- end as status,
- case
- when count(value = 'Disabled') > 0 then 'Settings disabled for ' || count(*) filter (where value = 'Disabled') || ' parameters.'
- else 'Settings enabled for all the parameters.'
- end as reason
-
-
- from
- policy_assignment_parameters pol_assignment
- right join azure_subscription sub on pol_assignment.subscription_id = sub.subscription_id
- group by
- sub.id,
- pol_assignment.id,
- sub._ctx,
- sub.subscription_id,
- pol_assignment.subscription_id,
- sub.display_name;
+ QueryToExecute: "with policy_assignment_parameters as (\n select\n id,\n name,\n key,\n parameters -> key ->> 'value' as value,\n subscription_id\n from\n azure_policy_assignment,\n jsonb_object_keys(parameters) as key\n where\n name = 'SecurityCenterBuiltIn'\n)\nselect\n sub.id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(value = 'Disabled') > 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when count(value = 'Disabled') > 0 then 'Settings disabled for ' || count(*) filter (where value = 'Disabled') || ' parameters.'\n else 'Settings enabled for all the parameters.'\n end as reason\n \n \nfrom\n policy_assignment_parameters pol_assignment\n right join azure_subscription sub on 
pol_assignment.subscription_id = sub.subscription_id\ngroup by\n sub.id,\n pol_assignment.id,\n sub._ctx,\n sub.subscription_id,\n pol_assignment.subscription_id,\n sub.display_name;\n"
 PrimaryTable: azure_policy_assignment
 ListOfTables:
- - azure_policy_assignment
- - azure_subscription
+ - azure_policy_assignment
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_13.yaml b/compliance/controls/azure/azure_cis_v140_2_13.yaml
index 3e903500a..f887d144f 100755
--- a/compliance/controls/azure/azure_cis_v140_2_13.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_13.yaml
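Review bot: In the re-serialized query on the new `QueryToExecute` line, the status predicate `count(value = 'Disabled') > 0` counts every non-null boolean (PostgreSQL semantics, which the jsonb and `filter` syntax implies), so any subscription with at least one assigned parameter is reported as 'alarm' regardless of its values; only the reason branch uses the correct filtered count. Both `when` branches should read `when count(*) filter (where value = 'Disabled') > 0 then ...`. Separately, collapsing the block scalar into a double-quoted string full of `\n` escapes makes the SQL unreadable and undiffable, so keeping `QueryToExecute: |` with the original layout would be preferable; the same applies to the 2_13, 2_3 and 2_6 hunks below.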
@@ -1,46 +1,15 @@
 ID: azure_cis_v140_2_13
 Title: "2.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email"
 Description: "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with contact_info as (
- select
- jsonb_agg(email) filter (where name = 'default' and email != '') as default_email,
- count(*) filter (where name != 'default') as non_default_count,
- count(*) filter (where name = 'default') as default_count,
- subscription_id
- from
- azure_security_center_contact
- group by
- subscription_id
- limit 1
- )
- select
- sub.subscription_id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when non_default_count > 0 then 'ok'
- when default_count = 1 and jsonb_array_length(default_email) != 0 then 'ok'
- else 'alarm'
- end as status,
- case
- when non_default_count > 0 then 'Additional email addresses configured.'
- when default_count = 1 and default_email is not null then'Additional email addresses configured.'
- else 'Additional email addresses not configured.'
- end as reason
-
-
- from
- azure_subscription sub
- left join contact_info ci on sub.subscription_id = ci.subscription_id;
+ QueryToExecute: "with contact_info as (\n select\n jsonb_agg(email) filter (where name = 'default' and email != '') as default_email,\n count(*) filter (where name != 'default') as non_default_count,\n count(*) filter (where name = 'default') as default_count,\n subscription_id\n from\n azure_security_center_contact\n group by\n subscription_id\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when non_default_count > 0 then 'ok'\n when default_count = 1 and jsonb_array_length(default_email) != 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when non_default_count > 0 then 'Additional email addresses configured.'\n when default_count = 1 and default_email is not null then'Additional email addresses configured.'\n else 'Additional email addresses not configured.'\n end as reason\n \n \nfrom\n azure_subscription sub\n left join contact_info ci on sub.subscription_id = ci.subscription_id;"
 PrimaryTable: azure_security_center_contact
 ListOfTables:
- - azure_security_center_contact
- - azure_subscription
+ - azure_security_center_contact
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_14.yaml b/compliance/controls/azure/azure_cis_v140_2_14.yaml
index e0727c657..5f631f600 100755
--- a/compliance/controls/azure/azure_cis_v140_2_14.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_14.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_2_14
 Title: "2.14 Ensure that 'Notify about alerts with the following severity' is set to 'High'"
 Description: "Enables emailing security alerts to the subscription owner or other designated security contact."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
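Review bot: The `limit 1` inside the `contact_info` CTE on the new `QueryToExecute` line caps the grouped result at a single subscription, so in a tenant with several subscriptions every other subscription receives null counts from the `left join` and falls through to 'alarm' regardless of its actual security contacts. Dropping `limit 1` after `group by subscription_id` lets the per-subscription grouping do what the join expects. While the query is being re-serialized, `then'Additional email addresses configured.'` is missing the space after `then`; it is still valid SQL but worth normalizing to `then 'Additional ...'`.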
@@ -33,8 +31,10 @@ Query:
 left join contact_info ci on sub.subscription_id = ci.subscription_id;
 PrimaryTable: azure_subscription
 ListOfTables:
- - azure_security_center_contact
- - azure_subscription
+ - azure_security_center_contact
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_15.yaml b/compliance/controls/azure/azure_cis_v140_2_15.yaml
index b105bc933..51b0cb946 100755
--- a/compliance/controls/azure/azure_cis_v140_2_15.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_15.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_2_15
 Title: "2.15 Ensure that 'All users with the following roles' is set to 'Owner'"
 Description: "Enable security alert emails to subscription owners."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
 ```
 PrimaryTable: azure_subscription
 ListOfTables:
- - azure_security_center_contact
- - azure_subscription
+ - azure_security_center_contact
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_2.yaml b/compliance/controls/azure/azure_cis_v140_2_2.yaml
index 90a4bbd4f..81cfc615d 100755
--- a/compliance/controls/azure/azure_cis_v140_2_2.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_2_2
 Title: "2.2 Ensure that Microsoft Defender for App Service is set to 'On'"
 Description: "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
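Review bot: In the azure_cis_v140_2_15 section, the only context line after the `@@ -35,8 +33,10 @@` header is a line consisting of three backticks, positioned where the last line of the `QueryToExecute: |-` block scalar should be; if that is literal file content rather than a rendering artifact, it is shipped to the engine as the tail of the SQL text and the query cannot parse. It looks like a stray Markdown fence that should be deleted, and the file should be validated by loading it and executing the query. The remainder of the query body is outside this hunk, so I could not confirm whether a matching opening fence appears earlier in the file.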
@@ -25,8 +23,10 @@ Query:
 name = 'AppServices';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_3.yaml b/compliance/controls/azure/azure_cis_v140_2_3.yaml
index d94df8942..1cba20276 100755
--- a/compliance/controls/azure/azure_cis_v140_2_3.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_3.yaml
@@ -1,34 +1,15 @@
 ID: azure_cis_v140_2_3
 Title: "2.3 Ensure that Microsoft Defender for Azure SQL Databases is set to 'On'"
 Description: "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for SQL database servers.'
- else 'Azure Defender off for SQL database servers.'
- end as reason
-
-
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'SqlServers';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for SQL database servers.'\n else 'Azure Defender off for SQL database servers.'\n end as reason\n \n \nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'SqlServers';"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_4.yaml b/compliance/controls/azure/azure_cis_v140_2_4.yaml
index 2f67c0296..44973c5a5 100755
--- a/compliance/controls/azure/azure_cis_v140_2_4.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_2_4
 Title: "2.4 Ensure that Microsoft Defender for SQL servers on machines is set to 'On'"
 Description: "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -18,7 +16,7 @@ Query:
 when pricing_tier = 'Standard' then 'Azure Defender on for SQL servers on machines.'
 else 'Azure Defender off for SQL servers on machines.'
 end as reason
-
+
 from
 azure_security_center_subscription_pricing sub_pricing
 right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
@@ -26,8 +24,10 @@ Query:
 name = 'SqlServerVirtualMachines';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_5.yaml b/compliance/controls/azure/azure_cis_v140_2_5.yaml
index 69ec7dedd..3f7cf6669 100755
--- a/compliance/controls/azure/azure_cis_v140_2_5.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_2_5
 Title: "2.5 Ensure that Microsoft Defender for Storage is set to 'On'"
 Description: "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'StorageAccounts';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_2_6.yaml b/compliance/controls/azure/azure_cis_v140_2_6.yaml
index 85f36e526..943bbe4c8 100755
--- a/compliance/controls/azure/azure_cis_v140_2_6.yaml
+++ b/compliance/controls/azure/azure_cis_v140_2_6.yaml
@@ -1,34 +1,15 @@ ID: azure_cis_v140_2_6 Title: "2.6 Ensure that Microsoft Defender for Kubernetes is set to 'On'" Description: "Turning on Microsoft Defender for Kubernetes enables threat detection for Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - sub_pricing.id as resource, - sub_pricing.og_account_id as og_account_id, - sub_pricing.og_resource_id as og_resource_id, - case - when pricing_tier = 'Standard' then 'ok' - else 'alarm' - end as status, - case - when pricing_tier = 'Standard' then 'Azure Defender on for Kubernetes.' - else 'Azure Defender off for Kubernetes.' - end as reason - - - from - azure_security_center_subscription_pricing sub_pricing - right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id - where - name = 'KubernetesService'; + QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Kubernetes.'\n else 'Azure Defender off for Kubernetes.'\n end as reason\n \n \nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'KubernetesService';" PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_2_7.yaml b/compliance/controls/azure/azure_cis_v140_2_7.yaml index 5608a0d87..75725a72a 100755 
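Review bot: `QueryToExecute` in azure_cis_v140_2_6 is re-encoded from a `|-` block scalar into one double-quoted line with `\n` escapes, which makes the SQL unreadable in place and in every future diff, and is inconsistent with the sibling controls in this same commit that keep `|-`; the same rewrite is applied to azure_cis_v140_2_9 and azure_cis_v140_5_2_6, where the JSON literals in the `@>` predicates now also need `\"` escapes. Keeping `QueryToExecute: |-` with the original indented lines should yield the same string value (the `\n \n \n` in the new form is just two whitespace-only lines). Separately, `where name = 'KubernetesService'` after the `right join` filters on a column of the left table, so a subscription with no matching pricing row is dropped from the result instead of being reported as `alarm`; unless every subscription is guaranteed such a row, moving the predicate into the join, `right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id and sub_pricing.name = 'KubernetesService'`, keeps those subscriptions and their NULL `pricing_tier` then falls into the `else 'alarm'` branch. The same join/where pattern (`where name = 'WDATP'`) is in azure_cis_v140_2_9.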
--- a/compliance/controls/azure/azure_cis_v140_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_2_7 Title: "2.7 Ensure that Microsoft Defender for Container Registries is set to 'On'" Description: "Turning on Microsoft Defender for Container Registries enables threat detection for Container Registries, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'ContainerRegistry'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_2_8.yaml b/compliance/controls/azure/azure_cis_v140_2_8.yaml index 245fde944..b783bcf4a 100755 --- a/compliance/controls/azure/azure_cis_v140_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_2_8 Title: "2.8 Ensure that Microsoft Defender for Key Vault is set to 'On'" Description: "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'KeyVaults'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v140_2_9.yaml b/compliance/controls/azure/azure_cis_v140_2_9.yaml index 4b167588b..4cd3fb66e 100755 --- a/compliance/controls/azure/azure_cis_v140_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v140_2_9.yaml @@ -1,34 +1,15 @@ ID: azure_cis_v140_2_9 Title: "2.9 Ensure that Microsoft Defender for Endpoint (WDATP) integration with Microsoft Defender for Cloud is selected" Description: "This setting enables Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - sc_sett.id as resource, - sc_sett.og_account_id as og_account_id, - sc_sett.og_resource_id as og_resource_id, - case - when enabled then 'ok' - else 'alarm' - end as status, - case - when enabled then 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' - else 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' - end as reason - - - from - azure_security_center_setting sc_sett - right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id - where - name = 'WDATP'; + QueryToExecute: "select\n sc_sett.id as resource,\n sc_sett.og_account_id as og_account_id,\n sc_sett.og_resource_id as og_resource_id,\n case\n when enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when enabled then 'Microsoft Cloud App Security (MCAS) integrated with Security Center.'\n else 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.'\n end as reason\n \n \nfrom\n azure_security_center_setting sc_sett\n right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id\nwhere\n name = 'WDATP';" PrimaryTable: azure_security_center_setting ListOfTables: - - azure_security_center_setting - - azure_subscription + - azure_security_center_setting + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
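Review bot: The `reason` strings in the re-encoded azure_cis_v140_2_9 query still describe Microsoft Cloud App Security (MCAS) although the control is 2.9 Defender for Endpoint (WDATP) and the query filters `name = 'WDATP'`, so a finding for this control reads as an MCAS result. Change them to `when enabled then 'Microsoft Defender for Endpoint (WDATP) integrated with Security Center.'` and `else 'Microsoft Defender for Endpoint (WDATP) not integrated with Security Center.'`. Since the whole query is now a single `+` line, this is the moment to fix the text rather than carrying the mismatch into the new encoding.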
diff --git a/compliance/controls/azure/azure_cis_v140_3_1.yaml b/compliance/controls/azure/azure_cis_v140_3_1.yaml index de33b5de1..475713ef0 100755 --- a/compliance/controls/azure/azure_cis_v140_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_3_1 Title: "3.1 Ensure that 'Secure transfer required' is set to 'Enabled'" Description: "Enable data encryption in transit." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_10.yaml b/compliance/controls/azure/azure_cis_v140_3_10.yaml index a5de35cbd..06eaa319c 100755 --- a/compliance/controls/azure/azure_cis_v140_3_10.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_10.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_3_10 Title: "3.10 Ensure Storage logging is enabled for Blob service for 'Read', 'Write', and 'Delete' requests" Description: "The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -34,8 +32,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_11.yaml b/compliance/controls/azure/azure_cis_v140_3_11.yaml index 2ca977271..b6557d6bd 100755 --- a/compliance/controls/azure/azure_cis_v140_3_11.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_11.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_3_11 Title: "3.11 Ensure Storage logging is enabled for Table service for 'Read', 'Write', and 'Delete' requests" Description: "The Storage Table storage is a service that stores structure NoSQL data in the cloud, providing a key/attribute store with a schema less design. Storage Logging happens server- side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_12.yaml b/compliance/controls/azure/azure_cis_v140_3_12.yaml index 43e82f75d..91fc56765 100755 --- a/compliance/controls/azure/azure_cis_v140_3_12.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_12.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v140_3_12 Title: "3.12 Ensure the 'Minimum TLS version' is set to 'Version 1.2'" Description: "Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_2.yaml b/compliance/controls/azure/azure_cis_v140_3_2.yaml index 3af5e005a..022b8da57 100755 --- a/compliance/controls/azure/azure_cis_v140_3_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_3_2 Title: "3.2 Ensure that storage account access keys are periodically regenerated" Description: "Regenerate storage account access keys periodically." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_3.yaml b/compliance/controls/azure/azure_cis_v140_3_3.yaml index f3125878a..a70a34a8f 100755 --- a/compliance/controls/azure/azure_cis_v140_3_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_3.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v140_3_3 Title: "3.3 Ensure Storage logging is enabled for Queue service for 'Read', 'Write', and 'Delete' requests" Description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details , concurrency information and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -31,8 +29,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_4.yaml b/compliance/controls/azure/azure_cis_v140_3_4.yaml index 1dc0baee3..bfc220e25 100755 --- a/compliance/controls/azure/azure_cis_v140_3_4.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_4.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v140_3_4 Title: "3.4 Ensure that shared access signature tokens expire within an hour" Description: "A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. A shared access signature can be provided to clients who should not be trusted with the storage account key but for whom it may be necessary to delegate access to certain storage account resources. Providing a shared access signature URI to these clients allows them access to a resource for a specified period of time. This time should be set as low as possible and preferably no longer than an hour." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_6.yaml b/compliance/controls/azure/azure_cis_v140_3_6.yaml index fc7f0c250..50e646994 100755 --- a/compliance/controls/azure/azure_cis_v140_3_6.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_3_6 Title: "3.6 Ensure default network access rule for Storage Accounts is set to deny" Description: "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_7.yaml b/compliance/controls/azure/azure_cis_v140_3_7.yaml index c1aca8faa..f85576f7e 100755 
--- a/compliance/controls/azure/azure_cis_v140_3_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_3_7 Title: "3.7 Ensure 'Trusted Microsoft Services' is enabled for Storage Account access" Description: "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Microsoft services exception is enabled, the following services: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor and Azure SQL Data Warehouse (when registered in the subscription), are granted access to the storage account." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_8.yaml b/compliance/controls/azure/azure_cis_v140_3_8.yaml index 7d89552c2..8b6113987 100755 --- a/compliance/controls/azure/azure_cis_v140_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_8.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v140_3_8 Title: "3.8 Ensure soft delete is enabled for Azure Storage" Description: "The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_3_9.yaml b/compliance/controls/azure/azure_cis_v140_3_9.yaml index fa70406b0..f13f7c5d2 100755 --- a/compliance/controls/azure/azure_cis_v140_3_9.yaml +++ b/compliance/controls/azure/azure_cis_v140_3_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_3_9 Title: "3.9 Ensure storage for critical data are encrypted with Customer Managed Key" Description: "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_4_1_2.yaml b/compliance/controls/azure/azure_cis_v140_4_1_2.yaml index f0e2d491e..065061f42 100755 --- a/compliance/controls/azure/azure_cis_v140_4_1_2.yaml 
+++ b/compliance/controls/azure/azure_cis_v140_4_1_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_4_1_2 Title: "4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database" Description: "" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,8 +24,10 @@ Query: and s.name <> 'master'; PrimaryTable: azure_sql_database ListOfTables: - - azure_sql_database - - azure_subscription + - azure_sql_database + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_4_3_1.yaml b/compliance/controls/azure/azure_cis_v140_4_3_1.yaml index 160fdaec9..3784212f5 100755 --- a/compliance/controls/azure/azure_cis_v140_4_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_3_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_4_3_1 Title: "4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server" Description: "Enable SSL connection on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_4_3_7.yaml b/compliance/controls/azure/azure_cis_v140_4_3_7.yaml index 4ba1af4b9..04657f85b 100755 --- a/compliance/controls/azure/azure_cis_v140_4_3_7.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_3_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_4_3_7 Title: "4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled" Description: "Disable access from Azure services to PostgreSQL Database Server." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_4_3_8.yaml b/compliance/controls/azure/azure_cis_v140_4_3_8.yaml index 8696a7772..e03fa47a4 100755 --- a/compliance/controls/azure/azure_cis_v140_4_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_3_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_4_3_8 Title: "4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'" Description: "Enable encryption at rest for PostgreSQL Databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_4_4_1.yaml b/compliance/controls/azure/azure_cis_v140_4_4_1.yaml index ae048fbf8..d98dd1dfc 100755 --- a/compliance/controls/azure/azure_cis_v140_4_4_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_4_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_4_4_1 Title: "4.4.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server" Description: "Enable SSL connection on MYSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_mysql_server ListOfTables: - - azure_mysql_server - - azure_subscription + - azure_mysql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_4_4_2.yaml b/compliance/controls/azure/azure_cis_v140_4_4_2.yaml index 40d73a031..4f4d233f0 100755 
--- a/compliance/controls/azure/azure_cis_v140_4_4_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_4_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_4_4_2 Title: "4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server" Description: "Ensure TLS version on MySQL flexible servers is set to the default value." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_mysql_server ListOfTables: - - azure_mysql_server - - azure_subscription + - azure_mysql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_4_5.yaml b/compliance/controls/azure/azure_cis_v140_4_5.yaml index 67d70ae30..8d13d1920 100755 --- a/compliance/controls/azure/azure_cis_v140_4_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_4_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_4_5 Title: "4.5 Ensure that Azure Active Directory Admin is configured" Description: "Use Azure Active Directory Authentication for authentication with SQL Database." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_5_1_1.yaml b/compliance/controls/azure/azure_cis_v140_5_1_1.yaml index d1bf7efe2..9d021d978 100755 --- a/compliance/controls/azure/azure_cis_v140_5_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_1_1.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v140_5_1_1 Title: "5.1.1 Ensure that a 'Diagnostics Setting' exists" Description: "Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_5_1_2.yaml b/compliance/controls/azure/azure_cis_v140_5_1_2.yaml index 44475af28..9d568b4ae 100755 --- a/compliance/controls/azure/azure_cis_v140_5_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_1_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_5_1_2 Title: "5.1.2 Ensure Diagnostic Setting captures appropriate categories" Description: "Enable Diagnostic settings for exporting activity logs. Diagnostic setting are available for each individual resources within a subscription. Settings should be configured for all appropriate resources for your environment." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -51,8 +49,10 @@ Query: sub.subscription_id = sett.subscription_id; PrimaryTable: azure_diagnostic_setting ListOfTables: - - azure_diagnostic_setting - - azure_subscription + - azure_diagnostic_setting + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_5_1_3.yaml b/compliance/controls/azure/azure_cis_v140_5_1_3.yaml index b764622db..4e6aeb709 100755 --- a/compliance/controls/azure/azure_cis_v140_5_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_1_3.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v140_5_1_3 Title: "5.1.3 Ensure the storage container storing the activity logs is not publicly accessible" Description: "The storage account container containing the activity log export should not be publicly accessible." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: and sub.subscription_id = sc.subscription_id; PrimaryTable: azure_storage_container ListOfTables: - - azure_storage_container - - azure_subscription + - azure_storage_container + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_5_1_5.yaml b/compliance/controls/azure/azure_cis_v140_5_1_5.yaml index 8c6862f35..b940d048c 100755 --- a/compliance/controls/azure/azure_cis_v140_5_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_1_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_5_1_5 Title: "5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'" Description: "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -42,8 +40,10 @@ Query: sub.subscription_id = v.subscription_id; PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_5_2_1.yaml b/compliance/controls/azure/azure_cis_v140_5_2_1.yaml index 94c829585..7b08447de 100755 --- a/compliance/controls/azure/azure_cis_v140_5_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_1.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v140_5_2_1 Title: "5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment" Description: "Create an activity log alert for the Create Policy Assignment event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -46,8 +44,10 @@ Query: sub.display_name; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_5_2_2.yaml b/compliance/controls/azure/azure_cis_v140_5_2_2.yaml index 2ce0a42c8..7bb1d91f4 100755 --- a/compliance/controls/azure/azure_cis_v140_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_5_2_2 Title: "5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment" Description: "Create an activity log alert for the Delete Policy Assignment event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -45,8 +43,10 @@ Query: sub.display_name; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_5_2_3.yaml b/compliance/controls/azure/azure_cis_v140_5_2_3.yaml index f52b5a3a2..e6e75056e 100755 --- a/compliance/controls/azure/azure_cis_v140_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_5_2_3 Title: "5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group" Description: "Create an Activity Log Alert for the \\\"Create\\\" or \\\"Update Network Security Group\\\" event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
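Review bot: The `Description` of azure_cis_v140_5_2_3 is over-escaped: inside a YAML double-quoted scalar `\\\"` decodes to a literal backslash followed by a quote, so the stored text reads `\"Create\" or \"Update Network Security Group\"` with the backslashes visible to users. Use `\"Create\"` alone (or single quotes around the words) for plain quotation marks. The line is unchanged context in this hunk, but it is the new-side text of the file.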
@@ -57,8 +55,10 @@ Query: ``` PrimaryTable: azure_subscription ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_5_2_4.yaml b/compliance/controls/azure/azure_cis_v140_5_2_4.yaml index f742fe5e5..44d3fd0aa 100755 --- a/compliance/controls/azure/azure_cis_v140_5_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_5_2_4 Title: "5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group" Description: "Create an activity log alert for the Delete Network Security Group event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -58,8 +56,10 @@ Query: ``` PrimaryTable: azure_subscription ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v140_5_2_5.yaml b/compliance/controls/azure/azure_cis_v140_5_2_5.yaml index 9e2397825..f7b88fa6f 100755 --- a/compliance/controls/azure/azure_cis_v140_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v140_5_2_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_5_2_5 Title: "5.2.5 Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule" Description: "Create an activity log alert for the Create or Update Network Security Group Rule event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -55,8 +53,10 @@ Query: sub.display_name; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
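Review bot: The context line immediately before `PrimaryTable` in azure_cis_v140_5_2_3 (and likewise in azure_cis_v140_5_2_4) is a bare line of three backticks; at that position it appears to be the last line of the `QueryToExecute` block scalar, which would mean a markdown fence is sent to the query engine as part of the SQL and the control fails with a syntax error instead of evaluating. Please check the start of the scalar, outside this hunk, for a matching opening fence and remove both. These two files also declare `PrimaryTable: azure_subscription` while the neighbouring 5.2.x controls use `azure_log_alert`; worth confirming which is intended. The query body starts outside this hunk.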
diff --git a/compliance/controls/azure/azure_cis_v140_5_2_6.yaml b/compliance/controls/azure/azure_cis_v140_5_2_6.yaml
index 3f1aa8d52..96110f273 100755
--- a/compliance/controls/azure/azure_cis_v140_5_2_6.yaml
+++ b/compliance/controls/azure/azure_cis_v140_5_2_6.yaml
@@ -1,64 +1,15 @@
 ID: azure_cis_v140_5_2_6
 Title: "5.2.6 Ensure that Activity Log Alert exists for Delete Network Security Group Rule"
 Description: "Create an activity log alert for the Delete Network Security Group Rule event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with alert_rule as (
- select
- alert.id as alert_id,
- alert.name as alert_name,
- alert.enabled,
- alert.location,
- alert.subscription_id
- from
- azure_log_alert as alert,
- jsonb_array_elements_text(scopes) as sc
- where
- alert.location = 'global'
- and alert.enabled
- and sc = '/subscriptions/' || alert.subscription_id
- and (
- (
- alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/delete"}]'
- )
- or
- (
- alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]'
- and jsonb_array_length(alert.condition -> 'allOf') = 2
- )
- )
- limit 1
- )
- select
- sub.subscription_id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when count(a.subscription_id) > 0 then 'ok'
- else 'alarm'
- end as status,
- case
- when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Network Security Group Rule event.'
- else 'Activity log alert does not exists for delete Network Security Group Rule event.'
- end as reason
-
-
- from
- azure_subscription sub
- left join alert_rule a on sub.subscription_id = a.subscription_id
- group by
- sub._ctx,
- sub.subscription_id,
- sub.display_name;
+ QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networksecuritygroups/securityrules/delete\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups/securityrules\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Network Security Group Rule event.'\n else 'Activity log alert does not exists for delete Network Security Group Rule event.'\n end as reason\n \n \nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub._ctx,\n sub.subscription_id,\n sub.display_name;"
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
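Review bot: The new `QueryToExecute` line replaces the `|-` block scalar with one double-quoted string full of `\n` and `\"` escapes, which makes the SQL unreadable in review and invites escaping mistakes on the next edit; the same conversion appears in azure_cis_v140_5_2_7 and azure_cis_v140_8_4, while every other file in this diff keeps `QueryToExecute: |-`. The quoted form also freezes the whitespace-only lines between `end as reason` and `from` (`\n \n \n`) into the value. I would keep `QueryToExecute: |-` followed by the indented SQL, which yields the same string value as the quoted form. While touching the line, the reason text `'Activity log alert does not exists for ...'` should read `does not exist`.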
diff --git a/compliance/controls/azure/azure_cis_v140_5_2_7.yaml b/compliance/controls/azure/azure_cis_v140_5_2_7.yaml
index 1bf7d7d2b..e9e67f5dd 100755
--- a/compliance/controls/azure/azure_cis_v140_5_2_7.yaml
+++ b/compliance/controls/azure/azure_cis_v140_5_2_7.yaml
@@ -1,64 +1,15 @@
 ID: azure_cis_v140_5_2_7
 Title: "5.2.7 Ensure that Activity Log Alert exists for Create or Update Security Solution"
 Description: "Create an activity log alert for the Create or Update Security Solution event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with alert_rule as (
- select
- alert.id as alert_id,
- alert.name as alert_name,
- alert.enabled,
- alert.location,
- alert.subscription_id
- from
- azure_log_alert as alert,
- jsonb_array_elements_text(scopes) as sc
- where
- alert.location = 'global'
- and alert.enabled
- and sc = '/subscriptions/' || alert.subscription_id
- and (
- (
- alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]'
- )
- or
- (
- alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]'
- and jsonb_array_length(alert.condition -> 'allOf') = 2
- )
- )
- limit 1
- )
- select
- sub.subscription_id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when count(a.subscription_id) > 0 then 'ok'
- else 'alarm'
- end as status,
- case
- when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Security Solution event.'
- else 'Activity log alert does not exists for create or update Security Solution event.'
- end as reason
-
-
- from
- azure_subscription sub
- left join alert_rule a on sub.subscription_id = a.subscription_id
- group by
- sub._ctx,
- sub.subscription_id,
- sub.display_name;
+ QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Security\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Security/securitySolutions/write\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Security\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.security/securitysolutions\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Security Solution event.'\n else 'Activity log alert does not exists for create or update Security Solution event.'\n end as reason\n \n \nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub._ctx,\n sub.subscription_id,\n sub.display_name;"
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_5_2_8.yaml b/compliance/controls/azure/azure_cis_v140_5_2_8.yaml
index 39aff9369..7ae35acf9 100755
--- a/compliance/controls/azure/azure_cis_v140_5_2_8.yaml
+++ b/compliance/controls/azure/azure_cis_v140_5_2_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_5_2_8
 Title: "5.2.8 Ensure that Activity Log Alert exists for Delete Security Solution"
 Description: "Create an activity log alert for the Delete Security Solution event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -55,8 +53,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_subscription
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_5_2_9.yaml b/compliance/controls/azure/azure_cis_v140_5_2_9.yaml
index 7b7291385..afb5ce2bd 100755
--- a/compliance/controls/azure/azure_cis_v140_5_2_9.yaml
+++ b/compliance/controls/azure/azure_cis_v140_5_2_9.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_5_2_9
 Title: "5.2.9 Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule"
 Description: "Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -46,8 +44,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_5_3.yaml b/compliance/controls/azure/azure_cis_v140_5_3.yaml
index 7d81654ea..097f9151c 100755
--- a/compliance/controls/azure/azure_cis_v140_5_3.yaml
+++ b/compliance/controls/azure/azure_cis_v140_5_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_5_3
 Title: "5.3 Ensure that Diagnostic Logs are enabled for all services which support it"
 Description: "Diagnostic Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself. It is crucial that logging systems are correctly configured to log all relevant activities and retain those logs for a sufficient length of time."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_6_1.yaml b/compliance/controls/azure/azure_cis_v140_6_1.yaml
index 0a72f5a5b..1c88340f8 100755
--- a/compliance/controls/azure/azure_cis_v140_6_1.yaml
+++ b/compliance/controls/azure/azure_cis_v140_6_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_6_1
 Title: "6.1 Ensure that RDP access is restricted from the internet"
 Description: "Disable RDP access on network security groups from the Internet."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -47,8 +45,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_6_2.yaml b/compliance/controls/azure/azure_cis_v140_6_2.yaml
index f7b7895fc..2e581ca7d 100755
--- a/compliance/controls/azure/azure_cis_v140_6_2.yaml
+++ b/compliance/controls/azure/azure_cis_v140_6_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_6_2
 Title: "6.2 Ensure that SSH access is restricted from the internet"
 Description: "Disable SSH access on network security groups from the Internet."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -47,8 +45,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_6_3.yaml b/compliance/controls/azure/azure_cis_v140_6_3.yaml
index ac343b1b8..8a9c689d0 100755
--- a/compliance/controls/azure/azure_cis_v140_6_3.yaml
+++ b/compliance/controls/azure/azure_cis_v140_6_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_6_3
 Title: "6.3 Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)"
 Description: "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -29,8 +27,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_6_6.yaml b/compliance/controls/azure/azure_cis_v140_6_6.yaml
index a929f9420..53b23e381 100755
--- a/compliance/controls/azure/azure_cis_v140_6_6.yaml
+++ b/compliance/controls/azure/azure_cis_v140_6_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_6_6
 Title: "6.6 Ensure that UDP Services are restricted from the Internet"
 Description: "Disable Internet exposed UDP ports on network security groups."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -52,8 +50,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_7_1.yaml b/compliance/controls/azure/azure_cis_v140_7_1.yaml
index 9ca28146c..4642a6e01 100755
--- a/compliance/controls/azure/azure_cis_v140_7_1.yaml
+++ b/compliance/controls/azure/azure_cis_v140_7_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_7_1
 Title: "7.1 Ensure Virtual Machines are utilizing Managed Disks"
 Description: "Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = vm.subscription_id;
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_7_2.yaml b/compliance/controls/azure/azure_cis_v140_7_2.yaml
index 4ad0b7845..e700ad273 100755
--- a/compliance/controls/azure/azure_cis_v140_7_2.yaml
+++ b/compliance/controls/azure/azure_cis_v140_7_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_7_2
 Title: "7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)"
 Description: "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 and sub.subscription_id = disk.subscription_id;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_7_3.yaml b/compliance/controls/azure/azure_cis_v140_7_3.yaml
index b90d819de..6d53d8915 100755
--- a/compliance/controls/azure/azure_cis_v140_7_3.yaml
+++ b/compliance/controls/azure/azure_cis_v140_7_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_7_3
 Title: "7.3 Ensure that 'Unattached disks' are encrypted with CMK"
 Description: "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 and sub.subscription_id = disk.subscription_id;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_7_4.yaml b/compliance/controls/azure/azure_cis_v140_7_4.yaml
index 83572e6c3..eb323939c 100755
--- a/compliance/controls/azure/azure_cis_v140_7_4.yaml
+++ b/compliance/controls/azure/azure_cis_v140_7_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_7_4
 Title: "7.4 Ensure that only approved extensions are installed"
 Description: "For added security only install organization-approved extensions on VMs."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_7_5.yaml b/compliance/controls/azure/azure_cis_v140_7_5.yaml
index dfd703faf..b5e32e6be 100755
--- a/compliance/controls/azure/azure_cis_v140_7_5.yaml
+++ b/compliance/controls/azure/azure_cis_v140_7_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_7_5
 Title: "7.5 Ensure that the latest OS Patches for all Virtual Machines are applied"
 Description: "Ensure that the latest OS patches for all virtual machines are applied."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_7_6.yaml b/compliance/controls/azure/azure_cis_v140_7_6.yaml
index 4491147ae..eaefd4d4c 100755
--- a/compliance/controls/azure/azure_cis_v140_7_6.yaml
+++ b/compliance/controls/azure/azure_cis_v140_7_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_7_6
 Title: "7.6 Ensure that the endpoint protection for all Virtual Machines is installed"
 Description: "Install endpoint protection for all virtual machines."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_7_7.yaml b/compliance/controls/azure/azure_cis_v140_7_7.yaml
index c68de01e2..74f467973 100755
--- a/compliance/controls/azure/azure_cis_v140_7_7.yaml
+++ b/compliance/controls/azure/azure_cis_v140_7_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_7_7
 Title: "7.7 Ensure that VHD's are encrypted"
 Description: "VHD (Virtual Hard Disks) are stored in BLOB storage and are the old style disks that were attached to Virtual Machines, and the BLOB VHD was then leased to the VM. By Default storage accounts are not encrypted, and Azure Defender(Security Centre) would then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK and this should be turned on for storage accounts containing VHD's."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_8_1.yaml b/compliance/controls/azure/azure_cis_v140_8_1.yaml
index b4de2989b..5c71a4445 100755
--- a/compliance/controls/azure/azure_cis_v140_8_1.yaml
+++ b/compliance/controls/azure/azure_cis_v140_8_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_8_1
 Title: "8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults"
 Description: "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,9 +35,11 @@ Query:
 sub.subscription_id = kvk.subscription_id;
 PrimaryTable: azure_key_vault_key
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_key
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_key
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_8_2.yaml b/compliance/controls/azure/azure_cis_v140_8_2.yaml
index 6b0aaa9f0..f1eb46dba 100755
--- a/compliance/controls/azure/azure_cis_v140_8_2.yaml
+++ b/compliance/controls/azure/azure_cis_v140_8_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_8_2
 Title: "8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults"
 Description: "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,9 +35,11 @@ Query:
 sub.subscription_id = kvk.subscription_id;
 PrimaryTable: azure_key_vault_key
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_key
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_key
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_8_3.yaml b/compliance/controls/azure/azure_cis_v140_8_3.yaml
index 171e67d8b..30ee01962 100755
--- a/compliance/controls/azure/azure_cis_v140_8_3.yaml
+++ b/compliance/controls/azure/azure_cis_v140_8_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_8_3
 Title: "8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults"
 Description: "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set"
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,9 +35,11 @@ Query:
 sub.subscription_id = kvs.subscription_id;
 PrimaryTable: azure_key_vault_secret
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_secret
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_secret
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_8_4.yaml b/compliance/controls/azure/azure_cis_v140_8_4.yaml
index 29064a157..1b94598cc 100755
--- a/compliance/controls/azure/azure_cis_v140_8_4.yaml
+++ b/compliance/controls/azure/azure_cis_v140_8_4.yaml
@@ -1,48 +1,16 @@
 ID: azure_cis_v140_8_4
 Title: "8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults"
 Description: "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with non_rbac_vault as (
- select
- name
- from
- azure_key_vault
- where not enable_rbac_authorization
- )
- select
- kvs.id as resource,
- kvs.og_account_id as og_account_id,
- kvs.og_resource_id as og_resource_id,
- case
- when v.name is null then 'skip'
- when enabled and expires_at is null then 'alarm'
- else 'ok'
- end as status,
- vault_name || ' key ' || kvs.name ||
- case
- when v.name is null then ' RBAC enabled vault.'
- when enabled and expires_at is null then ' expiration date not set.'
- when not enabled then ' disabled.'
- else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'
- end as reason
-
-
-
- from
- azure_key_vault_secret kvs
- left join non_rbac_vault as v on v.name = kvs.vault_name,
- azure_subscription sub
- where
- sub.subscription_id = kvs.subscription_id;
+ QueryToExecute: "with non_rbac_vault as (\n select\n name\n from\n azure_key_vault\n where not enable_rbac_authorization\n)\nselect\n kvs.id as resource,\n kvs.og_account_id as og_account_id,\n kvs.og_resource_id as og_resource_id,\n case\n when v.name is null then 'skip'\n when enabled and expires_at is null then 'alarm'\n else 'ok'\n end as status,\n vault_name || ' key ' || kvs.name ||\n case\n when v.name is null then ' RBAC enabled vault.'\n when enabled and expires_at is null then ' expiration date not set.'\n when not enabled then ' disabled.'\n else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'\n end as reason\n \n \n \nfrom\n azure_key_vault_secret kvs\n left join non_rbac_vault as v on v.name = kvs.vault_name,\n azure_subscription sub\nwhere\n sub.subscription_id = kvs.subscription_id;\n"
 PrimaryTable: azure_key_vault_secret
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_secret
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_secret
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_8_5.yaml b/compliance/controls/azure/azure_cis_v140_8_5.yaml
index 1dd7fe67e..5be1ee4db 100755
--- a/compliance/controls/azure/azure_cis_v140_8_5.yaml
+++ b/compliance/controls/azure/azure_cis_v140_8_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_8_5
 Title: "8.5 Ensure that Resource Locks are set for mission critical Azure resources"
 Description: "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_8_6.yaml b/compliance/controls/azure/azure_cis_v140_8_6.yaml
index 54f1dcb20..399944129 100755
--- a/compliance/controls/azure/azure_cis_v140_8_6.yaml
+++ b/compliance/controls/azure/azure_cis_v140_8_6.yaml
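Review bot: The reason expression inside the new `QueryToExecute` value of azure_cis_v140_8_4, `vault_name || ' key ' || kvs.name ||`, labels the object as a key although this control evaluates `azure_key_vault_secret` rows, so a finding reads "<vault> key <name> expiration date not set." for a secret. Change it to `vault_name || ' secret ' || kvs.name ||`. The wording looks carried over from the 8.2 key control rather than introduced here, but the commit rewrites this line, so it is the place to fix it.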
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_8_6
 Title: "8.6 Ensure the key vault is recoverable"
 Description: "The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the \\\"Do Not Purge\\\" and \\\"Soft Delete\\\" functions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 sub.subscription_id = kv.subscription_id;
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_8_7.yaml b/compliance/controls/azure/azure_cis_v140_8_7.yaml
index e3ec58011..e57ad825d 100755
--- a/compliance/controls/azure/azure_cis_v140_8_7.yaml
+++ b/compliance/controls/azure/azure_cis_v140_8_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_8_7
 Title: "8.7 Enable role-based access control (RBAC) within Azure Kubernetes Services"
 Description: "Ensure that RBAC is enabled on all Azure Kubernetes Services Instances."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 sub.subscription_id = kv.subscription_id;
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_1.yaml b/compliance/controls/azure/azure_cis_v140_9_1.yaml
index f7628894f..6c88e54da 100755
--- a/compliance/controls/azure/azure_cis_v140_9_1.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_1.yaml
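Review bot: The `Description` context line of azure_cis_v140_8_6 writes the feature names as `\\\"Do Not Purge\\\"` and `\\\"Soft Delete\\\"`; inside a YAML double-quoted scalar `\\` yields a backslash and `\"` a quote, so the loaded text contains literal backslashes (`\"Do Not Purge\"`) unless the consumer strips them. Since this hunk already rewrites the file head, the intended escapes are `\"Do Not Purge\"` and `\"Soft Delete\"` with a single backslash each.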
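Review bot: The second hunk of azure_cis_v140_8_7 keeps `PrimaryTable: azure_key_vault` and re-indents `ListOfTables` entries `azure_key_vault` and `azure_subscription` for a control titled "Enable role-based access control (RBAC) within Azure Kubernetes Services". The hunk offsets and the trailing `sub.subscription_id = kv.subscription_id;` are identical to azure_cis_v140_8_6, so the query body appears to be a copy of the key-vault recoverability check rather than an AKS check; if so, this control reports key-vault results under an AKS title and silently never evaluates cluster RBAC. The tables should name the AKS resource table and the query should test the cluster's RBAC setting; the query body itself lies outside this hunk.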
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_1
 Title: "9.1 Ensure App Service Authentication is set up for apps in Azure App Service"
 Description: "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_11.yaml b/compliance/controls/azure/azure_cis_v140_9_11.yaml
index 2a1438e02..5bab62b87 100755
--- a/compliance/controls/azure/azure_cis_v140_9_11.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_11.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_11
 Title: "9.11 Ensure Azure Keyvaults are used to store secrets"
 Description: "Encryption keys, Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_2.yaml b/compliance/controls/azure/azure_cis_v140_9_2.yaml
index 20d294e9b..c7af9f875 100755
--- a/compliance/controls/azure/azure_cis_v140_9_2.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_2
 Title: "9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service"
 Description: "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_3.yaml b/compliance/controls/azure/azure_cis_v140_9_3.yaml
index b8876d1de..47d8c491c 100755
--- a/compliance/controls/azure/azure_cis_v140_9_3.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_3
 Title: "9.3 Ensure web app is using the latest version of TLS encryption"
 Description: "The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_4.yaml b/compliance/controls/azure/azure_cis_v140_9_4.yaml
index 9331ae6c4..a122de338 100755
--- a/compliance/controls/azure/azure_cis_v140_9_4.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_4
 Title: "9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'"
 Description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_5.yaml b/compliance/controls/azure/azure_cis_v140_9_5.yaml
index 78c948cac..bc09f90b6 100755
--- a/compliance/controls/azure/azure_cis_v140_9_5.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_5
 Title: "9.5 Ensure that Register with Azure Active Directory is enabled on App Service"
 Description: "Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_6.yaml b/compliance/controls/azure/azure_cis_v140_9_6.yaml
index a6c3f9edd..e82021dcf 100755
--- a/compliance/controls/azure/azure_cis_v140_9_6.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_6
 Title: "9.6 Ensure that 'PHP version' is the latest, if used to run the web app"
 Description: "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_7.yaml b/compliance/controls/azure/azure_cis_v140_9_7.yaml
index b67c77358..dc431aa46 100755
--- a/compliance/controls/azure/azure_cis_v140_9_7.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_7
 Title: "9.7 Ensure that 'Python version' is the latest, if used to run the web app"
 Description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_8.yaml b/compliance/controls/azure/azure_cis_v140_9_8.yaml
index e193b90de..75b21f1d9 100755
--- a/compliance/controls/azure/azure_cis_v140_9_8.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_8
 Title: "9.8 Ensure that 'Java version' is the latest, if used to run the web app"
 Description: "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v140_9_9.yaml b/compliance/controls/azure/azure_cis_v140_9_9.yaml
index c3b9db374..1f98a618e 100755
--- a/compliance/controls/azure/azure_cis_v140_9_9.yaml
+++ b/compliance/controls/azure/azure_cis_v140_9_9.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v140_9_9
 Title: "9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app"
 Description: "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_10_1.yaml b/compliance/controls/azure/azure_cis_v150_10_1.yaml
index ad23ccd48..ea716458f 100755
--- a/compliance/controls/azure/azure_cis_v150_10_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_10_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_10_1
 Title: "10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources"
 Description: "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users. These locks are very useful when there is an important resource in a subscription that users should not be able to delete or change. Locks can help prevent accidental and malicious changes or deletion."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_10.yaml b/compliance/controls/azure/azure_cis_v150_1_10.yaml
index 2c2222cda..c04bcca40 100755
--- a/compliance/controls/azure/azure_cis_v150_1_10.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_10.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_10
 Title: "1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'"
 Description: "Ensure that all administrators are notified if any other administrator resets their password."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_11.yaml b/compliance/controls/azure/azure_cis_v150_1_11.yaml
index 6f31a7150..7e2b5bcb9 100755
--- a/compliance/controls/azure/azure_cis_v150_1_11.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_11.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_11
 Title: "1.11 Ensure That ‘Users Can Consent to Apps Accessing Company Data on Their Behalf’ Is Set To ‘Allow for Verified Publishers’"
 Description: "Allow users to provide consent for selected permissions when a request is coming from a verified publisher."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_12.yaml b/compliance/controls/azure/azure_cis_v150_1_12.yaml
index 5a34323e7..cb1b74194 100755
--- a/compliance/controls/azure/azure_cis_v150_1_12.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_12.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_12
 Title: "1.12 Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No'"
 Description: "Require administrators to provide consent for the apps before use."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_14.yaml b/compliance/controls/azure/azure_cis_v150_1_14.yaml
index 55d4e423c..c92b386c2 100755
--- a/compliance/controls/azure/azure_cis_v150_1_14.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_14.yaml
@@ -1,40 +1,15 @@
 ID: azure_cis_v150_1_14
 Title: "1.14 Ensure That ‘Users Can Register Applications’ Is Set to ‘No’"
 Description: "Require administrators or appropriately delegated users to register third-party applications."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with distinct_tenant as (
- select
- distinct tenant_id,
- subscription_id,
- _ctx
- from
- azure_tenant
- )
- select
- a.id as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then 'ok'
- else 'alarm'
- end as status,
- case
- when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then a.display_name || ' does not allow user to register applications.'
- else a.display_name || ' allows user to register applications.'
- end as reason,
- t.tenant_id
-
- from
- distinct_tenant as t,
- azuread_authorization_policy as a;
+ QueryToExecute: "with distinct_tenant as (\n select\n distinct tenant_id,\n subscription_id,\n _ctx\n from\n azure_tenant\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then a.display_name || ' does not allow user to register applications.'\n else a.display_name || ' allows user to register applications.'\n end as reason,\n t.tenant_id\n \nfrom\n distinct_tenant as t,\n azuread_authorization_policy as a;"
 PrimaryTable: azuread_authorization_policy
 ListOfTables:
- - azure_tenant
- - azuread_authorization_policy
+ - azure_tenant
+ - azuread_authorization_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
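Review bot: The new `+  QueryToExecute: "with distinct_tenant as (\n select\n ..."` line replaces the `|-` block scalar with one double-quoted string full of `\n` escapes, which makes the SQL unreadable in review and in future diffs and forces escaping of every `"` inside the query (the same conversion in azure_cis_v150_1_2_6 on L1637 already needs `'[\"mfa\"]'`; azure_cis_v150_1_4 on L1639–L1640 is converted the same way). Sibling controls touched by this same diff, e.g. azure_cis_v150_1_19 and azure_cis_v150_1_23, keep `QueryToExecute: |-`, so the three converted files are now the odd ones out in the set. I'd keep `QueryToExecute: |-` with the SQL on the indented lines exactly as the removed side had them. The `\n \n` before `from` in the quoted form suggests a whitespace-only line was carried over as content; that is harmless to the SQL, but it is the kind of trailing whitespace a block scalar makes visible and a quoted scalar hides.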
diff --git a/compliance/controls/azure/azure_cis_v150_1_15.yaml b/compliance/controls/azure/azure_cis_v150_1_15.yaml
index 090209071..4795f9d8a 100755
--- a/compliance/controls/azure/azure_cis_v150_1_15.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_15.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_15
 Title: "1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'"
 Description: "Limit guest user permissions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_16.yaml b/compliance/controls/azure/azure_cis_v150_1_16.yaml
index 6d6384ce8..a37d03928 100755
--- a/compliance/controls/azure/azure_cis_v150_1_16.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_16.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_16
 Title: "1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'"
 Description: "Restrict invitations to users with specific administrative roles only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_17.yaml b/compliance/controls/azure/azure_cis_v150_1_17.yaml
index 80c2e6d14..18376dc03 100755
--- a/compliance/controls/azure/azure_cis_v150_1_17.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_17.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_17
 Title: "1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'"
 Description: "Restrict access to the Azure AD administration portal to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_19.yaml b/compliance/controls/azure/azure_cis_v150_1_19.yaml
index a9f4f1778..43086fc24 100755
--- a/compliance/controls/azure/azure_cis_v150_1_19.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_19.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_19
 Title: "1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'"
 Description: "Restrict security group creation to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -32,8 +30,10 @@ Query:
 azuread_authorization_policy as a;
 PrimaryTable: azuread_authorization_policy
 ListOfTables:
- - azure_tenant
- - azuread_authorization_policy
+ - azure_tenant
+ - azuread_authorization_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_1_1.yaml b/compliance/controls/azure/azure_cis_v150_1_1_1.yaml
index eea281f1b..77bee39f1 100755
--- a/compliance/controls/azure/azure_cis_v150_1_1_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_1_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_1_1
 Title: "1.1.1 Ensure Security Defaults is enabled on Azure Active Directory"
 Description: "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Microsoft is making security defaults available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_1_2.yaml b/compliance/controls/azure/azure_cis_v150_1_1_2.yaml
index 22b0d8a24..19767fadc 100755
--- a/compliance/controls/azure/azure_cis_v150_1_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_1_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_1_2
 Title: "1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users"
 Description: "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_1_3.yaml b/compliance/controls/azure/azure_cis_v150_1_1_3.yaml
index 46af9639b..577ebea60 100755
--- a/compliance/controls/azure/azure_cis_v150_1_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_1_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_1_3
 Title: "1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users"
 Description: "Enable multi-factor authentication for all non-privileged users."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_1_4.yaml b/compliance/controls/azure/azure_cis_v150_1_1_4.yaml
index 9704f57e7..b50cdad7e 100755
--- a/compliance/controls/azure/azure_cis_v150_1_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_1_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_1_4
 Title: "1.1.4 Ensure that 'Restore multi-factor authentication on all remembered devices' is Enabled"
 Description: "Do not allow users to remember multi-factor authentication on devices."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_20.yaml b/compliance/controls/azure/azure_cis_v150_1_20.yaml
index de030a7f5..2018ffbf1 100755
--- a/compliance/controls/azure/azure_cis_v150_1_20.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_20.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_20
 Title: "1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'"
 Description: "Restrict security group management to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_21.yaml b/compliance/controls/azure/azure_cis_v150_1_21.yaml
index 29572e2e4..5a694acbc 100755
--- a/compliance/controls/azure/azure_cis_v150_1_21.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_21.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_21
 Title: "1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'"
 Description: "Restrict Microsoft 365 group creation to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_22.yaml b/compliance/controls/azure/azure_cis_v150_1_22.yaml
index 413612912..3d3bee758 100755
--- a/compliance/controls/azure/azure_cis_v150_1_22.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_22.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_22
 Title: "1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'"
 Description: "Joining or registering devices to the active directory should require Multi-factor authentication."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_23.yaml b/compliance/controls/azure/azure_cis_v150_1_23.yaml
index 9b6774b17..2dd3739ce 100755
--- a/compliance/controls/azure/azure_cis_v150_1_23.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_23.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_23
 Title: "1.23 Ensure That No Custom Subscription Owner Roles Are Created"
 Description: "Subscription ownership should not include permission to create custom owner roles. The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -46,8 +44,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_role_definition
 ListOfTables:
- - azure_role_definition
- - azure_subscription
+ - azure_role_definition
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_24.yaml b/compliance/controls/azure/azure_cis_v150_1_24.yaml
index ac8df8ce8..b154d1c6a 100755
--- a/compliance/controls/azure/azure_cis_v150_1_24.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_24.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_24
 Title: "1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks"
 Description: "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_25.yaml b/compliance/controls/azure/azure_cis_v150_1_25.yaml
index d53fd28c3..357642e5e 100755
--- a/compliance/controls/azure/azure_cis_v150_1_25.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_25.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_25
 Title: "1.25 Ensure That ‘Subscription Entering AAD Directory’ and ‘Subscription Leaving AAD Directory’ Is Set To ‘Permit No One’"
 Description: "Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_2_1.yaml b/compliance/controls/azure/azure_cis_v150_1_2_1.yaml
index 5d5681909..800d695f5 100755
--- a/compliance/controls/azure/azure_cis_v150_1_2_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_2_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_2_1
 Title: "1.2.1 Ensure Trusted Locations Are Defined"
 Description: "Azure Active Directory Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_2_2.yaml b/compliance/controls/azure/azure_cis_v150_1_2_2.yaml
index bf2068af6..7623a74a6 100755
--- a/compliance/controls/azure/azure_cis_v150_1_2_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_2_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_2_2
 Title: "1.2.2 Ensure that an exclusionary Geographic Access Policy is considered"
 Description: "Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_2_3.yaml b/compliance/controls/azure/azure_cis_v150_1_2_3.yaml
index 641da5a5a..e537f3316 100755
--- a/compliance/controls/azure/azure_cis_v150_1_2_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_2_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_2_3
 Title: "1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups"
 Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_2_4.yaml b/compliance/controls/azure/azure_cis_v150_1_2_4.yaml
index 6de1f4e4e..a8bfa4d53 100755
--- a/compliance/controls/azure/azure_cis_v150_1_2_4.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_2_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_2_4
 Title: "1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users"
 Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_2_5.yaml b/compliance/controls/azure/azure_cis_v150_1_2_5.yaml
index bb394885e..281eeffc9 100755
--- a/compliance/controls/azure/azure_cis_v150_1_2_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_2_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_2_5
 Title: "1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins"
 Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_2_6.yaml b/compliance/controls/azure/azure_cis_v150_1_2_6.yaml
index d74f9805d..4b7f4f865 100755
--- a/compliance/controls/azure/azure_cis_v150_1_2_6.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_2_6.yaml
@@ -1,40 +1,15 @@
 ID: azure_cis_v150_1_2_6
 Title: "1.2.6 Ensure Multi-factor Authentication is Required for Azure Management"
 Description: "For designated users, they will be prompted to use their multi-factor authentication(MFA) process on logins."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with distinct_tenant as (
- select
- distinct tenant_id,
- subscription_id,
- _ctx
- from
- azure_tenant
- )
- select
- p.id as resource,
- p.og_account_id as og_account_id,
- p.og_resource_id as og_resource_id,
- case
- when p.built_in_controls @> '["mfa"]' then 'ok'
- else 'alarm'
- end as status,
- case
- when p.built_in_controls @> '["mfa"]' then p.display_name || ' MFA enabled.'
- else p.display_name || ' MFA disabled.'
- end as reason,
- t.tenant_id
-
- from
- distinct_tenant as t,
- azuread_conditional_access_policy as p;
+ QueryToExecute: "with distinct_tenant as (\n select\n distinct tenant_id,\n subscription_id,\n _ctx\n from\n azure_tenant\n)\nselect\n p.id as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when p.built_in_controls @> '[\"mfa\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when p.built_in_controls @> '[\"mfa\"]' then p.display_name || ' MFA enabled.'\n else p.display_name || ' MFA disabled.'\n end as reason,\n t.tenant_id\n \nfrom\n distinct_tenant as t,\n azuread_conditional_access_policy as p;"
 PrimaryTable: azuread_conditional_access_policy
 ListOfTables:
- - azure_tenant
- - azuread_conditional_access_policy
+ - azure_tenant
+ - azuread_conditional_access_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_3.yaml b/compliance/controls/azure/azure_cis_v150_1_3.yaml
index ea677d5c4..3cede1027 100755
--- a/compliance/controls/azure/azure_cis_v150_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_3
 Title: "1.3 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management"
 Description: "This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources a a guest user."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_4.yaml b/compliance/controls/azure/azure_cis_v150_1_4.yaml
index c95cd7195..6af207c1b 100755
--- a/compliance/controls/azure/azure_cis_v150_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_4.yaml
@@ -1,43 +1,15 @@
 ID: azure_cis_v150_1_4
 Title: "1.4 Ensure Guest Users Are Reviewed on a Regular Basis"
 Description: "Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with distinct_tenant as (
- select
- distinct tenant_id,
- subscription_id,
- _ctx
- from
- azure_tenant
- )
- select
- u.display_name as resource,
- u.og_account_id as og_account_id,
- u.og_resource_id as og_resource_id,
- case
- when not account_enabled then 'alarm'
- when u.created_date_time::timestamp <= (current_date - interval '30' day) then 'alarm'
- else 'ok'
- end as status,
- case
- when not account_enabled then 'Guest user ''' || u.display_name || ''' inactive.'
- else 'Guest user ''' || u.display_name || ''' was created ' || extract(day from current_timestamp - u.created_date_time::timestamp) || ' days ago.'
- end as reason,
- t.tenant_id
-
- from
- azuread_user as u
- left join distinct_tenant as t on t.tenant_id = u.tenant_id
- where
- u.user_type = 'Guest';
+ QueryToExecute: "with distinct_tenant as (\n select\n distinct tenant_id,\n subscription_id,\n _ctx\n from\n azure_tenant\n)\nselect\n u.display_name as resource,\n u.og_account_id as og_account_id,\n u.og_resource_id as og_resource_id,\n case\n when not account_enabled then 'alarm'\n when u.created_date_time::timestamp <= (current_date - interval '30' day) then 'alarm'\n else 'ok'\n end as status,\n case\n when not account_enabled then 'Guest user ''' || u.display_name || ''' inactive.'\n else 'Guest user ''' || u.display_name || ''' was created ' || extract(day from current_timestamp - u.created_date_time::timestamp) || ' days ago.'\n end as reason,\n t.tenant_id\n \nfrom\n azuread_user as u\n left join distinct_tenant as t on t.tenant_id = u.tenant_id\nwhere\n u.user_type = 'Guest';"
 PrimaryTable: azuread_user
 ListOfTables:
- - azuread_user
- - azure_tenant
+ - azuread_user
+ - azure_tenant
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_5.yaml b/compliance/controls/azure/azure_cis_v150_1_5.yaml
index 6d95a4705..4eb41eba8 100755
--- a/compliance/controls/azure/azure_cis_v150_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_5
 Title: "1.5 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'"
 Description: "Do not allow users to remember multi-factor authentication on devices."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_6.yaml b/compliance/controls/azure/azure_cis_v150_1_6.yaml
index 5db9d23db..665ed45a2 100755
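Review bot: In the new `QueryToExecute` string for azure_cis_v150_1_4, the branch `when u.created_date_time::timestamp <= (current_date - interval '30' day) then 'alarm'` alarms on every enabled guest account merely for being older than 30 days, so a long-lived guest that has been reviewed as the title asks appears to stay in alarm permanently and the control cannot be brought back to 'ok' by doing the review. If the intent is "not reviewed in the last 30 days", the status needs a review or sign-in signal rather than creation time; if age is genuinely the intended signal, the reason text `' was created ' || ... || ' days ago.'` is the only hint of that and the Description should say so. The two `when not account_enabled` branches reference `account_enabled` unqualified while every other column carries the `u.` alias; writing `u.account_enabled` keeps the column binding explicit if the CTE or joins grow. This logic is carried over verbatim from the removed block scalar, so the commit only re-quotes it and the column-qualification point applies to the old side as well.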
--- a/compliance/controls/azure/azure_cis_v150_1_6.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_6
 Title: "1.6 Ensure That 'Number of methods required to reset' is set to '2'"
 Description: "Ensures that two alternate forms of identification are provided before allowing a password reset."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_7.yaml b/compliance/controls/azure/azure_cis_v150_1_7.yaml
index 081cd1038..ebc1f1c74 100755
--- a/compliance/controls/azure/azure_cis_v150_1_7.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_1_7
 Title: "1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization"
 Description: "Microsoft Azure creates a default bad password policy that is already applied to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_1_8.yaml b/compliance/controls/azure/azure_cis_v150_1_8.yaml
index 452f5835e..abf80f620 100755
--- a/compliance/controls/azure/azure_cis_v150_1_8.yaml
+++ b/compliance/controls/azure/azure_cis_v150_1_8.yaml
@@ -1,8 +1,6 @@ ID: azure_cis_v150_1_8 Title: "1.8 Ensure that 'Number of days before users are asked to reconfirm their authentication information' is not set to '0'" Description: "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_1_9.yaml b/compliance/controls/azure/azure_cis_v150_1_9.yaml index 1b67d1c52..8aceab698 100755 --- a/compliance/controls/azure/azure_cis_v150_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v150_1_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_1_9 Title: "1.9 Ensure that 'Notify users on password resets?' is set to 'Yes'" Description: "Ensure that users are notified on their primary and secondary emails on password resets." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_1.yaml b/compliance/controls/azure/azure_cis_v150_2_1_1.yaml index 82f7a2a42..d1b55d5dd 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_1 Title: "2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'" Description: "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: name = 'VirtualMachines'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_10.yaml b/compliance/controls/azure/azure_cis_v150_2_1_10.yaml index 7258a39b9..ba95c4eba 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_10.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_10.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_10 Title: "2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On'" Description: "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'KeyVaults'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_11.yaml b/compliance/controls/azure/azure_cis_v150_2_1_11.yaml index 088376691..f6b369384 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_11.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_11.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_11 Title: "2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On'" Description: "Microsoft Defender for DNS scans all network traffic exiting from within a subscription." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: name = 'Dns'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_12.yaml b/compliance/controls/azure/azure_cis_v150_2_1_12.yaml index 24ff6f69e..c889a5c1c 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_12.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_12.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_12 Title: "2.1.12 Ensure That Microsoft Defender for IoT Is Set To 'On'" Description: "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_13.yaml b/compliance/controls/azure/azure_cis_v150_2_1_13.yaml index ff90f1f0a..50665bc28 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_13.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_13 Title: "2.1.13 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'" Description: "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'Arm'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v150_2_1_2.yaml b/compliance/controls/azure/azure_cis_v150_2_1_2.yaml index b2eecff0b..6c22fbc3e 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_2 Title: "2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'" Description: "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'AppServices'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_3.yaml b/compliance/controls/azure/azure_cis_v150_2_1_3.yaml index f08d19fc9..6c0404eea 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_3 Title: "2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On'" Description: "Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -44,8 +42,10 @@ Query: left join defender_list as l on l.subscription_id = sub.subscription_id; PrimaryTable: azure_subscription ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_4.yaml b/compliance/controls/azure/azure_cis_v150_2_1_4.yaml index d2fd2d682..310a840ca 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_4 Title: "2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'" Description: "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'SqlServers'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_5.yaml b/compliance/controls/azure/azure_cis_v150_2_1_5.yaml index 95fba3ad8..c7f8314a1 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_5.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_5 Title: "2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'" Description: "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'SqlServerVirtualMachines'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_6.yaml b/compliance/controls/azure/azure_cis_v150_2_1_6.yaml index a82e3540a..f3f4f2fd2 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_6 Title: "2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'" Description: "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'OpenSourceRelationalDatabases'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v150_2_1_7.yaml b/compliance/controls/azure/azure_cis_v150_2_1_7.yaml index d168865aa..4f87b352e 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_7 Title: "2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'" Description: "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'StorageAccounts'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_8.yaml b/compliance/controls/azure/azure_cis_v150_2_1_8.yaml index e8baf7136..e85c1e61b 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_8.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_8 Title: "2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'" Description: "Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -25,8 +23,10 @@ Query: name = 'ContainerRegistry'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_1_9.yaml b/compliance/controls/azure/azure_cis_v150_2_1_9.yaml index 11f5390d3..59c3e230f 100755 --- a/compliance/controls/azure/azure_cis_v150_2_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_1_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_1_9 Title: "2.1.9 Ensure That Microsoft Defender for Cosmos DB Is Set To 'On'" Description: "Microsoft Defender for Cosmos DB scans all incoming network requests for changes to your virtual machine." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'CosmosDbs'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_2_1.yaml b/compliance/controls/azure/azure_cis_v150_2_2_1.yaml index 3bebf6ba5..3ed211d7e 100755 --- a/compliance/controls/azure/azure_cis_v150_2_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_2_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_2_1 Title: "2.2.1 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'" Description: "Enable automatic provisioning of the monitoring agent to collect security data." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
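Review bot: The 2.1.8 hunk carries over the pricing filter `name = 'ContainerRegistry';` (visible as context) while the control is titled "Microsoft Defender for Containers"; as far as I recall the consolidated plan is exposed by the Pricings API under the name `Containers`, and `ContainerRegistry`/`KubernetesService` are the retired per-resource plans, so a subscription that has only the current plan enabled would be reported as non-compliant and one that kept only the legacy registry plan would pass. If that holds, the filter should read `name = 'Containers';`, matching the CIS v1.5.0 audit step (`az security pricing show -n Containers`). The query body is outside this hunk, so please confirm against the full file before changing it.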
@@ -23,8 +21,10 @@ Query: right join azure_subscription sub on sc_prov.subscription_id = sub.subscription_id; PrimaryTable: azure_security_center_auto_provisioning ListOfTables: - - azure_security_center_auto_provisioning - - azure_subscription + - azure_security_center_auto_provisioning + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_2_2.yaml b/compliance/controls/azure/azure_cis_v150_2_2_2.yaml index 651b6919d..e4975bfcf 100755 --- a/compliance/controls/azure/azure_cis_v150_2_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_2_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_2_2 Title: "2.2.2 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'" Description: "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_2_3.yaml b/compliance/controls/azure/azure_cis_v150_2_2_3.yaml index 798c78db0..bcedfc4ae 100755 --- a/compliance/controls/azure/azure_cis_v150_2_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_2_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_2_3 Title: "2.2.3 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'" Description: "Enable automatic provisioning of the Microsoft Defender for Containers components." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v150_2_3_1.yaml b/compliance/controls/azure/azure_cis_v150_2_3_1.yaml
index b4028fbff..a27ff2067 100755
--- a/compliance/controls/azure/azure_cis_v150_2_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_2_3_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_2_3_1
 Title: "2.3.1 Ensure That 'All users with the following roles' is set to 'Owner'"
 Description: "Enable security alert emails to subscription owners."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
 ```
 PrimaryTable: azure_subscription
 ListOfTables:
- - azure_security_center_contact
- - azure_subscription
+ - azure_security_center_contact
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_2_3_2.yaml b/compliance/controls/azure/azure_cis_v150_2_3_2.yaml
index 4421a1e50..c4dce3d45 100755
--- a/compliance/controls/azure/azure_cis_v150_2_3_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_2_3_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_2_3_2
 Title: "2.3.2 Ensure 'Additional email addresses' is Configured with a Security Contact Email"
 Description: "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -39,8 +37,10 @@ Query:
 ```
 PrimaryTable: azure_security_center_contact
 ListOfTables:
- - azure_security_center_contact
- - azure_subscription
+ - azure_security_center_contact
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_2_3_3.yaml b/compliance/controls/azure/azure_cis_v150_2_3_3.yaml
index bf61ab7e0..5204c3aa1 100755
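Review bot: In azure_cis_v150_2_3_1 the context line immediately before `PrimaryTable: azure_subscription` (old line 35) is a bare line of three backticks, and because the hunk's nearest column-0 line is `Query:` it sits inside the `QueryToExecute: |-` block scalar, so it is most likely sent to the engine as the last line of the SQL. A trailing backtick fence is not valid SQL, so this control would error instead of evaluating and a subscription with no owner-alert roles configured would never be reported; the new side keeps the line unchanged. Delete that line from the block scalar and run the query once against the engine; the IntegrationTypeName migration in this hunk does not touch it. Only the tail of the query is visible here, so the rest of it is outside this hunk.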
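Review bot: azure_cis_v150_2_3_2 has the same stray three-backtick line at the tail of `QueryToExecute` (old line 39, directly before `PrimaryTable: azure_security_center_contact`); if it is part of the block scalar, the security-contact-email check never runs and the gap is invisible in results. Remove the line and confirm the query parses; this hunk only reindents the table list and adds IntegrationTypeName, so the defect carries over as-is.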
--- a/compliance/controls/azure/azure_cis_v150_2_3_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_3_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_3_3 Title: "2.3.3 Ensure That 'Notify about alerts with the following severity' is Set to 'High'" Description: "Enables emailing security alerts to the subscription owner or other designated security contact." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -33,8 +31,10 @@ Query: left join contact_info ci on sub.subscription_id = ci.subscription_id; PrimaryTable: azure_subscription ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_4_1.yaml b/compliance/controls/azure/azure_cis_v150_2_4_1.yaml index cd65e6b50..7a83fc120 100755 --- a/compliance/controls/azure/azure_cis_v150_2_4_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_4_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_4_1 Title: "2.4.1 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected" Description: "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'MCAS'; PrimaryTable: azure_security_center_setting ListOfTables: - - azure_security_center_setting - - azure_subscription + - azure_security_center_setting + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_4_2.yaml b/compliance/controls/azure/azure_cis_v150_2_4_2.yaml index a16dcf0b4..c4ac7f129 100755 --- a/compliance/controls/azure/azure_cis_v150_2_4_2.yaml 
+++ b/compliance/controls/azure/azure_cis_v150_2_4_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_4_2 Title: "2.4.2 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected" Description: "This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'WDATP'; PrimaryTable: azure_security_center_setting ListOfTables: - - azure_security_center_setting - - azure_subscription + - azure_security_center_setting + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_5.yaml b/compliance/controls/azure/azure_cis_v150_2_5.yaml index e84ce769d..9ee163d07 100755 --- a/compliance/controls/azure/azure_cis_v150_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_2_5 Title: "2.5 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'" Description: "Ensure that the latest OS patches for all virtual machines are applied." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_2_6.yaml b/compliance/controls/azure/azure_cis_v150_2_6.yaml index a06ee3fcb..7e21b7547 100755 --- a/compliance/controls/azure/azure_cis_v150_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_2_6.yaml 
@@ -1,52 +1,15 @@
 ID: azure_cis_v150_2_6
 Title: "2.6 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'"
 Description: "None of the settings offered by ASC Default policy should be set to effect Disabled."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with policy_assignment_parameters as (
- select
- id,
- name,
- key,
- parameters -> key ->> 'value' as value,
- subscription_id
- from
- azure_policy_assignment,
- jsonb_object_keys(parameters) as key
- where
- name = 'SecurityCenterBuiltIn'
- )
- select
- sub.id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when count(value = 'Disabled') > 0 then 'alarm'
- else 'ok'
- end as status,
- case
- when count(value = 'Disabled') > 0 then 'Settings disabled for ' || count(*) filter (where value = 'Disabled') || ' parameters.'
- else 'Settings enabled for all the parameters.'
- end as reason
-
-
- from
- policy_assignment_parameters pol_assignment
- right join azure_subscription sub on pol_assignment.subscription_id = sub.subscription_id
- group by
- sub.id,
- pol_assignment.id,
- sub._ctx,
- sub.subscription_id,
- pol_assignment.subscription_id,
- sub.display_name;
+ QueryToExecute: "with policy_assignment_parameters as (\n select\n id,\n name,\n key,\n parameters -> key ->> 'value' as value,\n subscription_id\n from\n azure_policy_assignment,\n jsonb_object_keys(parameters) as key\n where\n name = 'SecurityCenterBuiltIn'\n)\nselect\n sub.id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(value = 'Disabled') > 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when count(value = 'Disabled') > 0 then 'Settings disabled for ' || count(*) filter (where value = 'Disabled') || ' parameters.'\n else 'Settings enabled for all the parameters.'\n end as reason\n \n \nfrom\n policy_assignment_parameters pol_assignment\n right join azure_subscription sub on 
pol_assignment.subscription_id = sub.subscription_id\ngroup by\n sub.id,\n pol_assignment.id,\n sub._ctx,\n sub.subscription_id,\n pol_assignment.subscription_id,\n sub.display_name;"
 PrimaryTable: azure_policy_assignment
 ListOfTables:
- - azure_policy_assignment
- - azure_subscription
+ - azure_policy_assignment
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_3_1.yaml b/compliance/controls/azure/azure_cis_v150_3_1.yaml
index 167adf1a3..a4e4456cf 100755
--- a/compliance/controls/azure/azure_cis_v150_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v150_3_1
 Title: "3.1 Ensure that 'Secure transfer required' is set to 'Enabled'"
 Description: "Enable data encryption in transit."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_3_10.yaml b/compliance/controls/azure/azure_cis_v150_3_10.yaml
index 39622a3cd..84fe85f36 100755
--- a/compliance/controls/azure/azure_cis_v150_3_10.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_10.yaml
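Review bot: The re-serialized azure_cis_v150_2_6 query still decides both `status` and `reason` with `when count(value = 'Disabled') > 0 then 'alarm'`; in PostgreSQL `count(expr)` counts every row where `expr` is not null, and `value = 'Disabled'` is false-but-not-null for every parameter that has a value, so any subscription whose `SecurityCenterBuiltIn` assignment exposes at least one parameter is alarmed regardless of its effect. Use the filtered form the reason text already uses — `when count(*) filter (where value = 'Disabled') > 0 then 'alarm'` in the status branch and the same predicate in the reason branch — so only settings actually set to Disabled trigger. Separately, collapsing the `|-` block scalar into one double-quoted string with `\n` escapes makes the SQL unreviewable inline; every other control in this diff keeps a block scalar and this one should too. `PrimaryTable: azure_policy_assignment` also looks off given the query is driven by `azure_subscription` through a right join, though I cannot see from here what the engine does with that field.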
@@ -1,8 +1,6 @@ ID: azure_cis_v150_3_10 Title: "3.10 Ensure Private Endpoints are used to access Storage Accounts" Description: "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet. This VNet can also link addressing space, extending your network and accessing resources on it. Similarly, it can be a tunnel through public networks to connect remote infrastructures together. This creates further security through segmenting network traffic and preventing outside sources from accessing it." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -35,8 +33,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_3_11.yaml b/compliance/controls/azure/azure_cis_v150_3_11.yaml index 07787ffd5..92c3db765 100755 --- a/compliance/controls/azure/azure_cis_v150_3_11.yaml +++ b/compliance/controls/azure/azure_cis_v150_3_11.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v150_3_11 Title: "3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage" Description: "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability. It is recommended that both Azure Containers with attached Blob Storage and standalone containers with Blob Storage be made recoverable by enabling the soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_3_12.yaml b/compliance/controls/azure/azure_cis_v150_3_12.yaml index ccc768570..5e204be4b 100755 --- a/compliance/controls/azure/azure_cis_v150_3_12.yaml +++ b/compliance/controls/azure/azure_cis_v150_3_12.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_3_12 Title: "3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys" Description: "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v150_3_14.yaml b/compliance/controls/azure/azure_cis_v150_3_14.yaml index 4ad3b5af2..b55488528 100755 --- a/compliance/controls/azure/azure_cis_v150_3_14.yaml +++ b/compliance/controls/azure/azure_cis_v150_3_14.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_3_14 Title: "3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests" Description: "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -31,8 +29,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_3_15.yaml b/compliance/controls/azure/azure_cis_v150_3_15.yaml index 061d870bc..5c41b265e 100755 --- a/compliance/controls/azure/azure_cis_v150_3_15.yaml +++ b/compliance/controls/azure/azure_cis_v150_3_15.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v150_3_15 Title: "3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'" Description: "In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_3_2.yaml b/compliance/controls/azure/azure_cis_v150_3_2.yaml index c510b4693..4f6aa776f 100755 --- a/compliance/controls/azure/azure_cis_v150_3_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_3_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_3_2 Title: "3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to ‘enabled’" Description: "Enabling double encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_3_3.yaml b/compliance/controls/azure/azure_cis_v150_3_3.yaml index 5fd2d3cf8..b82c908ec 100755 --- a/compliance/controls/azure/azure_cis_v150_3_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_3_3.yaml 
@@ -1,8 +1,6 @@
ID: azure_cis_v150_3_3
Title: "3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account"
Description: "Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The Rotation Reminder is an automatic reminder feature for a manual procedure."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_3_4.yaml b/compliance/controls/azure/azure_cis_v150_3_4.yaml
index 773983242..da4d9983f 100755
--- a/compliance/controls/azure/azure_cis_v150_3_4.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_4.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_3_4
Title: "3.4 Ensure that Storage Account Access Keys are Periodically Regenerated"
Description: "For increased security, regenerate storage account access keys periodically."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_3_5.yaml b/compliance/controls/azure/azure_cis_v150_3_5.yaml
index d88a6e915..1bdb93166 100755
--- a/compliance/controls/azure/azure_cis_v150_3_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_5.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_3_5
Title: "3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' request"
Description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -31,8 +29,10 @@ Query:
sub.subscription_id = sa.subscription_id;
PrimaryTable: azure_storage_account
ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_3_6.yaml b/compliance/controls/azure/azure_cis_v150_3_6.yaml
index c90093d70..95d4def50 100755
--- a/compliance/controls/azure/azure_cis_v150_3_6.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_6.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_3_6
Title: "3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour"
Description: "Expire shared access signature tokens within an hour."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_3_7.yaml b/compliance/controls/azure/azure_cis_v150_3_7.yaml
index da34b3e1f..d3f8f534f 100755
--- a/compliance/controls/azure/azure_cis_v150_3_7.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_7.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_3_7
Title: "3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers"
Description: "Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,9 +23,11 @@ Query:
join azure_subscription sub on sub.subscription_id = account.subscription_id;
PrimaryTable: azure_storage_container
ListOfTables:
- - azure_storage_container
- - azure_storage_account
- - azure_subscription
+ - azure_storage_container
+ - azure_storage_account
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_3_8.yaml b/compliance/controls/azure/azure_cis_v150_3_8.yaml
index 1b370e82c..90d706441 100755
--- a/compliance/controls/azure/azure_cis_v150_3_8.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_8.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_3_8
Title: "3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny"
Description: "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
sub.subscription_id = sa.subscription_id;
PrimaryTable: azure_storage_account
ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_3_9.yaml b/compliance/controls/azure/azure_cis_v150_3_9.yaml
index 4f65ed61d..18b75183a 100755
--- a/compliance/controls/azure/azure_cis_v150_3_9.yaml
+++ b/compliance/controls/azure/azure_cis_v150_3_9.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_3_9
Title: "3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access"
Description: "Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account. If the Allow trusted Azure services exception is enabled, the following services are granted access to the storage account: Azure Backup, Azure Site Recovery, Azure DevTest Labs, Azure Event Grid, Azure Event Hubs, Azure Networking, Azure Monitor, and Azure SQL Data Warehouse (when registered in the subscription)."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
sub.subscription_id = sa.subscription_id;
PrimaryTable: azure_storage_account
ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_1_2.yaml b/compliance/controls/azure/azure_cis_v150_4_1_2.yaml
index 19f6f91a6..f1548bb6d 100755
--- a/compliance/controls/azure/azure_cis_v150_4_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_1_2.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_1_2
Title: "4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)"
Description: "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -29,8 +27,10 @@ Query:
sub.subscription_id = s.subscription_id;
PrimaryTable: azure_sql_server
ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_1_4.yaml b/compliance/controls/azure/azure_cis_v150_4_1_4.yaml
index 3681be9e4..4deb22cb6 100755
--- a/compliance/controls/azure/azure_cis_v150_4_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_1_4.yaml
@@ -1,33 +1,15 @@
ID: azure_cis_v150_4_1_4
Title: "4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers"
Description: "Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when server_azure_ad_administrator is null then 'alarm'
- else 'ok'
- end as status,
- case
- when server_azure_ad_administrator is null then name || ' Azure AD authentication not configured.'
- else name || ' Azure AD authentication configured.'
- end as reason
-
- from
- azure_sql_server s,
- azure_subscription sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when server_azure_ad_administrator is null then 'alarm'\n else 'ok'\n end as status,\n case\n when server_azure_ad_administrator is null then name || ' Azure AD authentication not configured.'\n else name || ' Azure AD authentication configured.'\n end as reason\n \nfrom\n azure_sql_server s,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;"
PrimaryTable: azure_sql_server
ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_1_5.yaml b/compliance/controls/azure/azure_cis_v150_4_1_5.yaml
index 729803f20..79437ac40 100755
--- a/compliance/controls/azure/azure_cis_v150_4_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_1_5.yaml
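Review bot: The added `QueryToExecute: "select\n ..."` line collapses the whole SQL statement into a single double-quoted scalar with `\n` escapes, while every other control in this diff keeps the readable `QueryToExecute: |-` block scalar; the same conversion is made in the azure_cis_v150_5_2_6 hunk, where the embedded JSON literals now also need `\"` escaping. A one-line quoted query cannot be diffed or reviewed line by line, and the new string carries a whitespace-only line (`end as reason\n \nfrom`) that the block form made visible. Unless the loader requires a flow scalar here, keep the removed `QueryToExecute: |-` form and re-indent its body instead of quoting it.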
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_1_5
Title: "4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database"
Description: "Enable Transparent Data Encryption on every SQL server."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
and s.name <> 'master';
PrimaryTable: azure_sql_database
ListOfTables:
- - azure_sql_database
- - azure_subscription
+ - azure_sql_database
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_3_1.yaml b/compliance/controls/azure/azure_cis_v150_4_3_1.yaml
index 8204a7314..b00b7021d 100755
--- a/compliance/controls/azure/azure_cis_v150_4_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_3_1.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_3_1
Title: "4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server"
Description: "Enable SSL connection on PostgreSQL Servers."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
sub.subscription_id = s.subscription_id;
PrimaryTable: azure_postgresql_server
ListOfTables:
- - azure_postgresql_server
- - azure_subscription
+ - azure_postgresql_server
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_3_7.yaml b/compliance/controls/azure/azure_cis_v150_4_3_7.yaml
index 36eeba24f..f70eb042a 100755
--- a/compliance/controls/azure/azure_cis_v150_4_3_7.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_3_7.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_3_7
Title: "4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled"
Description: "Disable access from Azure services to PostgreSQL Database Server."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_3_8.yaml b/compliance/controls/azure/azure_cis_v150_4_3_8.yaml
index 745072e90..c01f7373d 100755
--- a/compliance/controls/azure/azure_cis_v150_4_3_8.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_3_8.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_3_8
Title: "4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'"
Description: "Enable encryption at rest for PostgreSQL Databases."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
sub.subscription_id = s.subscription_id;
PrimaryTable: azure_postgresql_server
ListOfTables:
- - azure_postgresql_server
- - azure_subscription
+ - azure_postgresql_server
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_4_1.yaml b/compliance/controls/azure/azure_cis_v150_4_4_1.yaml
index 1a9f58c7c..85787dbf0 100755
--- a/compliance/controls/azure/azure_cis_v150_4_4_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_4_1.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_4_1
Title: "4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server"
Description: "Enable SSL connection on MySQL Servers."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
sub.subscription_id = s.subscription_id;
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_4_2.yaml b/compliance/controls/azure/azure_cis_v150_4_4_2.yaml
index a85805025..88689155b 100755
--- a/compliance/controls/azure/azure_cis_v150_4_4_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_4_2.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_4_2
Title: "4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server"
Description: "Ensure TLS version on MySQL flexible servers is set to the default value."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
sub.subscription_id = s.subscription_id;
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_4_3.yaml b/compliance/controls/azure/azure_cis_v150_4_4_3.yaml
index c3cb4ce06..a00ac2a5d 100755
--- a/compliance/controls/azure/azure_cis_v150_4_4_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_4_3.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_4_3
Title: "4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server"
Description: "Enable audit_log_enabled on MySQL Servers."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
and sub.subscription_id = s.subscription_id;
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_5_1.yaml b/compliance/controls/azure/azure_cis_v150_4_5_1.yaml
index f96aa8807..b5a5d0d9a 100755
--- a/compliance/controls/azure/azure_cis_v150_4_5_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_5_1.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_5_1
Title: "4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks"
Description: ""
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
sub.subscription_id = a.subscription_id;
PrimaryTable: azure_cosmosdb_account
ListOfTables:
- - azure_cosmosdb_account
- - azure_subscription
+ - azure_cosmosdb_account
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_4_5_2.yaml b/compliance/controls/azure/azure_cis_v150_4_5_2.yaml
index 315f149aa..2d4af8f45 100755
--- a/compliance/controls/azure/azure_cis_v150_4_5_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_4_5_2.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_4_5_2
Title: "4.5.2 Ensure That Private Endpoints Are Used Where Possible"
Description: "Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key)."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
sub.subscription_id = a.subscription_id;
PrimaryTable: azure_cosmosdb_account
ListOfTables:
- - azure_cosmosdb_account
- - azure_subscription
+ - azure_cosmosdb_account
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_1.yaml b/compliance/controls/azure/azure_cis_v150_5_1_1.yaml
index ba9dea5cf..b859f0a06 100755
--- a/compliance/controls/azure/azure_cis_v150_5_1_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_1.yaml
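Review bot: The azure_cis_v150_4_5_1 hunk leaves `Description: ""` empty, and the azure_cis_v150_4_5_2 hunk next to it keeps a Description about TDE protectors and customer-managed keys under a Title about private endpoints for Cosmos DB accounts; both controls are touched by this commit, so it is a good moment to fix the documentation. Since the Description is what a reader of a finding sees, the 4_5_1 text should state what the control checks on the Cosmos DB account network configuration, and the 4_5_2 text should be replaced with one that matches its title and the azure_cosmosdb_account query it runs. The QueryToExecute bodies of both controls lie outside these hunks, so the exact wording should be taken from them.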
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_1_1
Title: "5.1.1 Ensure that a 'Diagnostics Setting' exists"
Description: "Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_2.yaml b/compliance/controls/azure/azure_cis_v150_5_1_2.yaml
index b9f61aa43..6d7768466 100755
--- a/compliance/controls/azure/azure_cis_v150_5_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_2.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_1_2
Title: "5.1.2 Ensure Diagnostic Setting captures appropriate categories"
Description: "A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -51,8 +49,10 @@ Query:
sub.subscription_id = sett.subscription_id;
PrimaryTable: azure_diagnostic_setting
ListOfTables:
- - azure_diagnostic_setting
- - azure_subscription
+ - azure_diagnostic_setting
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_3.yaml b/compliance/controls/azure/azure_cis_v150_5_1_3.yaml
index 2843f5b55..545558e4a 100755
--- a/compliance/controls/azure/azure_cis_v150_5_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_3.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_1_3
Title: "5.1.3 Ensure the storage container storing the activity logs is not publicly accessible"
Description: "The storage account container containing the activity log export should not be publicly accessible."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
and sub.subscription_id = sc.subscription_id;
PrimaryTable: azure_storage_container
ListOfTables:
- - azure_storage_container
- - azure_subscription
+ - azure_storage_container
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_5.yaml b/compliance/controls/azure/azure_cis_v150_5_1_5.yaml
index 9f02242cd..9886604ec 100755
--- a/compliance/controls/azure/azure_cis_v150_5_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_5.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_1_5
Title: "5.1.5 Ensure that logging for Azure KeyVault is 'Enabled'"
Description: "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -42,8 +40,10 @@ Query:
sub.subscription_id = v.subscription_id;
PrimaryTable: azure_key_vault
ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_6.yaml b/compliance/controls/azure/azure_cis_v150_5_1_6.yaml
index ceb9451ba..78d4dc3e6 100755
--- a/compliance/controls/azure/azure_cis_v150_5_1_6.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_6.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_1_6
Title: "5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics"
Description: "Ensure that network flow logs are captured and fed into a central log analytics workspace."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_1_7.yaml b/compliance/controls/azure/azure_cis_v150_5_1_7.yaml
index 0144746ab..0685bf116 100755
--- a/compliance/controls/azure/azure_cis_v150_5_1_7.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_1_7.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_1_7
Title: "5.1.7 Ensure that logging for Azure AppService 'AppServiceHTTPLogs' is enabled."
Description: "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
Severity: low
Tags:
manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_1.yaml b/compliance/controls/azure/azure_cis_v150_5_2_1.yaml
index c0fea9efc..8e0826ea4 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_1.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_1.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_2_1
Title: "5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment"
Description: "Create an activity log alert for the Create Policy Assignment event."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -46,8 +44,10 @@ Query:
sub.display_name;
PrimaryTable: azure_log_alert
ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_10.yaml b/compliance/controls/azure/azure_cis_v150_5_2_10.yaml
index d77b7c4df..f3ff1487d 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_10.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_10.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_2_10
Title: "5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule"
Description: "Create an activity log alert for the Delete Public IP Address rule."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -55,8 +53,10 @@ Query:
sub.display_name;
PrimaryTable: azure_subscription
ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_2.yaml b/compliance/controls/azure/azure_cis_v150_5_2_2.yaml
index 9d47d74c4..d5058c9cd 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_2.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_2.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_2_2
Title: "5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment"
Description: "Create an activity log alert for the Delete Policy Assignment event."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -45,8 +43,10 @@ Query:
sub.display_name;
PrimaryTable: azure_log_alert
ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
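Review bot: The activity-log-alert controls disagree on `PrimaryTable` even though their queries end the same way (`group by ... sub.display_name;`, i.e. one row per subscription): azure_cis_v150_5_2_10 here, and azure_cis_v150_5_2_5 and azure_cis_v150_5_2_8 further down, use `PrimaryTable: azure_subscription`, while 5_2_1 and 5_2_2 in this same line use `PrimaryTable: azure_log_alert`. If PrimaryTable is meant to name the table whose rows become findings, the subscription-keyed result suggests `azure_subscription` is the intended value for all of them, but that depends on how the engine uses the field and cannot be confirmed from the diff. Since this commit already rewrites every `ListOfTables` entry in these files, it would be a natural place to pick one value and apply it consistently.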
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_3.yaml b/compliance/controls/azure/azure_cis_v150_5_2_3.yaml
index 4cf3b3211..02ace3c7a 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_3.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_3.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_2_3
Title: "5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group"
Description: "Create an Activity Log Alert for the Create or Update Network Security Group event."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -55,8 +53,10 @@ Query:
sub.display_name;
PrimaryTable: azure_log_alert
ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_4.yaml b/compliance/controls/azure/azure_cis_v150_5_2_4.yaml
index ef94c3322..886e34afc 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_4.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_4.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_2_4
Title: "5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group"
Description: "Create an activity log alert for the Delete Network Security Group event."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
sub.display_name;
PrimaryTable: azure_log_alert
ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_5.yaml b/compliance/controls/azure/azure_cis_v150_5_2_5.yaml
index f22da2474..af8fffedf 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_5.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_5.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_2_5
Title: "5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution"
Description: "Create an activity log alert for the Create or Update Security Solution event."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -55,8 +53,10 @@ Query:
sub.display_name;
PrimaryTable: azure_subscription
ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_6.yaml b/compliance/controls/azure/azure_cis_v150_5_2_6.yaml
index 91be9314b..af8b2c8ac 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_6.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_6.yaml
@@ -1,63 +1,15 @@
ID: azure_cis_v150_5_2_6
Title: "5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution"
Description: "Create an activity log alert for the Delete Security Solution event."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with alert_rule as (
- select
- alert.id as alert_id,
- alert.name as alert_name,
- alert.enabled,
- alert.location,
- alert.subscription_id
- from
- azure_log_alert as alert,
- jsonb_array_elements_text(scopes) as sc
- where
- alert.location = 'global'
- and alert.enabled
- and sc = '/subscriptions/' || alert.subscription_id
- and (
- (
- alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]'
- )
- or
- (
- alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]'
- and jsonb_array_length(alert.condition -> 'allOf') = 2
- )
- )
- limit 1
- )
- select
- sub.subscription_id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when count(a.subscription_id) > 0 then 'ok'
- else 'alarm'
- end as status,
- case
- when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Security Solution event.'
- else 'Activity log alert does not exists for delete Security Solution event.'
- end as reason
-
- from
- azure_subscription sub
- left join alert_rule a on sub.subscription_id = a.subscription_id
- group by
- sub._ctx,
- sub.subscription_id,
- sub.display_name;
+ QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Security\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Security/securitySolutions/delete\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Security\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.security/securitysolutions\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Security Solution event.'\n else 'Activity log alert does not exists for delete Security Solution event.'\n end as reason\n \nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub._ctx,\n sub.subscription_id,\n sub.display_name;"
PrimaryTable: azure_log_alert
ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
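Review bot: The rewritten `QueryToExecute` string keeps `limit 1` inside the `alert_rule` CTE, which caps the whole CTE at one alert row across every subscription rather than one per subscription; if the engine evaluates this control over more than one subscription, every subscription except the one whose alert happened to be returned is left-joined to nothing and reported as `'alarm'` even when it has a matching Delete Security Solution alert. The outer query already tolerates duplicates through `count(a.subscription_id) > 0` with a `group by sub.subscription_id`, so the `limit 1` can simply be dropped from the CTE (`and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n)\nselect`). While touching the string, the reason text `'Activity log alert does not exists for delete Security Solution event.'` should read `'does not exist'`. The same CTE shape may exist in the other 5_2_x controls, but their query bodies are outside the hunks shown.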
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_7.yaml b/compliance/controls/azure/azure_cis_v150_5_2_7.yaml
index 1f1d3d60b..cd4d2e88e 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_7.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_7.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_2_7
Title: "5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule"
Description: "Create an activity log alert for the Create or Update SQL Server Firewall Rule event."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
sub.display_name;
PrimaryTable: azure_log_alert
ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_8.yaml b/compliance/controls/azure/azure_cis_v150_5_2_8.yaml
index 133053c30..67e5a0a5d 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_8.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_8.yaml
@@ -1,8 +1,6 @@
ID: azure_cis_v150_5_2_8
Title: "5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule"
Description: "Create an activity log alert for the 'Delete SQL Server Firewall Rule.'"
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -54,8 +52,10 @@ Query:
sub.display_name;
PrimaryTable: azure_subscription
ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v150_5_2_9.yaml b/compliance/controls/azure/azure_cis_v150_5_2_9.yaml
index f9fde0ad3..9dc997d64 100755
--- a/compliance/controls/azure/azure_cis_v150_5_2_9.yaml
+++ b/compliance/controls/azure/azure_cis_v150_5_2_9.yaml
@@ -1,8 +1,6 @@ ID: azure_cis_v150_5_2_9 Title: "5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule" Description: "Create an activity log alert for the Create or Update Public IP Addresses rule." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -58,8 +56,10 @@ Query: ``` PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_5_3.yaml b/compliance/controls/azure/azure_cis_v150_5_3.yaml index bd25868a1..9253b3e5e 100755 --- a/compliance/controls/azure/azure_cis_v150_5_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_5_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_5_3 Title: "5.3 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it" Description: "Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_6_1.yaml b/compliance/controls/azure/azure_cis_v150_6_1.yaml index e87206148..0511ec9da 100755 --- a/compliance/controls/azure/azure_cis_v150_6_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_6_1.yaml 
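Review bot: The context line just before `PrimaryTable` in the second hunk of azure_cis_v150_5_2_9.yaml (`@@ -58,8 +56,10 @@`) is a bare markdown fence line (three backticks), where every sibling control in this chunk ends its `|-` block with `sub.display_name;`. If that line is really in the file and not a rendering artifact, it sits inside the `QueryToExecute` block scalar and is handed to the engine as the last line of the SQL, so the control would error out instead of evaluating. The commit re-indents this file but leaves that line in place; it should be removed so the block ends on the final SQL statement. The enclosing `QueryToExecute` block starts outside the hunk, so the preceding lines cannot be checked here.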
@@ -1,8 +1,6 @@ ID: azure_cis_v150_6_1 Title: "6.1 Ensure that RDP from the internet access is evaluated and restricted" Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_6_2.yaml b/compliance/controls/azure/azure_cis_v150_6_2.yaml index 385a277be..c29128d78 100755 --- a/compliance/controls/azure/azure_cis_v150_6_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_6_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_6_2 Title: "6.2 Ensure that SSH access from the internet is evaluated and restricted" Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v150_6_3.yaml b/compliance/controls/azure/azure_cis_v150_6_3.yaml index eae1a1e49..2bdb163a1 100755 --- a/compliance/controls/azure/azure_cis_v150_6_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_6_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_6_3 Title: "6.3 Ensure that UDP access from the Internet is evaluated and restricted" Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -52,8 +50,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_6_4.yaml b/compliance/controls/azure/azure_cis_v150_6_4.yaml index c0fbeb0fb..5b5d19965 100755 --- a/compliance/controls/azure/azure_cis_v150_6_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_6_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_6_4 Title: "6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted" Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -61,8 +59,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_7_1.yaml b/compliance/controls/azure/azure_cis_v150_7_1.yaml index 7fe314720..1756bdfc1 100755 --- a/compliance/controls/azure/azure_cis_v150_7_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_7_1 Title: "7.1 Ensure Virtual Machines are utilizing Managed Disks" Description: "Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = vm.subscription_id; PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_7_2.yaml b/compliance/controls/azure/azure_cis_v150_7_2.yaml index 01679aa7e..a4554488a 100755 --- a/compliance/controls/azure/azure_cis_v150_7_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_7_2 Title: "7.2 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)" Description: "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -26,8 +24,10 @@ Query: and sub.subscription_id = disk.subscription_id; PrimaryTable: azure_compute_disk ListOfTables: - - azure_compute_disk - - azure_subscription + - azure_compute_disk + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_7_3.yaml b/compliance/controls/azure/azure_cis_v150_7_3.yaml index f8b209ba5..d1b0abca3 100755 --- a/compliance/controls/azure/azure_cis_v150_7_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_7_3 Title: "7.3 Ensure that 'Unattached disks' are encrypted with CMK" Description: "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,8 +24,10 @@ Query: and sub.subscription_id = disk.subscription_id; PrimaryTable: azure_compute_disk ListOfTables: - - azure_compute_disk - - azure_subscription + - azure_compute_disk + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_7_4.yaml b/compliance/controls/azure/azure_cis_v150_7_4.yaml index 2259760f4..91ef34e5d 100755 --- a/compliance/controls/azure/azure_cis_v150_7_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_7_4 Title: "7.4 Ensure that only approved extensions are installed" Description: "For added security only install organization-approved extensions on VMs." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_7_5.yaml b/compliance/controls/azure/azure_cis_v150_7_5.yaml index 5fbf79b1f..7246f6468 100755 --- a/compliance/controls/azure/azure_cis_v150_7_5.yaml 
+++ b/compliance/controls/azure/azure_cis_v150_7_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_7_5 Title: "7.5 Ensure that the endpoint protection for all Virtual Machines is installed" Description: "Install endpoint protection for all virtual machines." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_7_6.yaml b/compliance/controls/azure/azure_cis_v150_7_6.yaml index 262425a83..7af4f5ca3 100755 --- a/compliance/controls/azure/azure_cis_v150_7_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_7_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_7_6 Title: "7.6 Ensure that VHD's are encrypted" Description: "VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_8_1.yaml b/compliance/controls/azure/azure_cis_v150_8_1.yaml index 3515fa28c..e93c730ab 100755 --- a/compliance/controls/azure/azure_cis_v150_8_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_1.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v150_8_1 Title: "8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults" Description: "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,9 +35,11 @@ Query: sub.subscription_id = kvk.subscription_id; PrimaryTable: azure_key_vault_key ListOfTables: - - azure_key_vault - - azure_key_vault_key - - azure_subscription + - azure_key_vault + - azure_key_vault_key + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_8_2.yaml b/compliance/controls/azure/azure_cis_v150_8_2.yaml index 0125e2081..67bcf187c 100755 --- a/compliance/controls/azure/azure_cis_v150_8_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_8_2 Title: "8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults" Description: "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,9 +35,11 @@ Query: sub.subscription_id = kvk.subscription_id; PrimaryTable: azure_key_vault_key ListOfTables: - - azure_key_vault - - azure_key_vault_key - - azure_subscription + - azure_key_vault + - azure_key_vault_key + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_8_3.yaml b/compliance/controls/azure/azure_cis_v150_8_3.yaml index a8cb816d9..04306adbf 100755 --- a/compliance/controls/azure/azure_cis_v150_8_3.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_3.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v150_8_3 Title: "8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults" Description: "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,9 +35,11 @@ Query: sub.subscription_id = kvs.subscription_id; PrimaryTable: azure_key_vault_secret ListOfTables: - - azure_key_vault - - azure_key_vault_secret - - azure_subscription + - azure_key_vault + - azure_key_vault_secret + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_8_4.yaml b/compliance/controls/azure/azure_cis_v150_8_4.yaml index 2f817e81b..f40c91e03 100755 --- a/compliance/controls/azure/azure_cis_v150_8_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_8_4 Title: "8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults" Description: "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,9 +35,11 @@ Query: sub.subscription_id = kvs.subscription_id; PrimaryTable: azure_key_vault_secret ListOfTables: - - azure_key_vault - - azure_key_vault_secret - - azure_subscription + - azure_key_vault + - azure_key_vault_secret + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_8_5.yaml b/compliance/controls/azure/azure_cis_v150_8_5.yaml index dea65f44f..3915c7a00 100755 --- a/compliance/controls/azure/azure_cis_v150_8_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_5.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v150_8_5 Title: "8.5 Ensure the key vault is recoverable" Description: "The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the \\\"Do Not Purge\\\" and \\\"Soft Delete\\\" functions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = kv.subscription_id; PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_8_6.yaml b/compliance/controls/azure/azure_cis_v150_8_6.yaml index c85513fa1..7fb4b7dc1 100755 --- a/compliance/controls/azure/azure_cis_v150_8_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_8_6 Title: "8.6 Enable Role Based Access Control for Azure Key Vault" Description: "Role assignments disappear when a Key Vault has been deleted (soft- delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = kv.subscription_id; PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_8_8.yaml b/compliance/controls/azure/azure_cis_v150_8_8.yaml index 0da9b2a14..e8c72a09b 100755 
--- a/compliance/controls/azure/azure_cis_v150_8_8.yaml +++ b/compliance/controls/azure/azure_cis_v150_8_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_8_8 Title: "8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services" Description: "Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_9_1.yaml b/compliance/controls/azure/azure_cis_v150_9_1.yaml index cfcabd22c..493729a3a 100755 --- a/compliance/controls/azure/azure_cis_v150_9_1.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_9_1 Title: "9.1 Ensure App Service Authentication is set up for apps in Azure App Service" Description: "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v150_9_11.yaml b/compliance/controls/azure/azure_cis_v150_9_11.yaml index 3dae515bd..6db7633c3 100755 --- a/compliance/controls/azure/azure_cis_v150_9_11.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_11.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_9_11 Title: "9.11 Ensure Azure Keyvaults are used to store secrets" Description: "Encryption keys, Certificate thumbprints and Managed Identity Credentials can be coded into the APP service, this renders them visible as part of the configuration, to maintain security of these keys it is better to store in an Azure Keyvault and reference them from the Keyvault." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_9_2.yaml b/compliance/controls/azure/azure_cis_v150_9_2.yaml index a80f3a101..3e0544523 100755 --- a/compliance/controls/azure/azure_cis_v150_9_2.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_9_2 Title: "9.2 Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service" Description: "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v150_9_4.yaml b/compliance/controls/azure/azure_cis_v150_9_4.yaml index a7d6dc120..8c68c1d3d 100755 --- a/compliance/controls/azure/azure_cis_v150_9_4.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_9_4 Title: "9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'" Description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_9_5.yaml b/compliance/controls/azure/azure_cis_v150_9_5.yaml index 9b131aff0..01dbdd451 100755 --- a/compliance/controls/azure/azure_cis_v150_9_5.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_9_5 Title: "9.5 Ensure that Register with Azure Active Directory is enabled on App Service" Description: "Managed service identity in App Service makes the app more secure by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in the app service, the app will connect to other Azure services securely without the need of username and passwords." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_9_6.yaml b/compliance/controls/azure/azure_cis_v150_9_6.yaml index f738e49c0..12be606a5 100755 --- a/compliance/controls/azure/azure_cis_v150_9_6.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_9_6 Title: "9.6 Ensure that 'PHP version' is the latest, if used to run the web app" Description: "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_9_7.yaml b/compliance/controls/azure/azure_cis_v150_9_7.yaml index b27d456a0..d96f230b7 100755 --- a/compliance/controls/azure/azure_cis_v150_9_7.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_9_7 Title: "9.7 Ensure that 'Python version' is the latest stable version, if used to run the web app" Description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_9_8.yaml b/compliance/controls/azure/azure_cis_v150_9_8.yaml index 093ebfb1f..8d768c087 100755 --- a/compliance/controls/azure/azure_cis_v150_9_8.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_9_8 Title: "9.8 Ensure that 'Java version' is the latest, if used to run the web app" Description: "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v150_9_9.yaml b/compliance/controls/azure/azure_cis_v150_9_9.yaml index ffd658dd2..0539568ed 100755 --- a/compliance/controls/azure/azure_cis_v150_9_9.yaml +++ b/compliance/controls/azure/azure_cis_v150_9_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_9_9 Title: "9.9 Ensure that 'HTTP Version' is the latest, if used to run the web app" Description: "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_10_1.yaml b/compliance/controls/azure/azure_cis_v200_10_1.yaml index 27b453739..7c328974e 100755 --- a/compliance/controls/azure/azure_cis_v200_10_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_10_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_10_1 Title: "10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources" Description: "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_10.yaml b/compliance/controls/azure/azure_cis_v200_1_10.yaml index 957b27b24..f48e230f4 100755 --- a/compliance/controls/azure/azure_cis_v200_1_10.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_10.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_10 Title: "1.10 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'" Description: "Ensure that all Global Administrators are notified if any other administrator resets their password." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v200_1_12.yaml b/compliance/controls/azure/azure_cis_v200_1_12.yaml index 2d6cbda8c..edc2bfe88 100755 --- a/compliance/controls/azure/azure_cis_v200_1_12.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_12.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_12 Title: "1.12 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'" Description: "Allow users to provide consent for selected permissions when a request is coming from a verified publisher." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_13.yaml b/compliance/controls/azure/azure_cis_v200_1_13.yaml index cc4c8ec3b..f5161d264 100755 --- a/compliance/controls/azure/azure_cis_v200_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_13.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_13 Title: "1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'" Description: "Require administrators to provide consent for the apps before use." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_14.yaml b/compliance/controls/azure/azure_cis_v200_1_14.yaml index 1923b72d2..34a07f9a7 100755 --- a/compliance/controls/azure/azure_cis_v200_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_14.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_14 Title: "1.14 Ensure That 'Users Can Register Applications' Is Set to 'No'" Description: "Require administrators or appropriately delegated users to register third-party applications." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -32,8 +30,10 @@ Query: azuread_authorization_policy as a; PrimaryTable: azuread_authorization_policy ListOfTables: - - azure_tenant - - azuread_authorization_policy + - azure_tenant + - azuread_authorization_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_15.yaml b/compliance/controls/azure/azure_cis_v200_1_15.yaml index 762e2a6cb..e9ea96c80 100755 --- a/compliance/controls/azure/azure_cis_v200_1_15.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_15.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_15 Title: "1.15 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'" Description: "Limit guest user permissions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_16.yaml b/compliance/controls/azure/azure_cis_v200_1_16.yaml index d009bd2e5..3a9abcc4c 100755 --- a/compliance/controls/azure/azure_cis_v200_1_16.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_16.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_16 Title: "1.16 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'" Description: "Restrict invitations to users with specific administrative roles only." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_17.yaml b/compliance/controls/azure/azure_cis_v200_1_17.yaml index 2b9bb71d4..37e808012 100755 --- a/compliance/controls/azure/azure_cis_v200_1_17.yaml 
+++ b/compliance/controls/azure/azure_cis_v200_1_17.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_17 Title: "1.17 Ensure That 'Restrict access to Azure AD administration portal' is Set to 'Yes'" Description: "Restrict access to the Azure AD administration portal to administrators only." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_18.yaml b/compliance/controls/azure/azure_cis_v200_1_18.yaml index f36af2946..9dfd7cdc7 100755 --- a/compliance/controls/azure/azure_cis_v200_1_18.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_18.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_18 Title: "1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'" Description: "Restricts group creation to administrators with permissions only." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_19.yaml b/compliance/controls/azure/azure_cis_v200_1_19.yaml index f86c4b1b7..4aba3bc43 100755 --- a/compliance/controls/azure/azure_cis_v200_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_19.yaml 
@@ -1,39 +1,15 @@ ID: azure_cis_v200_1_19 Title: "1.19 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'" Description: "Restrict security group creation to administrators only." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with distinct_tenant as ( - select - distinct tenant_id, - subscription_id, - _ctx - from - azure_tenant - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then 'ok' - else 'alarm' - end as status, - case - when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then a.display_name || ' does not allow user to create security groups.' - else a.display_name || ' allows user to create security groups.' - end as reason, - t.tenant_id - from - distinct_tenant as t, - azuread_authorization_policy as a; + QueryToExecute: "with distinct_tenant as (\n select\n distinct tenant_id,\n subscription_id,\n _ctx\n from\n azure_tenant\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then a.display_name || ' does not allow user to create security groups.'\n else a.display_name || ' allows user to create security groups.'\n end as reason,\n t.tenant_id \nfrom\n distinct_tenant as t,\n azuread_authorization_policy as a;" PrimaryTable: azuread_authorization_policy ListOfTables: - - azure_tenant - - azuread_authorization_policy + - azure_tenant + - azuread_authorization_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
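Review bot: The rewritten `QueryToExecute` on the added line collapses a readable `|-` block scalar into one double-quoted string with embedded `\n`, which is a style regression for a multi-line SQL value: every future change to the query shows up as a single-line diff, and the trailing blank in `t.tenant_id \n` is now frozen into the string where a reviewer cannot see it. The sibling hunk for `azure_cis_v200_2_1_20` in this same commit does the same thing and additionally bakes `\"` escapes into the SQL string literals. Keeping `QueryToExecute: |-` with the statement on indented lines (as the removed side had it) preserves the identical value and stays consistent with every other control in this diff, which still uses `|-` or `|`. If the single-line form is required by a generator, the file should say so in a comment above the key, e.g. `# generated: keep QueryToExecute as a single quoted string`.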
diff --git a/compliance/controls/azure/azure_cis_v200_1_1_1.yaml b/compliance/controls/azure/azure_cis_v200_1_1_1.yaml index a19072bc5..0de107580 100755 --- a/compliance/controls/azure/azure_cis_v200_1_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_1_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_1_1 Title: "1.1.1 Ensure Security Defaults is enabled on Azure Active Directory" Description: "Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_1_2.yaml b/compliance/controls/azure/azure_cis_v200_1_1_2.yaml index 6b52abae3..b41e86c95 100755 --- a/compliance/controls/azure/azure_cis_v200_1_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_1_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_1_2 Title: "1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users" Description: "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_1_3.yaml b/compliance/controls/azure/azure_cis_v200_1_1_3.yaml index 4749b3726..e7f09fd35 100755 --- a/compliance/controls/azure/azure_cis_v200_1_1_3.yaml 
+++ b/compliance/controls/azure/azure_cis_v200_1_1_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_1_3 Title: "1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users" Description: "Enable multi-factor authentication for all non-privileged users." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_1_4.yaml b/compliance/controls/azure/azure_cis_v200_1_1_4.yaml index 78667c5ff..4172afcfd 100755 --- a/compliance/controls/azure/azure_cis_v200_1_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_1_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_1_4 Title: "1.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled" Description: "Do not allow users to remember multi-factor authentication on devices." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_20.yaml b/compliance/controls/azure/azure_cis_v200_1_20.yaml index 9c22aceb4..342b66c6d 100755 --- a/compliance/controls/azure/azure_cis_v200_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_20.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_20 Title: "1.20 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'" Description: "Restrict security group management to administrators only." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v200_1_21.yaml b/compliance/controls/azure/azure_cis_v200_1_21.yaml index adca91f69..e2b5bea45 100755 --- a/compliance/controls/azure/azure_cis_v200_1_21.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_21.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_21 Title: "1.21 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'" Description: "Restrict Microsoft 365 group creation to administrators only." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_22.yaml b/compliance/controls/azure/azure_cis_v200_1_22.yaml index 66410cff2..b03101f65 100755 --- a/compliance/controls/azure/azure_cis_v200_1_22.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_22.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_22 Title: "1.22 Ensure that 'Require Multi-Factor Authentication to register or join devices with Azure AD' is set to 'Yes'" Description: "Joining or registering devices to the active directory should require Multi-factor authentication." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_23.yaml b/compliance/controls/azure/azure_cis_v200_1_23.yaml index 63396220a..fb4b85ecc 100755 --- a/compliance/controls/azure/azure_cis_v200_1_23.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_23.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_1_23 Title: "1.23 Ensure That No Custom Subscription Administrator Roles Exist" Description: "The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -46,8 +44,10 @@ Query: sub.display_name; PrimaryTable: azure_role_definition ListOfTables: - - azure_role_definition - - azure_subscription + - azure_role_definition + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_24.yaml b/compliance/controls/azure/azure_cis_v200_1_24.yaml index 984c3b9a2..23a5e11e8 100755 --- a/compliance/controls/azure/azure_cis_v200_1_24.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_24.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_24 Title: "1.24 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks" Description: "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_25.yaml b/compliance/controls/azure/azure_cis_v200_1_25.yaml index bd51648fb..c8d0496e3 100755 --- a/compliance/controls/azure/azure_cis_v200_1_25.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_25.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_1_25 Title: "1.25 Ensure That 'Subscription Entering AAD Directory' and 'Subscription Leaving AAD Directory' Is Set To 'Permit No One'" Description: "Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_2_1.yaml b/compliance/controls/azure/azure_cis_v200_1_2_1.yaml index d4ba8402a..20b460a44 100755 --- a/compliance/controls/azure/azure_cis_v200_1_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_2_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_2_1 Title: "1.2.1 Ensure Trusted Locations Are Defined" Description: "Azure Active Directory Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_2_2.yaml b/compliance/controls/azure/azure_cis_v200_1_2_2.yaml index 2ac255eca..7e8b5557f 100755 --- a/compliance/controls/azure/azure_cis_v200_1_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_2_2.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_1_2_2 Title: "1.2.2 Ensure that an exclusionary Geographic Access Policy is considered" Description: "Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_2_3.yaml b/compliance/controls/azure/azure_cis_v200_1_2_3.yaml index 37f25d4ad..3e19fd344 100755 --- a/compliance/controls/azure/azure_cis_v200_1_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_2_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_2_3 Title: "1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups" Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_2_4.yaml b/compliance/controls/azure/azure_cis_v200_1_2_4.yaml index cb3262c87..03f3b5fac 100755 --- a/compliance/controls/azure/azure_cis_v200_1_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_2_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_2_4 Title: "1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users" Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_2_5.yaml b/compliance/controls/azure/azure_cis_v200_1_2_5.yaml index 9b1fbd1e6..5298d1bb9 100755 --- a/compliance/controls/azure/azure_cis_v200_1_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_2_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_2_5 Title: "1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins" Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_2_6.yaml b/compliance/controls/azure/azure_cis_v200_1_2_6.yaml index 0d40bb313..1b32fede0 100755 --- a/compliance/controls/azure/azure_cis_v200_1_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_2_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_2_6 Title: "1.2.6 Ensure Multi-factor Authentication is Required for Azure Management" Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -32,8 +30,10 @@ Query: azuread_conditional_access_policy as p; PrimaryTable: azuread_conditional_access_policy ListOfTables: - - azure_tenant - - azuread_conditional_access_policy + - azure_tenant + - azuread_conditional_access_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_3.yaml b/compliance/controls/azure/azure_cis_v200_1_3.yaml index 6fe196e0c..b26d07a51 100755 --- a/compliance/controls/azure/azure_cis_v200_1_3.yaml 
+++ b/compliance/controls/azure/azure_cis_v200_1_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_3 Title: "1.3 Ensure that 'Users can create Azure AD Tenants' is set to 'No'" Description: "Require administrators or appropriately delegated users to create new tenants." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_4.yaml b/compliance/controls/azure/azure_cis_v200_1_4.yaml index 4bf51e633..e7af67250 100755 --- a/compliance/controls/azure/azure_cis_v200_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_4 Title: "1.4 Ensure Access Review is Set Up for External Users in Azure AD Privileged Identity Management" Description: "This recommendation extends guest access review by utilizing the Azure AD Privileged Identity Management feature provided in Azure AD Premium P2. Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_5.yaml b/compliance/controls/azure/azure_cis_v200_1_5.yaml index a464dde73..3b0214295 100755 --- a/compliance/controls/azure/azure_cis_v200_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_5.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_1_5 Title: "1.5 Ensure Guest Users Are Reviewed on a Regular Basis" Description: "Azure AD is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -35,8 +33,10 @@ Query: u.user_type = 'Guest'; PrimaryTable: azuread_user ListOfTables: - - azure_tenant - - azuread_user + - azure_tenant + - azuread_user Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_6.yaml b/compliance/controls/azure/azure_cis_v200_1_6.yaml index 8fb75eb71..7e4518223 100755 --- a/compliance/controls/azure/azure_cis_v200_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_6 Title: "1.6 Ensure That 'Number of methods required to reset' is set to '2'" Description: "Ensures that two alternate forms of identification are provided before allowing a password reset." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v200_1_7.yaml b/compliance/controls/azure/azure_cis_v200_1_7.yaml index b357f660c..bf600b790 100755 --- a/compliance/controls/azure/azure_cis_v200_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_7 Title: "1.7 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization" Description: "Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_1_8.yaml b/compliance/controls/azure/azure_cis_v200_1_8.yaml index 4484deea1..6178994bf 100755 --- a/compliance/controls/azure/azure_cis_v200_1_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_8 Title: "1.8 Ensure that 'Number of days before users are asked to re- confirm their authentication information' is not set to '0'" Description: "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v200_1_9.yaml b/compliance/controls/azure/azure_cis_v200_1_9.yaml index c70f856a7..5211eedda 100755 --- a/compliance/controls/azure/azure_cis_v200_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v200_1_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_1_9 Title: "1.9 Ensure that 'Notify users on password resets?' is set to 'Yes'" Description: "Ensure that users are notified on their primary and secondary emails on password resets." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_1.yaml b/compliance/controls/azure/azure_cis_v200_2_1_1.yaml index 57fc8d8db..9d9ca5f82 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_1 Title: "2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'" Description: "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'VirtualMachines'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_11.yaml b/compliance/controls/azure/azure_cis_v200_2_1_11.yaml index 7cef716f3..661a61eb3 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_11.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_11.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_11 Title: "2.1.11 Ensure That Microsoft Defender for DNS Is Set To 'On'" Description: "Microsoft Defender for DNS scans all network traffic exiting from within a subscription." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'Dns'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_12.yaml b/compliance/controls/azure/azure_cis_v200_2_1_12.yaml index 5b9bb28e7..04dee9a36 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_12.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_12.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_12 Title: "2.1.12 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'" Description: "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_13.yaml b/compliance/controls/azure/azure_cis_v200_2_1_13.yaml index 21f4e7773..04ac40aa9 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_13.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_13 Title: "2.1.13 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'" Description: "Ensure that the latest OS patches for all virtual machines are applied." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_14.yaml b/compliance/controls/azure/azure_cis_v200_2_1_14.yaml index 5cd7a70b5..66e20b120 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_14.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_14 Title: "2.1.14 Ensure Any of the ASC Default Policy Settings are Not Set to 'Disabled'" Description: "None of the settings offered by ASC Default policy should be set to effect Disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -45,8 +43,10 @@ Query: sub.og_resource_id; PrimaryTable: azure_policy_assignment ListOfTables: - - azure_policy_assignment - - azure_subscription + - azure_policy_assignment + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_15.yaml b/compliance/controls/azure/azure_cis_v200_2_1_15.yaml index d71cb258b..4f3d9c73f 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_15.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_15.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_15 Title: "2.1.15 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'" Description: "Enable automatic provisioning of the monitoring agent to collect security data." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: right join azure_subscription sub on sc_prov.subscription_id = sub.subscription_id; PrimaryTable: azure_security_center_auto_provisioning ListOfTables: - - azure_security_center_auto_provisioning - - azure_subscription + - azure_security_center_auto_provisioning + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_16.yaml b/compliance/controls/azure/azure_cis_v200_2_1_16.yaml index 49158b32a..ae47f2ad9 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_16.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_16.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_16 Title: "2.1.16 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'" Description: "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_17.yaml b/compliance/controls/azure/azure_cis_v200_2_1_17.yaml index ab4ec8267..049ef6c0f 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_17.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_17.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_17 Title: "2.1.17 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'" Description: "Enable automatic provisioning of the Microsoft Defender for Containers components." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_18.yaml b/compliance/controls/azure/azure_cis_v200_2_1_18.yaml index eba13b705..0dd9b57a0 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_18.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_18.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_18 Title: "2.1.18 Ensure That 'All users with the following roles' is set to 'Owner'" Description: "Enable security alert emails to subscription owners." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -33,8 +31,10 @@ Query: left join contact_info ci on sub.subscription_id = ci.subscription_id; PrimaryTable: azure_subscription ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_19.yaml b/compliance/controls/azure/azure_cis_v200_2_1_19.yaml index 260e4267e..25a126075 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_19.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_19 Title: "2.1.19 Ensure 'Additional email addresses' is Configured with a Security Contact Email" Description: "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,8 +35,10 @@ Query: left join contact_info ci on sub.subscription_id = ci.subscription_id; PrimaryTable: azure_subscription ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_2.yaml b/compliance/controls/azure/azure_cis_v200_2_1_2.yaml index ed44b5b5b..f5f81946a 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_2.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_2 Title: "2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'" Description: "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'AppServices'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_20.yaml b/compliance/controls/azure/azure_cis_v200_2_1_20.yaml index 7fe40af45..8020b387c 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_20.yaml 
@@ -1,42 +1,15 @@ ID: azure_cis_v200_2_1_20 Title: "2.1.20 Ensure That 'Notify about alerts with the following severity' is Set to 'High'" Description: "Enables emailing security alerts to the subscription owner or other designated security contact." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with contact_info as ( - select - count(*) filter (where alert_notifications = 'On') as notification_alert_count, - subscription_id - from - azure_security_center_contact - group by - subscription_id - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when notification_alert_count > 0 then 'ok' - else 'alarm' - end as status, - case - when notification_alert_count > 0 then '"Notify about alerts with the following severity" set to High.' - else '"Notify about alerts with the following severity" not set to High.' - end as reason - - - from - azure_subscription sub - left join contact_info ci on sub.subscription_id = ci.subscription_id; + QueryToExecute: "with contact_info as (\n select\n count(*) filter (where alert_notifications = 'On') as notification_alert_count,\n subscription_id\n from\n azure_security_center_contact\n group by\n subscription_id\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when notification_alert_count > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when notification_alert_count > 0 then '\"Notify about alerts with the following severity\" set to High.'\n else '\"Notify about alerts with the following severity\" not set to High.'\n end as reason\n \n \nfrom\n azure_subscription sub\n left join contact_info ci on sub.subscription_id = ci.subscription_id;" PrimaryTable: azure_subscription ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] 
Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_21.yaml b/compliance/controls/azure/azure_cis_v200_2_1_21.yaml index 219d2e3b2..441321bb6 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_21.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_21.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_21 Title: "2.1.21 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected" Description: "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'MCAS'; PrimaryTable: azure_security_center_setting ListOfTables: - - azure_security_center_setting - - azure_subscription + - azure_security_center_setting + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_22.yaml b/compliance/controls/azure/azure_cis_v200_2_1_22.yaml index 1b7662630..64ba9a20d 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_22.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_22.yaml 
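Review bot: The rewritten QueryToExecute keeps `limit 1` inside the contact_info CTE, so at most one subscription ever receives a notification_alert_count and every other subscription in the tenant falls into the `else 'alarm'` branch regardless of its real contact settings; removing the `limit 1` line lets the per-subscription `group by` do its job. The query also only tests `alert_notifications = 'On'` and never looks at the alert severity that the title and the reason strings claim to verify, so an 'ok' overstates what was checked; a comment such as `-- NOTE: only verifies that alert notifications are on; the 'High' severity threshold is not evaluated` would at least make that visible to whoever consumes the finding. Separately, the `|-` block scalar was serialized into a double-quoted string with embedded `\n` and `\n \n` (the blank lines inside the SQL carry trailing spaces, which the dumper cannot keep in block style); stripping that whitespace and restoring `QueryToExecute: |-` keeps the SQL readable in review. The same serializer fallback appears in the azure_cis_v200_2_1_22, azure_cis_v200_2_1_8 and azure_cis_v200_4_4_1 hunks.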
@@ -1,33 +1,15 @@ ID: azure_cis_v200_2_1_22 Title: "2.1.22 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected" Description: "This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - sc_sett.id as resource, - sc_sett.og_account_id as og_account_id, - sc_sett.og_resource_id as og_resource_id, - case - when enabled then 'ok' - else 'alarm' - end as status, - case - when enabled then 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' - else 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' - end as reason - - from - azure_security_center_setting sc_sett - right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id - where - name = 'WDATP'; + QueryToExecute: "select\n sc_sett.id as resource,\n sc_sett.og_account_id as og_account_id,\n sc_sett.og_resource_id as og_resource_id,\n case\n when enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when enabled then 'Microsoft Cloud App Security (MCAS) integrated with Security Center.'\n else 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.'\n end as reason\n \nfrom\n azure_security_center_setting sc_sett\n right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id\nwhere\n name = 'WDATP';" PrimaryTable: azure_security_center_setting ListOfTables: - - azure_security_center_setting - - azure_subscription + - azure_security_center_setting + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_3.yaml b/compliance/controls/azure/azure_cis_v200_2_1_3.yaml index 3729ea447..985171ed8 100755 
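Review bot: The reason strings in the rewritten QueryToExecute still read 'Microsoft Cloud App Security (MCAS) integrated/not integrated with Security Center.' although the filter is `name = 'WDATP'` and the control is 2.1.22, Defender for Endpoint, so every finding for this control is labelled with the wrong product; change the two lines to `when enabled then 'Microsoft Defender for Endpoint (WDATP) integrated with Security Center.'` and `else 'Microsoft Defender for Endpoint (WDATP) not integrated with Security Center.'`. Also, `where name = 'WDATP'` is applied after the `right join azure_subscription`, so a subscription with no WDATP setting row gets a NULL name and is filtered out entirely instead of surfacing as 'alarm'; moving the predicate into the join's `on` clause would keep those subscriptions in the result, and the same pattern is in the azure_cis_v200_2_1_8 hunk. Whether a missing setting row should count as non-compliant is a policy decision, but silently dropping it hides the gap from the report.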
--- a/compliance/controls/azure/azure_cis_v200_2_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_3 Title: "2.1.3 Ensure That Microsoft Defender for Databases Is Set To 'On'" Description: "Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -44,8 +42,10 @@ Query: left join defender_list as l on l.subscription_id = sub.subscription_id; PrimaryTable: azure_subscription ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_4.yaml b/compliance/controls/azure/azure_cis_v200_2_1_4.yaml index f9c67fe07..59fcaff56 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_4 Title: "2.1.4 Ensure That Microsoft Defender for Azure SQL Databases Is Set To 'On'" Description: "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: name = 'SqlServers'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_5.yaml b/compliance/controls/azure/azure_cis_v200_2_1_5.yaml index becb33a5c..49aa2ef43 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_5 Title: "2.1.5 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'" Description: "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'SqlServerVirtualMachines'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_6.yaml b/compliance/controls/azure/azure_cis_v200_2_1_6.yaml index da381c115..6506cb645 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_6.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_6 Title: "2.1.6 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'" Description: "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'OpenSourceRelationalDatabases'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_7.yaml b/compliance/controls/azure/azure_cis_v200_2_1_7.yaml index fd8eb3a33..66e85915a 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_7 Title: "2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'" Description: "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'StorageAccounts'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_1_8.yaml b/compliance/controls/azure/azure_cis_v200_2_1_8.yaml index 74c7afad0..a7dc4a191 100755 
--- a/compliance/controls/azure/azure_cis_v200_2_1_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_8.yaml @@ -1,34 +1,15 @@ ID: azure_cis_v200_2_1_8 Title: "2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'" Description: "Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - sub_pricing.id as resource, - sub_pricing.og_account_id as og_account_id, - sub_pricing.og_resource_id as og_resource_id, - case - when pricing_tier = 'Standard' then 'ok' - else 'alarm' - end as status, - case - when pricing_tier = 'Standard' then 'Azure Defender on for Container Registry.' - else 'Azure Defender off for Container Registry.' - end as reason - - - from - azure_security_center_subscription_pricing sub_pricing - right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id - where - name = 'ContainerRegistry'; + QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Container Registry.'\n else 'Azure Defender off for Container Registry.'\n end as reason\n \n \nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'ContainerRegistry';" PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
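Review bot: The rewritten query filters on the `ContainerRegistry` pricing plan and its reason strings say 'Azure Defender on/off for Container Registry', while the control is 2.1.8 'Microsoft Defender for Containers'; if the tenant exposes the consolidated Containers plan that superseded the registry-only plan, this check evaluates a row that may no longer reflect the control's intent, so confirm which plan name the azure_security_center_subscription_pricing rows actually carry and align the `name = ...` predicate and the reason text with it. The reason text at minimum should name Containers rather than Container Registry so the finding matches the control it is reported under, e.g. `when pricing_tier = 'Standard' then 'Azure Defender on for Containers.'` and `else 'Azure Defender off for Containers.'`.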
diff --git a/compliance/controls/azure/azure_cis_v200_2_1_9.yaml b/compliance/controls/azure/azure_cis_v200_2_1_9.yaml index f3d4760cb..3b961afd7 100755 --- a/compliance/controls/azure/azure_cis_v200_2_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_1_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_1_9 Title: "2.1.9 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'" Description: "Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'CosmosDbs'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_2_2_1.yaml b/compliance/controls/azure/azure_cis_v200_2_2_1.yaml index 10e9d330a..e6731cecc 100755 --- a/compliance/controls/azure/azure_cis_v200_2_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_2_2_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_2_2_1 Title: "2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'" Description: "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_1.yaml b/compliance/controls/azure/azure_cis_v200_3_1.yaml index 5f642eb3e..cd3cda3e8 100755 --- a/compliance/controls/azure/azure_cis_v200_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_1.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_3_1 Title: "3.1 Ensure that 'Secure transfer required' is set to 'Enabled'" Description: "Enable data encryption in transit." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_10.yaml b/compliance/controls/azure/azure_cis_v200_3_10.yaml index 74782005d..22b7dd00b 100755 --- a/compliance/controls/azure/azure_cis_v200_3_10.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_10.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_3_10 Title: "3.10 Ensure Private Endpoints are used to access Storage Accounts" Description: "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -35,8 +33,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_11.yaml b/compliance/controls/azure/azure_cis_v200_3_11.yaml index baa49a37e..286489d44 100755 --- a/compliance/controls/azure/azure_cis_v200_3_11.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_11.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_3_11 Title: "3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage" Description: "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_12.yaml b/compliance/controls/azure/azure_cis_v200_3_12.yaml index 769e27598..df4e9dc70 100755 --- a/compliance/controls/azure/azure_cis_v200_3_12.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_12.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_3_12 Title: "3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys" Description: "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_14.yaml b/compliance/controls/azure/azure_cis_v200_3_14.yaml index 8c413373f..a70bf5ced 100755 --- a/compliance/controls/azure/azure_cis_v200_3_14.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_14.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_3_14 Title: "3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests" Description: "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -31,8 +29,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_15.yaml b/compliance/controls/azure/azure_cis_v200_3_15.yaml index b749dce2d..6cc555511 100755 --- a/compliance/controls/azure/azure_cis_v200_3_15.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_15.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_3_15 Title: "3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'" Description: "In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -27,8 +25,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_2.yaml b/compliance/controls/azure/azure_cis_v200_3_2.yaml index 455023525..8f369a686 100755 --- a/compliance/controls/azure/azure_cis_v200_3_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_3_2 Title: "3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'" Description: "Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_3.yaml b/compliance/controls/azure/azure_cis_v200_3_3.yaml index b90d27a79..b39f0c311 100755 --- a/compliance/controls/azure/azure_cis_v200_3_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_3.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_3_3 Title: "3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account" Description: "Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The 'Rotation Reminder' is an automatic reminder feature for a manual procedure." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_4.yaml b/compliance/controls/azure/azure_cis_v200_3_4.yaml index 3c259e12d..68a6e1346 100755 --- a/compliance/controls/azure/azure_cis_v200_3_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_3_4 Title: "3.4 Ensure that Storage Account Access Keys are Periodically Regenerated" Description: "For increased security, regenerate storage account access keys periodically." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_5.yaml b/compliance/controls/azure/azure_cis_v200_3_5.yaml index 6c852472e..f5b287711 100755 --- a/compliance/controls/azure/azure_cis_v200_3_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_5.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_3_5 Title: "3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests" Description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -31,8 +29,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_6.yaml b/compliance/controls/azure/azure_cis_v200_3_6.yaml index f3ac9b902..6de00a5b0 100755 --- a/compliance/controls/azure/azure_cis_v200_3_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_3_6 Title: "3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour" Description: "Expire shared access signature tokens within an hour." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_8.yaml b/compliance/controls/azure/azure_cis_v200_3_8.yaml index 36e26804d..6cf8b8fa5 100755 --- a/compliance/controls/azure/azure_cis_v200_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_8.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_3_8 Title: "3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny" Description: "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_3_9.yaml b/compliance/controls/azure/azure_cis_v200_3_9.yaml index 83a3c40d1..40afcf422 100755 --- a/compliance/controls/azure/azure_cis_v200_3_9.yaml +++ b/compliance/controls/azure/azure_cis_v200_3_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_3_9 Title: "3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access" Description: "Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v200_4_1_2.yaml b/compliance/controls/azure/azure_cis_v200_4_1_2.yaml index 8d3aac041..6eeaa0420 100755 --- a/compliance/controls/azure/azure_cis_v200_4_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_1_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_4_1_2 Title: "4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)" Description: "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -29,8 +27,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_4_1_4.yaml b/compliance/controls/azure/azure_cis_v200_4_1_4.yaml index a44d60527..ed17034a9 100755 --- a/compliance/controls/azure/azure_cis_v200_4_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_1_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_4_1_4 Title: "4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers" Description: "Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_4_3_1.yaml b/compliance/controls/azure/azure_cis_v200_4_3_1.yaml index 41eaeb0bd..f6e1b7282 100755 --- a/compliance/controls/azure/azure_cis_v200_4_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_3_1.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_4_3_1 Title: "4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server" Description: "Enable SSL connection on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_4_3_5.yaml b/compliance/controls/azure/azure_cis_v200_4_3_5.yaml index b0f066579..55ad57445 100755 --- a/compliance/controls/azure/azure_cis_v200_4_3_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_3_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_4_3_5 Title: "4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server" Description: "Enable connection_throttling on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: and sub.subscription_id = s.subscription_id; PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_4_3_7.yaml b/compliance/controls/azure/azure_cis_v200_4_3_7.yaml index 32f2c12d8..3d3dd01ff 100755 --- a/compliance/controls/azure/azure_cis_v200_4_3_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_3_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_4_3_7 Title: "4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled" Description: "Disable access from Azure services to PostgreSQL Database Server." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -36,8 +34,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_4_3_8.yaml b/compliance/controls/azure/azure_cis_v200_4_3_8.yaml index f7c727587..5168789c2 100755 --- a/compliance/controls/azure/azure_cis_v200_4_3_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_3_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_4_3_8 Title: "4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'" Description: "Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_4_4_1.yaml b/compliance/controls/azure/azure_cis_v200_4_4_1.yaml index f704d2129..4a226123a 100755 --- a/compliance/controls/azure/azure_cis_v200_4_4_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_4_1.yaml 
@@ -1,33 +1,15 @@
 ID: azure_cis_v200_4_4_1
 Title: "4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server"
 Description: "Enable SSL connection on MySQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when ssl_enforcement = 'Disabled' then 'alarm'
- else 'ok'
- end as status,
- case
- when ssl_enforcement = 'Disabled' then s.name || ' SSL connection disabled.'
- else s.name || ' SSL connection enabled.'
- end as reason
-
- from
- azure_mysql_server as s,
- azure_subscription as sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when ssl_enforcement = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when ssl_enforcement = 'Disabled' then s.name || ' SSL connection disabled.'\n else s.name || ' SSL connection enabled.'\n end as reason\n \nfrom\n azure_mysql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;"
 PrimaryTable: azure_mysql_server
 ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_4_4_2.yaml b/compliance/controls/azure/azure_cis_v200_4_4_2.yaml
index 2e1d99928..2613c829f 100755
--- a/compliance/controls/azure/azure_cis_v200_4_4_2.yaml
+++ b/compliance/controls/azure/azure_cis_v200_4_4_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_4_4_2
 Title: "4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server"
 Description: "Ensure TLS version on MySQL flexible servers is set to the default value."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
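Review bot: The rewritten `QueryToExecute` for 4.4.1 fails open on a missing value: `case when ssl_enforcement = 'Disabled' then 'alarm' else 'ok'` returns `ok` when `ssl_enforcement` is NULL, so a server whose property was not collected is reported as enforcing SSL. The guard should be `when ssl_enforcement is null or ssl_enforcement = 'Disabled' then 'alarm'` (and the reason branch likewise), so an unknown state is flagged rather than passed. Separately, collapsing the block scalar into a double-quoted string full of `\n` escapes makes the SQL unreadable and undiffable; the `|-` block form that the neighbouring 4.4.2 keeps is the right one, and the reformatter should be told to leave it alone.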
@@ -27,8 +25,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_mysql_server ListOfTables: - - azure_mysql_server - - azure_subscription + - azure_mysql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_4_5_1.yaml b/compliance/controls/azure/azure_cis_v200_4_5_1.yaml index 5b902090f..734cdd975 100755 --- a/compliance/controls/azure/azure_cis_v200_4_5_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_5_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_4_5_1 Title: "4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks" Description: "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_cosmosdb_account ListOfTables: - - azure_cosmosdb_account - - azure_subscription + - azure_cosmosdb_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_4_5_2.yaml b/compliance/controls/azure/azure_cis_v200_4_5_2.yaml index 4b68c7278..6f51b0992 100755 --- a/compliance/controls/azure/azure_cis_v200_4_5_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_5_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_4_5_2 Title: "4.5.2 Ensure That Private Endpoints Are Used Where Possible" Description: "Private endpoints limit network traffic to approved sources." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -35,8 +33,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_cosmosdb_account ListOfTables: - - azure_cosmosdb_account - - azure_subscription + - azure_cosmosdb_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_4_5_3.yaml b/compliance/controls/azure/azure_cis_v200_4_5_3.yaml index eb5305dd7..ccfd0f677 100755 --- a/compliance/controls/azure/azure_cis_v200_4_5_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_4_5_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_4_5_3 Title: "4.5.3 Use Azure Active Directory (AAD) Client Authentication and Azure RBAC where possible" Description: "Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_1_1.yaml b/compliance/controls/azure/azure_cis_v200_5_1_1.yaml index 1d3175f3d..d83a0f549 100755 --- a/compliance/controls/azure/azure_cis_v200_5_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_1_1 Title: "5.1.1 Ensure that a 'Diagnostic Setting' exists" Description: "Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_1_2.yaml b/compliance/controls/azure/azure_cis_v200_5_1_2.yaml index 09edda05f..9148b3860 100755 --- a/compliance/controls/azure/azure_cis_v200_5_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_1_2 Title: "5.1.2 Ensure Diagnostic Setting captures appropriate categories" Description: "A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -55,8 +53,10 @@ Query: sub.subscription_id = sett.subscription_id; PrimaryTable: azure_diagnostic_setting ListOfTables: - - azure_diagnostic_setting - - azure_subscription + - azure_diagnostic_setting + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_1_3.yaml b/compliance/controls/azure/azure_cis_v200_5_1_3.yaml index 97536a33b..5ec2db155 100755 --- a/compliance/controls/azure/azure_cis_v200_5_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_1_3 Title: "5.1.3 Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible" Description: "The storage account container containing the activity log export should not be publicly accessible." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -27,8 +25,10 @@ Query: and sub.subscription_id = sc.subscription_id; PrimaryTable: azure_storage_container ListOfTables: - - azure_storage_container - - azure_subscription + - azure_storage_container + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_1_5.yaml b/compliance/controls/azure/azure_cis_v200_5_1_5.yaml index 4bfa75f22..e97f236b8 100755 --- a/compliance/controls/azure/azure_cis_v200_5_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_1_5 Title: "5.1.5 Ensure that logging for Azure Key Vault is 'Enabled'" Description: "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -42,8 +40,10 @@ Query: sub.subscription_id = v.subscription_id; PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_1_6.yaml b/compliance/controls/azure/azure_cis_v200_5_1_6.yaml index e7d5ad3ab..e42b6ccd6 100755 --- a/compliance/controls/azure/azure_cis_v200_5_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_1_6 Title: "5.1.6 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics" Description: "Ensure that network flow logs are captured and fed into a central log analytics workspace." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v200_5_1_7.yaml b/compliance/controls/azure/azure_cis_v200_5_1_7.yaml index d2c83c537..048552dee 100755 --- a/compliance/controls/azure/azure_cis_v200_5_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_1_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_1_7 Title: "5.1.7 Ensure that logging for Azure AppService 'HTTP logs' is enabled" Description: "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_2_1.yaml b/compliance/controls/azure/azure_cis_v200_5_2_1.yaml index 47495af7c..c7a6835d8 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_2_1 Title: "5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment" Description: "Create an activity log alert for the Create Policy Assignment event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -50,8 +48,10 @@ Query: a.og_resource_id; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_2_10.yaml b/compliance/controls/azure/azure_cis_v200_5_2_10.yaml index 12c2058f7..011b7a8c8 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_10.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_10.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_5_2_10 Title: "5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule" Description: "Create an activity log alert for the Delete Public IP Address rule." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -57,8 +55,10 @@ Query: sub.og_resource_id; PrimaryTable: azure_subscription ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_2_2.yaml b/compliance/controls/azure/azure_cis_v200_5_2_2.yaml index a724d2f1c..21703bd8d 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_2_2 Title: "5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment" Description: "Create an activity log alert for the Delete Policy Assignment event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: sub.og_resource_id; PrimaryTable: azure_subscription ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_2_3.yaml b/compliance/controls/azure/azure_cis_v200_5_2_3.yaml index 6c7c053bb..809d899bc 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_2_3 Title: "5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group" Description: "Create an Activity Log Alert for the Create or Update Network Security Group event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -57,8 +55,10 @@ Query: sub.og_resource_id; PrimaryTable: azure_subscription ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_2_4.yaml b/compliance/controls/azure/azure_cis_v200_5_2_4.yaml index 1002fd384..13d561737 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_2_4 Title: "5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group" Description: "Create an activity log alert for the Delete Network Security Group event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,7 +45,7 @@ Query: when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Network Security Group event.' else 'Activity log alert does not exists for delete Network Security Group event.' end as reason - + from azure_subscription sub left join alert_rule a on sub.subscription_id = a.subscription_id @@ -59,8 +57,10 @@ Query: sub.og_resource_id; PrimaryTable: azure_subscription ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_2_5.yaml b/compliance/controls/azure/azure_cis_v200_5_2_5.yaml index adf086ec2..23f598ffa 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_2_5 Title: "5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution" Description: "Create an activity log alert for the Create or Update Security Solution event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -57,8 +55,10 @@ Query: sub.og_resource_id; PrimaryTable: azure_subscription ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_2_6.yaml b/compliance/controls/azure/azure_cis_v200_5_2_6.yaml index 68a5ea072..7b5909a03 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_6.yaml 
@@ -1,66 +1,15 @@
 ID: azure_cis_v200_5_2_6
 Title: "5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution"
 Description: "Create an activity log alert for the Delete Security Solution event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with alert_rule as (
- select
- alert.id as alert_id,
- alert.name as alert_name,
- alert.enabled,
- alert.location,
- alert.subscription_id
- from
- azure_log_alert as alert,
- jsonb_array_elements_text(scopes) as sc
- where
- alert.location = 'global'
- and alert.enabled
- and sc = '/subscriptions/' || alert.subscription_id
- and (
- (
- alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/delete"}]'
- )
- or
- (
- alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]'
- and jsonb_array_length(alert.condition -> 'allOf') = 2
- )
- )
- limit 1
- )
- select
- sub.subscription_id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when count(a.subscription_id) > 0 then 'ok'
- else 'alarm'
- end as status,
- case
- when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Security Solution event.'
- else 'Activity log alert does not exists for delete Security Solution event.'
- end as reason
-
-
- from
- azure_subscription sub
- left join alert_rule a on sub.subscription_id = a.subscription_id
- group by
- sub._ctx,
- sub.subscription_id,
- sub.display_name,
- sub.og_account_id,
- sub.og_resource_id;
+ QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Security\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Security/securitySolutions/delete\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Security\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.security/securitysolutions\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Security Solution event.'\n else 'Activity log alert does not exists for delete Security Solution event.'\n end as reason\n \n \nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub._ctx,\n sub.subscription_id,\n sub.display_name,\n sub.og_account_id,\n sub.og_resource_id;"
 PrimaryTable: azure_subscription
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
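Review bot: The `limit 1` closing the `alert_rule` CTE in the new `QueryToExecute` caps the whole CTE at a single row, not one row per subscription, so when the control is evaluated across several subscriptions at most one of them can join a matching alert and every other subscription that does have the alert is reported `alarm`. It looks intended to collapse the duplicate rows that `jsonb_array_elements_text(scopes)` produces; `select distinct alert.subscription_id` in the CTE (dropping the unused id/name/enabled/location columns and the `limit 1`) does that per subscription without the cap. The sibling 5.2.x controls appear to share this CTE shape but their bodies are outside this hunk, so they presumably need the same check. Rewriting the block scalar as a `\n`-escaped double-quoted string also hides exactly this kind of defect from review; keep `|-` as the rest of the change does.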
diff --git a/compliance/controls/azure/azure_cis_v200_5_2_7.yaml b/compliance/controls/azure/azure_cis_v200_5_2_7.yaml index 5a1bb850e..eab82e944 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_2_7 Title: "5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule" Description: "Create an activity log alert for the Create or Update SQL Server Firewall Rule event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -58,8 +56,10 @@ Query: sub.og_resource_id; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_2_8.yaml b/compliance/controls/azure/azure_cis_v200_5_2_8.yaml index 1a664e860..c8b69f58c 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_8.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_5_2_8 Title: "5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule" Description: "Create an activity log alert for the 'Delete SQL Server Firewall Rule.'" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -56,8 +54,10 @@ Query: sub.og_resource_id; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_2_9.yaml b/compliance/controls/azure/azure_cis_v200_5_2_9.yaml index f5777e20e..334c103f3 100755 --- a/compliance/controls/azure/azure_cis_v200_5_2_9.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_2_9.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_5_2_9 Title: "5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule" Description: "Create an activity log alert for the Create or Update Public IP Addresses rule." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -58,8 +56,10 @@ Query: sub.og_resource_id; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_5_3_1.yaml b/compliance/controls/azure/azure_cis_v200_5_3_1.yaml index 935e84f7d..9e58e6ee8 100755 --- a/compliance/controls/azure/azure_cis_v200_5_3_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_5_3_1.yaml 
@@ -1,41 +1,15 @@
 ID: azure_cis_v200_5_3_1
 Title: "5.3.1 Ensure Application Insights are Configured"
 Description: "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with application_insights as (
- select
- subscription_id,
- count(*) as no_application_insight
- from
- azure_application_insight
- group by
- subscription_id
- )
- select
- sub.id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when i.subscription_id is null then 'alarm'
- else 'ok'
- end as status,
- case
- when i.subscription_id is null then sub.display_name || ' does not have application insights configured.'
- else sub.display_name || ' has ' || no_application_insight || ' application insights configured.'
- end as reason
-
-
- from
- azure_subscription as sub
- left join application_insights as i on i.subscription_id = sub.subscription_id;
+ QueryToExecute: "with application_insights as (\n select\n subscription_id,\n count(*) as no_application_insight\n from\n azure_application_insight\n group by\n subscription_id\n)\nselect\n sub.id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when i.subscription_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when i.subscription_id is null then sub.display_name || ' does not have application insights configured.'\n else sub.display_name || ' has ' || no_application_insight || ' application insights configured.'\n end as reason\n \n \nfrom\n azure_subscription as sub\n left join application_insights as i on i.subscription_id = sub.subscription_id;"
 PrimaryTable: azure_application_insight
 ListOfTables:
- - azure_application_insight
- - azure_subscription
+ - azure_application_insight
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_5_4.yaml b/compliance/controls/azure/azure_cis_v200_5_4.yaml
index 7c9f12a38..4cd462ced 100755
--- a/compliance/controls/azure/azure_cis_v200_5_4.yaml
+++ b/compliance/controls/azure/azure_cis_v200_5_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_5_4
 Title: "5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it"
 Description: "Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
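Review bot: The rewritten 5.3.1 query reports per subscription (`sub.id as resource`, `alarm` only when `i.subscription_id is null`), yet `PrimaryTable` still names `azure_application_insight`; a subscription with no Application Insights resources — the one case that alarms — has no row in that table, so if `PrimaryTable` scopes which resources the engine evaluates, the alarm can never fire. The convention in this change is not uniform (5.2.2–5.2.6 use `PrimaryTable: azure_subscription` for the same subscription-keyed shape, 7.1 keeps the resource table), so confirm what the engine does with the field and, unless it is purely informational, set `PrimaryTable: azure_subscription` here. The `\n`-escaped double-quoted scalar should also stay a `|-` block as in the neighbouring controls, so the SQL remains reviewable.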
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_6_1.yaml b/compliance/controls/azure/azure_cis_v200_6_1.yaml index a1c2ee4cc..3f33609f7 100755 --- a/compliance/controls/azure/azure_cis_v200_6_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_6_1 Title: "6.1 Ensure that RDP access from the Internet is evaluated and restricted" Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -47,8 +45,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_6_2.yaml b/compliance/controls/azure/azure_cis_v200_6_2.yaml index 6211810df..7488b8146 100755 --- a/compliance/controls/azure/azure_cis_v200_6_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_6_2 Title: "6.2 Ensure that SSH access from the Internet is evaluated and restricted" Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -47,8 +45,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_6_3.yaml b/compliance/controls/azure/azure_cis_v200_6_3.yaml index 964c8be68..e89ddec3a 100755 --- a/compliance/controls/azure/azure_cis_v200_6_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_6_3 Title: "6.3 Ensure that UDP access from the Internet is evaluated and restricted" Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -52,8 +50,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_6_4.yaml b/compliance/controls/azure/azure_cis_v200_6_4.yaml index dddf15516..65ea63d9d 100755 --- a/compliance/controls/azure/azure_cis_v200_6_4.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_4.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_6_4 Title: "6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted" Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -61,8 +59,10 @@ Query: join azure_subscription sub on sub.subscription_id = sg.subscription_id; PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_6_7.yaml b/compliance/controls/azure/azure_cis_v200_6_7.yaml index e0836b5fe..1da48ad78 100755 --- a/compliance/controls/azure/azure_cis_v200_6_7.yaml +++ b/compliance/controls/azure/azure_cis_v200_6_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_6_7 Title: "6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis" Description: "Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_7_1.yaml b/compliance/controls/azure/azure_cis_v200_7_1.yaml index 167debb46..c64ebd61a 100755 --- a/compliance/controls/azure/azure_cis_v200_7_1.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_1.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v200_7_1 Title: "7.1 Ensure an Azure Bastion Host Exists" Description: "The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -38,8 +36,10 @@ Query: left join bastion_hosts as i on i.subscription_id = sub.subscription_id; PrimaryTable: azure_bastion_host ListOfTables: - - azure_bastion_host - - azure_subscription + - azure_bastion_host + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_7_2.yaml b/compliance/controls/azure/azure_cis_v200_7_2.yaml index 73d1b21d1..d43778be6 100755 --- a/compliance/controls/azure/azure_cis_v200_7_2.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v200_7_2 Title: "7.2 Ensure Virtual Machines are utilizing Managed Disks" Description: "Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = vm.subscription_id; PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v200_7_3.yaml b/compliance/controls/azure/azure_cis_v200_7_3.yaml index 7868facf2..4c8514882 100755 --- a/compliance/controls/azure/azure_cis_v200_7_3.yaml +++ b/compliance/controls/azure/azure_cis_v200_7_3.yaml 
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_7_3
 Title: "7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)"
 Description: "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 and sub.subscription_id = disk.subscription_id;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_7_4.yaml b/compliance/controls/azure/azure_cis_v200_7_4.yaml
index d4b4a3f32..76a2fad9b 100755
--- a/compliance/controls/azure/azure_cis_v200_7_4.yaml
+++ b/compliance/controls/azure/azure_cis_v200_7_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_7_4
 Title: "7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)"
 Description: "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 and sub.subscription_id = disk.subscription_id;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_7_5.yaml b/compliance/controls/azure/azure_cis_v200_7_5.yaml
index fd0b930e4..4b133c864 100755
--- a/compliance/controls/azure/azure_cis_v200_7_5.yaml
+++ b/compliance/controls/azure/azure_cis_v200_7_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_7_5
 Title: "7.5 Ensure that Only Approved Extensions Are Installed"
 Description: "For added security, only install organization-approved extensions on VMs."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_7_6.yaml b/compliance/controls/azure/azure_cis_v200_7_6.yaml
index 6780b0f38..34ba7a31c 100755
--- a/compliance/controls/azure/azure_cis_v200_7_6.yaml
+++ b/compliance/controls/azure/azure_cis_v200_7_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_7_6
 Title: "7.6 Ensure that Endpoint Protection for all Virtual Machines is installed"
 Description: "Install endpoint protection for all virtual machines."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_7_7.yaml b/compliance/controls/azure/azure_cis_v200_7_7.yaml
index 618c61fc9..6fd131702 100755
--- a/compliance/controls/azure/azure_cis_v200_7_7.yaml
+++ b/compliance/controls/azure/azure_cis_v200_7_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_7_7
 Title: "7.7 Ensure that VHDs are Encrypted"
 Description: "VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_8_1.yaml b/compliance/controls/azure/azure_cis_v200_8_1.yaml
index 6dda3539e..1e53695e4 100755
--- a/compliance/controls/azure/azure_cis_v200_8_1.yaml
+++ b/compliance/controls/azure/azure_cis_v200_8_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_8_1
 Title: "8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults"
 Description: "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -37,9 +35,11 @@ Query:
 sub.subscription_id = kvk.subscription_id;
 PrimaryTable: azure_key_vault_key
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_key
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_key
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_8_2.yaml b/compliance/controls/azure/azure_cis_v200_8_2.yaml
index 3ccea117c..00989fed5 100755
--- a/compliance/controls/azure/azure_cis_v200_8_2.yaml
+++ b/compliance/controls/azure/azure_cis_v200_8_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_8_2
 Title: "8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults"
 Description: "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,9 +35,11 @@ Query:
 sub.subscription_id = kvk.subscription_id;
 PrimaryTable: azure_key_vault_key
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_key
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_key
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_8_3.yaml b/compliance/controls/azure/azure_cis_v200_8_3.yaml
index 3db715a62..cd082c3ae 100755
--- a/compliance/controls/azure/azure_cis_v200_8_3.yaml
+++ b/compliance/controls/azure/azure_cis_v200_8_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_8_3
 Title: "8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults"
 Description: "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,9 +35,11 @@ Query:
 sub.subscription_id = kvs.subscription_id;
 PrimaryTable: azure_key_vault_secret
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_secret
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_secret
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_8_4.yaml b/compliance/controls/azure/azure_cis_v200_8_4.yaml
index 45c098371..d38a8b437 100755
--- a/compliance/controls/azure/azure_cis_v200_8_4.yaml
+++ b/compliance/controls/azure/azure_cis_v200_8_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_8_4
 Title: "8.4 Ensure that the Expiration Date is set for all Secrets in Non- RBAC Key Vaults"
 Description: "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -37,9 +35,11 @@ Query:
 sub.subscription_id = kvs.subscription_id;
 PrimaryTable: azure_key_vault_secret
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_secret
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_secret
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_8_5.yaml b/compliance/controls/azure/azure_cis_v200_8_5.yaml
index ddeb4daf9..47088f936 100755
--- a/compliance/controls/azure/azure_cis_v200_8_5.yaml
+++ b/compliance/controls/azure/azure_cis_v200_8_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_8_5
 Title: "8.5 Ensure the Key Vault is Recoverable"
 Description: "The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the \\\"Do Not Purge\\\" and \\\"Soft Delete\\\" functions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 sub.subscription_id = kv.subscription_id;
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_8_6.yaml b/compliance/controls/azure/azure_cis_v200_8_6.yaml
index e3c6fd4ed..2b79a105e 100755
--- a/compliance/controls/azure/azure_cis_v200_8_6.yaml
+++ b/compliance/controls/azure/azure_cis_v200_8_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_8_6
 Title: "8.6 Enable Role Based Access Control for Azure Key Vault"
 Description: "Role assignments disappear when a Key Vault has been deleted (soft- delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = kv.subscription_id;
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_8_8.yaml b/compliance/controls/azure/azure_cis_v200_8_8.yaml
index 612973486..e6ad9b43a 100755
--- a/compliance/controls/azure/azure_cis_v200_8_8.yaml
+++ b/compliance/controls/azure/azure_cis_v200_8_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_8_8
 Title: "8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services"
 Description: "Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_1.yaml b/compliance/controls/azure/azure_cis_v200_9_1.yaml
index 03a2c3474..fd310f243 100755
--- a/compliance/controls/azure/azure_cis_v200_9_1.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_1
 Title: "9.1 Ensure App Service Authentication is set up for apps in Azure App Service"
 Description: "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_11.yaml b/compliance/controls/azure/azure_cis_v200_9_11.yaml
index 8c398df01..3d36c7cce 100755
--- a/compliance/controls/azure/azure_cis_v200_9_11.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_11.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_11
 Title: "9.11 Ensure Azure Key Vaults are Used to Store Secrets"
 Description: "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_2.yaml b/compliance/controls/azure/azure_cis_v200_9_2.yaml
index 1bb6b8d8a..4b1730ee6 100755
--- a/compliance/controls/azure/azure_cis_v200_9_2.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_2
 Title: "9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service"
 Description: "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_3.yaml b/compliance/controls/azure/azure_cis_v200_9_3.yaml
index f0eb8f493..67b9d9ed8 100755
--- a/compliance/controls/azure/azure_cis_v200_9_3.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_3
 Title: "9.3 Ensure Web App is using the latest version of TLS encryption"
 Description: "The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_4.yaml b/compliance/controls/azure/azure_cis_v200_9_4.yaml
index 0fbc831fc..21d377690 100755
--- a/compliance/controls/azure/azure_cis_v200_9_4.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_4
 Title: "9.4 Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'"
 Description: "Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_5.yaml b/compliance/controls/azure/azure_cis_v200_9_5.yaml
index 676caef18..a387078dc 100755
--- a/compliance/controls/azure/azure_cis_v200_9_5.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_5
 Title: "9.5 Ensure that Register with Azure Active Directory is enabled on App Service"
 Description: "Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering with Azure Active Directory in App Service, the app will connect to other Azure services securely without the need for usernames and passwords."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_6.yaml b/compliance/controls/azure/azure_cis_v200_9_6.yaml
index 0f4689ba4..d6f597101 100755
--- a/compliance/controls/azure/azure_cis_v200_9_6.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_6
 Title: "9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App"
 Description: "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_7.yaml b/compliance/controls/azure/azure_cis_v200_9_7.yaml
index ee4f18814..5508ab671 100755
--- a/compliance/controls/azure/azure_cis_v200_9_7.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_7
 Title: "9.7 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App"
 Description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_8.yaml b/compliance/controls/azure/azure_cis_v200_9_8.yaml
index a0ea51a18..2e5dea912 100755
--- a/compliance/controls/azure/azure_cis_v200_9_8.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_8
 Title: "9.8 Ensure that 'Java version' is the latest, if used to run the Web App"
 Description: "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v200_9_9.yaml b/compliance/controls/azure/azure_cis_v200_9_9.yaml
index 5f58e39ba..2ea625d8f 100755
--- a/compliance/controls/azure/azure_cis_v200_9_9.yaml
+++ b/compliance/controls/azure/azure_cis_v200_9_9.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v200_9_9
 Title: "9.9 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App"
 Description: "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = app.subscription_id;
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_10_1.yaml b/compliance/controls/azure/azure_cis_v210_10_1.yaml
index f0cc9ea3f..74bc0fd51 100755
--- a/compliance/controls/azure/azure_cis_v210_10_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_10_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_10_1
 Title: "10.1 Ensure that Resource Locks are set for Mission-Critical Azure Resources"
 Description: "Resource Manager Locks provide a way for administrators to lock down Azure resources to prevent deletion of, or modifications to, a resource. These locks sit outside of the Role Based Access Controls (RBAC) hierarchy and, when applied, will place restrictions on the resource for all users."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_10.yaml b/compliance/controls/azure/azure_cis_v210_1_10.yaml
index d7b73e89c..61a015b5c 100755
--- a/compliance/controls/azure/azure_cis_v210_1_10.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_10.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_10
 Title: "1.10 Ensure 'User consent for applications' is set to 'Do not allow user consent'"
 Description: "Require administrators to provide consent for applications before use."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_11.yaml b/compliance/controls/azure/azure_cis_v210_1_11.yaml
index f0118be67..1333dea4b 100755
--- a/compliance/controls/azure/azure_cis_v210_1_11.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_11.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_11
 Title: "1.11 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers'"
 Description: "Allow users to provide consent for selected permissions when a request is coming from a verified publisher."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_12.yaml b/compliance/controls/azure/azure_cis_v210_1_12.yaml
index ab86a4019..b3c371901 100755
--- a/compliance/controls/azure/azure_cis_v210_1_12.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_12.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_12
 Title: "1.12 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'"
 Description: "Require administrators to provide consent for the apps before use."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_13.yaml b/compliance/controls/azure/azure_cis_v210_1_13.yaml
index 77dda9ea3..18dbf54c2 100755
--- a/compliance/controls/azure/azure_cis_v210_1_13.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_13.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_13
 Title: "1.13 Ensure That 'Users Can Register Applications' Is Set to 'No'"
 Description: "Require administrators or appropriately delegated users to register third-party applications."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -32,8 +30,10 @@ Query:
 azuread_authorization_policy as a;
 PrimaryTable: azuread_authorization_policy
 ListOfTables:
- - azure_tenant
- - azuread_authorization_policy
+ - azure_tenant
+ - azuread_authorization_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_14.yaml b/compliance/controls/azure/azure_cis_v210_1_14.yaml
index cc32de47a..a5392be53 100755
--- a/compliance/controls/azure/azure_cis_v210_1_14.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_14.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_14
 Title: "1.14 Ensure That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'"
 Description: "Limit guest user permissions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_15.yaml b/compliance/controls/azure/azure_cis_v210_1_15.yaml
index 6fc568411..bf90b4e37 100755
--- a/compliance/controls/azure/azure_cis_v210_1_15.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_15.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_15
 Title: "1.15 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'"
 Description: "Restrict invitations to users with specific administrative roles only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_16.yaml b/compliance/controls/azure/azure_cis_v210_1_16.yaml
index b16150f3b..ba0873714 100755
--- a/compliance/controls/azure/azure_cis_v210_1_16.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_16.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_16
 Title: "1.16 Ensure That 'Restrict access to Microsoft Entra admin center' is Set to 'Yes'"
 Description: "Restrict access to the Azure AD administration portal to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_17.yaml b/compliance/controls/azure/azure_cis_v210_1_17.yaml
index 865c7fa7a..dae858039 100755
--- a/compliance/controls/azure/azure_cis_v210_1_17.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_17.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_17
 Title: "1.17 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'"
 Description: "Restricts group creation to administrators with permissions only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_18.yaml b/compliance/controls/azure/azure_cis_v210_1_18.yaml
index 7f3ad3116..477787d05 100755
--- a/compliance/controls/azure/azure_cis_v210_1_18.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_18.yaml
@@ -1,40 +1,15 @@
 ID: azure_cis_v210_1_18
 Title: "1.18 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'"
 Description: "Restrict security group creation to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with distinct_tenant as (
- select
- distinct tenant_id,
- subscription_id,
- _ctx
- from
- azure_tenant
- )
- select
- a.id as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then 'ok'
- else 'alarm'
- end as status,
- case
- when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then a.display_name || ' does not allow user to create security groups.'
- else a.display_name || ' allows user to create security groups.'
- end as reason,
- t.tenant_id
-
- from
- distinct_tenant as t,
- azuread_authorization_policy as a;
+ QueryToExecute: "with distinct_tenant as (\n select\n distinct tenant_id,\n subscription_id,\n _ctx\n from\n azure_tenant\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then a.display_name || ' does not allow user to create security groups.'\n else a.display_name || ' allows user to create security groups.'\n end as reason,\n t.tenant_id\n \nfrom\n distinct_tenant as t,\n azuread_authorization_policy as a;"
 PrimaryTable: azuread_authorization_policy
 ListOfTables:
- - azure_tenant
- - azuread_authorization_policy
+ - azure_tenant
+ - azuread_authorization_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
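Review bot: `QueryToExecute` in azure_cis_v210_1_18 is collapsed from a `|-` block scalar into one double-quoted string with embedded `\n` escapes, while every other control touched by this change (for example azure_cis_v210_1_13 and azure_cis_v210_1_19 in the neighbouring hunks) keeps the block-scalar form; the quoted form is hard to read and review, and any future edit to the SQL will show as a single-line diff. The new string also carries a whitespace-only line inside the query (`t.tenant_id\n \nfrom`), which the block scalar stripped to an empty line. As far as the visible text shows the SQL itself is unchanged, so this reads as an accidental re-serialization rather than an intended rewrite; unless the loader requires a flow scalar here, keep `QueryToExecute: |-` followed by the SQL lines this hunk removes, one per line, so the control stays diffable and consistent with its siblings.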
diff --git a/compliance/controls/azure/azure_cis_v210_1_19.yaml b/compliance/controls/azure/azure_cis_v210_1_19.yaml
index 3a7659014..ad01caf84 100755
--- a/compliance/controls/azure/azure_cis_v210_1_19.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_19.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_19
 Title: "1.19 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No'"
 Description: "Restrict security group management to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_1_1.yaml b/compliance/controls/azure/azure_cis_v210_1_1_1.yaml
index 5af426183..3b4a8140e 100755
--- a/compliance/controls/azure/azure_cis_v210_1_1_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_1_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_1_1_1
 Title: "1.1.1 Ensure Security Defaults is enabled on Microsoft Entra ID"
 Description: "Security defaults in Microsoft Entra ID make it easier to be secure and help protect your organization. Security defaults contain preconfigured security settings for common attacks. Security defaults is available to everyone. The goal is to ensure that all organizations have a basic level of security enabled at no extra cost. You may turn on security defaults in the Azure portal."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -16,4 +14,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_1_1_2.yaml b/compliance/controls/azure/azure_cis_v210_1_1_2.yaml
index 67f16d096..5e9dea102 100755
--- a/compliance/controls/azure/azure_cis_v210_1_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_1_1_2.yaml
@@ -1,8 +1,6 @@ ID: azure_cis_v210_1_1_2 Title: "1.1.2 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Privileged Users" Description: "Enable multi-factor authentication for all roles, groups, and users that have write access or permissions to Azure resources." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_1_3.yaml b/compliance/controls/azure/azure_cis_v210_1_1_3.yaml index da64e56ef..a7060df41 100755 --- a/compliance/controls/azure/azure_cis_v210_1_1_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_1_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_1_3 Title: "1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users" Description: "Enable multi-factor authentication for all non-privileged users." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_1_4.yaml b/compliance/controls/azure/azure_cis_v210_1_1_4.yaml index 9c86d90a4..6c6f7b9e5 100755 --- a/compliance/controls/azure/azure_cis_v210_1_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_1_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_1_4 Title: "1.1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is Disabled" Description: "Do not allow users to remember multi-factor authentication on devices." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v210_1_20.yaml b/compliance/controls/azure/azure_cis_v210_1_20.yaml index ff83aa882..d297a046c 100755 --- a/compliance/controls/azure/azure_cis_v210_1_20.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_20.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_20 Title: "1.20 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No'" Description: "Restrict Microsoft 365 group creation to administrators only." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_21.yaml b/compliance/controls/azure/azure_cis_v210_1_21.yaml index e17457dc4..0bd6d8a64 100755 --- a/compliance/controls/azure/azure_cis_v210_1_21.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_21.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_21 Title: "1.21 Ensure that 'Require Multi-Factor Authentication to register or join devices with Microsoft Entra ID' is set to 'Yes'" Description: "Joining or registering devices to the active directory should require Multi-factor authentication." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_22.yaml b/compliance/controls/azure/azure_cis_v210_1_22.yaml index d7039e59d..d5569d2cd 100755 --- a/compliance/controls/azure/azure_cis_v210_1_22.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_22.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_1_22 Title: "1.22 Ensure That No Custom Subscription Administrator Roles Exist" Description: "The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -50,8 +48,10 @@ Query: cr.og_resource_id; PrimaryTable: azure_role_definition ListOfTables: - - azure_role_definition - - azure_subscription + - azure_role_definition + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_23.yaml b/compliance/controls/azure/azure_cis_v210_1_23.yaml index a9f1a2737..25dab7312 100755 --- a/compliance/controls/azure/azure_cis_v210_1_23.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_23.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_23 Title: "1.23 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks" Description: "Resource locking is a powerful protection mechanism that can prevent inadvertent modification/deletion of resources within Azure subscriptions/Resource Groups and is a recommended NIST configuration." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_24.yaml b/compliance/controls/azure/azure_cis_v210_1_24.yaml index 49661bfad..306507200 100755 --- a/compliance/controls/azure/azure_cis_v210_1_24.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_24.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_1_24 Title: "1.24 Ensure That `Subscription leaving Microsoft Entra ID directory` and `Subscription entering Microsoft Entra ID directory` Is Set To 'Permit No One'" Description: "Users who are set as subscription owners are able to make administrative changes to the subscriptions and move them into and out of Azure Active Directories." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_25.yaml b/compliance/controls/azure/azure_cis_v210_1_25.yaml index adb34007c..8cf6e0a69 100755 --- a/compliance/controls/azure/azure_cis_v210_1_25.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_25.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_25 Title: "1.25 Ensure fewer than 5 users have global administrator assignment" Description: "This recommendation aims to maintain a balance between security and operational efficiency by ensuring that a minimum of 2 and a maximum of 4 users are assigned the Global Administrator role in Microsoft Entra ID. Having at least two Global Administrators ensures redundancy, while limiting the number to four reduces the risk of excessive privileged access." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -34,8 +32,10 @@ Query: display_name = 'Global Administrator' PrimaryTable: azuread_directory_role ListOfTables: - - azure_tenant - - azuread_directory_role + - azure_tenant + - azuread_directory_role Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_2_1.yaml b/compliance/controls/azure/azure_cis_v210_1_2_1.yaml index 630e5673b..eb794aec4 100755 --- a/compliance/controls/azure/azure_cis_v210_1_2_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_1.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_1_2_1 Title: "1.2.1 Ensure Trusted Locations Are Defined" Description: "Microsoft Entra ID Conditional Access allows an organization to configure Named locations and configure whether those locations are trusted or untrusted. These settings provide organizations the means to specify Geographical locations for use in conditional access policies, or define actual IP addresses and IP ranges and whether or not those IP addresses and/or ranges are trusted by the organization." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_2_2.yaml b/compliance/controls/azure/azure_cis_v210_1_2_2.yaml index f16727eec..4eab436be 100755 --- a/compliance/controls/azure/azure_cis_v210_1_2_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_2_2 Title: "1.2.2 Ensure that an exclusionary Geographic Access Policy is considered" Description: "Conditional Access Policies can be used to block access from geographic locations that are deemed out-of-scope for your organization or application. The scope and variables for this policy should be carefully examined and defined." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_2_3.yaml b/compliance/controls/azure/azure_cis_v210_1_2_3.yaml index 4f61a2334..3f72a860f 100755 --- a/compliance/controls/azure/azure_cis_v210_1_2_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_3.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_1_2_3 Title: "1.2.3 Ensure that A Multi-factor Authentication Policy Exists for Administrative Groups" Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_2_4.yaml b/compliance/controls/azure/azure_cis_v210_1_2_4.yaml index 0cacde54e..e35b30e50 100755 --- a/compliance/controls/azure/azure_cis_v210_1_2_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_2_4 Title: "1.2.4 Ensure that A Multi-factor Authentication Policy Exists for All Users" Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_2_5.yaml b/compliance/controls/azure/azure_cis_v210_1_2_5.yaml index 99af7fc05..dfb8bcd6d 100755 --- a/compliance/controls/azure/azure_cis_v210_1_2_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_2_5 Title: "1.2.5 Ensure Multi-factor Authentication is Required for Risky Sign-ins" Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on login." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v210_1_2_6.yaml b/compliance/controls/azure/azure_cis_v210_1_2_6.yaml index 3484b936f..736c726d2 100755 --- a/compliance/controls/azure/azure_cis_v210_1_2_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_2_6 Title: "1.2.6 Ensure Multifactor Authentication is Required for Windows Azure Service Management API" Description: "This recommendation ensures that users accessing the Windows Azure Service Management API (i.e. Azure Powershell, Azure CLI, Azure Resource Manager API, etc.) are required to use multifactor authentication (MFA) credentials when accessing resources through the Windows Azure Service Management API." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -32,8 +30,10 @@ Query: azuread_conditional_access_policy as p; PrimaryTable: azuread_conditional_access_policy ListOfTables: - - azure_tenant - - azuread_conditional_access_policy + - azure_tenant + - azuread_conditional_access_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_2_7.yaml b/compliance/controls/azure/azure_cis_v210_1_2_7.yaml index b1e7f59a1..b1eb4dab4 100755 --- a/compliance/controls/azure/azure_cis_v210_1_2_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_2_7.yaml 
@@ -1,44 +1,17 @@ ID: azure_cis_v210_1_2_7 Title: "1.2.7 Ensure Multifactor Authentication is Required to access Microsoft Admin Portals" Description: "This recommendation ensures that users accessing Microsoft Admin Portals (i.e. Microsoft 365 Admin, Microsoft 365 Defender, Exchange Admin Center, Azure Portal, etc.) are required to use multifactor authentication (MFA) credentials when logging into an Admin Portal." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with distinct_tenant as ( - select - u.id, - tenant_id - from - azuread_user as u - left join azure_role_assignment as a on a.principal_id = u.id - left join azure_role_definition as d on d.id = a.role_definition_id - where role_type = 'BuiltInRole' and (role_name like '%Administrator%' or role_name = 'Owner') - ) - select - p.id as resource, - p.og_account_id as og_account_id, - p.og_resource_id as og_resource_id, - case - when p.built_in_controls @> '["mfa"]' then 'ok' - else 'alarm' - end as status, - case - when p.built_in_controls @> '["mfa"]' then p.display_name || ' MFA enabled.' - else p.display_name || ' MFA disabled.' 
- end as reason, - t.tenant_id - - from - distinct_tenant as t, - azuread_conditional_access_policy as p; + QueryToExecute: "with distinct_tenant as (\n select\n u.id,\n tenant_id\n from\n azuread_user as u\n left join azure_role_assignment as a on a.principal_id = u.id\n left join azure_role_definition as d on d.id = a.role_definition_id\n where role_type = 'BuiltInRole' and (role_name like '%Administrator%' or role_name = 'Owner')\n)\nselect\n p.id as resource,\np.og_account_id as og_account_id,\np.og_resource_id as og_resource_id,\n case\n when p.built_in_controls @> '[\"mfa\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when p.built_in_controls @> '[\"mfa\"]' then p.display_name || ' MFA enabled.'\n else p.display_name || ' MFA disabled.'\n end as reason,\n t.tenant_id\n \nfrom\n distinct_tenant as t,\n azuread_conditional_access_policy as p;" PrimaryTable: azuread_conditional_access_policy ListOfTables: - - azuread_user - - azure_role_assignment - - azure_role_definition - - azuread_conditional_access_policy + - azuread_user + - azure_role_assignment + - azure_role_definition + - azuread_conditional_access_policy Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_4.yaml b/compliance/controls/azure/azure_cis_v210_1_4.yaml index cbb157077..1869d2c95 100755 --- a/compliance/controls/azure/azure_cis_v210_1_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_4.yaml 
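Review bot: In the new quoted `QueryToExecute` the columns `\np.og_account_id as og_account_id,\np.og_resource_id as og_resource_id,` lost the two-space indent that every other select column keeps, so the rendered SQL is inconsistently indented; the removed block scalar had them aligned. Restoring `\n  p.og_account_id as og_account_id,\n  p.og_resource_id as og_resource_id,` keeps the query readable wherever it is surfaced. Separately, `distinct_tenant` here yields one row per administrator (`u.id, tenant_id`) and is combined with `azuread_conditional_access_policy` in a plain comma join, so each policy appears to be reported once per admin user rather than once per tenant — worth confirming against the CTE in azure_cis_v210_1_18, which selects `distinct tenant_id`. The hunk starts on the previous line.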
@@ -1,8 +1,6 @@ ID: azure_cis_v210_1_4 Title: "1.4 Ensure Guest Users Are Reviewed on a Regular Basis" Description: "Microsoft Entra ID is extended to include Azure AD B2B collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account and sign in with their own work, school, or social identities. Guest users allow you to share your company's applications and services with users from any other organization, while maintaining control over your own corporate data. Work with external partners, large or small, even if they don't have Azure AD or an IT department. A simple invitation and redemption process lets partners use their own credentials to access your company's resources as a guest user. Guest users in every subscription should be review on a regular basis to ensure that inactive and unneeded accounts are removed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -35,8 +33,10 @@ Query: u.user_type = 'Guest'; PrimaryTable: azuread_user ListOfTables: - - azure_tenant - - azuread_user + - azure_tenant + - azuread_user Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_5.yaml b/compliance/controls/azure/azure_cis_v210_1_5.yaml index e94f800ba..83405599b 100755 --- a/compliance/controls/azure/azure_cis_v210_1_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_5 Title: "1.5 Ensure That 'Number of methods required to reset' is set to '2'" Description: "Ensures that two alternate forms of identification are provided before allowing a password reset." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v210_1_6.yaml b/compliance/controls/azure/azure_cis_v210_1_6.yaml index 44fdf5bba..eb0d3a18d 100755 --- a/compliance/controls/azure/azure_cis_v210_1_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_6 Title: "1.6 Ensure that a Custom Bad Password List is set to 'Enforce' for your Organization" Description: "Microsoft Azure provides a Global Banned Password policy that applies to Azure administrative and normal user accounts. This is not applied to user accounts that are synced from an on-premise Active Directory unless Azure AD Connect is used and you enable EnforceCloudPasswordPolicyForPasswordSyncedUsers. Please see the list in default values on the specifics of this policy. To further password security, it is recommended to further define a custom banned password policy." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_7.yaml b/compliance/controls/azure/azure_cis_v210_1_7.yaml index 04b261bba..f850d1e12 100755 --- a/compliance/controls/azure/azure_cis_v210_1_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_7 Title: "1.7 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0'" Description: "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v210_1_8.yaml b/compliance/controls/azure/azure_cis_v210_1_8.yaml index 73e3279d5..5f1e0d8f1 100755 --- a/compliance/controls/azure/azure_cis_v210_1_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_8 Title: "1.8 Ensure that 'Notify users on password resets?' is set to 'Yes'" Description: "Ensure that users are notified on their primary and secondary emails on password resets." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_1_9.yaml b/compliance/controls/azure/azure_cis_v210_1_9.yaml index 5e2c9138e..c250b1288 100755 --- a/compliance/controls/azure/azure_cis_v210_1_9.yaml +++ b/compliance/controls/azure/azure_cis_v210_1_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_9 Title: "1.9 Ensure That 'Notify all admins when other admins reset their password?' is set to 'Yes'" Description: "Ensure that all Global Administrators are notified if any other administrator resets their password." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -16,4 +14,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_1.yaml b/compliance/controls/azure/azure_cis_v210_2_1_1.yaml index 485dd424f..a82497c52 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_1.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_1 Title: "2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On'" Description: "Turning on Microsoft Defender for Servers enables threat detection for Servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'VirtualMachines'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_10.yaml b/compliance/controls/azure/azure_cis_v210_2_1_10.yaml index 5162586c3..cf653e3ce 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_10.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_10.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_10 Title: "2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On'" Description: "Microsoft Defender for DNS scans all network traffic exiting from within a subscription." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'Dns'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_11.yaml b/compliance/controls/azure/azure_cis_v210_2_1_11.yaml index 77571408d..fa8b63aa9 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_11.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_11.yaml 
@@ -1,34 +1,15 @@ ID: azure_cis_v210_2_1_11 Title: "2.1.11 Ensure That Microsoft Defender for Resource Manager Is Set To 'On'" Description: "Microsoft Defender for Resource Manager scans incoming administrative requests to change your infrastructure from both CLI and the Azure portal." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - sub_pricing.id as resource, - sub_pricing.og_account_id as og_account_id, - sub_pricing.og_resource_id as og_resource_id, - case - when pricing_tier = 'Standard' then 'ok' - else 'alarm' - end as status, - case - when pricing_tier = 'Standard' then 'Azure Defender on for Resource Manager.' - else 'Azure Defender off for Resource Manager.' - end as reason - - - from - azure_security_center_subscription_pricing sub_pricing - right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id - where - name = 'Arm'; + QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Resource Manager.'\n else 'Azure Defender off for Resource Manager.'\n end as reason\n \n \nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'Arm';" PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_12.yaml b/compliance/controls/azure/azure_cis_v210_2_1_12.yaml index 96558830e..7d2329579 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_12.yaml 
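Review bot: The `right join azure_subscription sub` in the new `QueryToExecute` is presumably there to surface subscriptions that have no Defender for Resource Manager pricing row, but the trailing `where name = 'Arm'` discards those rows again (their `name` is NULL, assuming `name` resolves to `sub_pricing.name`), so a subscription with no pricing entry produces no finding instead of an alarm. If the outer join is intentional, the filter belongs in the join condition, `right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id and sub_pricing.name = 'Arm'`, and `resource` then needs a fallback from the subscription row because `sub_pricing.id` is NULL for those rows. This predates the commit, but the hunk rewrites the whole query, so it is the place to fix it; azure_cis_v210_2_1_21 has the same shape.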
+++ b/compliance/controls/azure/azure_cis_v210_2_1_12.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_12 Title: "2.1.12 Ensure that Microsoft Defender Recommendation for 'Apply system updates' status is 'Completed'" Description: "Ensure that the latest OS patches for all virtual machines are applied." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_13.yaml b/compliance/controls/azure/azure_cis_v210_2_1_13.yaml index 04c4a36ec..1ab780322 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_13.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_13.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_13 Title: "2.1.13 Ensure that Microsoft Cloud Security Benchmark policies are not set to 'Disabled'" Description: "The Microsoft Cloud Security Benchmark (or 'MCSB') is an Azure Policy Initiative containing many security policies to evaluate resource configuration against best practice recommendations. If a policy in the MCSB is set with effect type Disabled, it is not evaluated and may prevent administrators from being informed of valuable security recommendations." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_14.yaml b/compliance/controls/azure/azure_cis_v210_2_1_14.yaml index fc4f93890..93c388bcb 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_14.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_14.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_14 Title: "2.1.14 Ensure that Auto provisioning of 'Log Analytics agent for Azure VMs' is Set to 'On'" Description: "Enable automatic provisioning of the monitoring agent to collect security data." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: right join azure_subscription sub on sc_prov.subscription_id = sub.subscription_id; PrimaryTable: azure_security_center_auto_provisioning ListOfTables: - - azure_security_center_auto_provisioning - - azure_subscription + - azure_security_center_auto_provisioning + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_15.yaml b/compliance/controls/azure/azure_cis_v210_2_1_15.yaml index 690ef4a2e..51245f57b 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_15.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_15.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_15 Title: "2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On'" Description: "Enable automatic provisioning of vulnerability assessment for machines on both Azure and hybrid (Arc enabled) machines." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_16.yaml b/compliance/controls/azure/azure_cis_v210_2_1_16.yaml index 405d87eaf..55b28958e 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_16.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_16.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_16 Title: "2.1.16 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On'" Description: "Enable automatic provisioning of the Microsoft Defender for Containers components." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: name = 'Containers'; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_17.yaml b/compliance/controls/azure/azure_cis_v210_2_1_17.yaml index 81aee7b96..de011ce89 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_17.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_17.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_17 Title: "2.1.17 Ensure That 'All users with the following roles' is set to 'Owner'" Description: "Enable security alert emails to subscription owners." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -33,8 +31,10 @@ Query: left join contact_info ci on sub.subscription_id = ci.subscription_id; PrimaryTable: azure_subscription ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_18.yaml b/compliance/controls/azure/azure_cis_v210_2_1_18.yaml index 08ad977cb..6c674c318 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_18.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_18.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_18 Title: "2.1.18 Ensure 'Additional email addresses' is Configured with a Security Contact Email" Description: "Microsoft Defender for Cloud emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,8 +35,10 @@ Query: left join contact_info ci on sub.subscription_id = ci.subscription_id; PrimaryTable: azure_security_center_contact ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_19.yaml b/compliance/controls/azure/azure_cis_v210_2_1_19.yaml index e4103e7e5..d6ac6e836 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_19.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_19.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_2_1_19 Title: "2.1.19 Ensure That 'Notify about alerts with the following severity' is Set to 'High'" Description: "Enables emailing security alerts to the subscription owner or other designated security contact." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -33,8 +31,10 @@ Query: left join contact_info ci on sub.subscription_id = ci.subscription_id; PrimaryTable: azure_subscription ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_2_1_2.yaml b/compliance/controls/azure/azure_cis_v210_2_1_2.yaml index b1c090a4c..cc35aca8e 100755 --- a/compliance/controls/azure/azure_cis_v210_2_1_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_2_1_2.yaml 
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_2_1_2
 Title: "2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On'"
 Description: "Turning on Microsoft Defender for App Service enables threat detection for App Service, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'AppServices';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_20.yaml b/compliance/controls/azure/azure_cis_v210_2_1_20.yaml
index aa95e6897..1268aa575 100755
--- a/compliance/controls/azure/azure_cis_v210_2_1_20.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_20.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_2_1_20
 Title: "2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected"
 Description: "This integration setting enables Microsoft Defender for Cloud Apps (formerly 'Microsoft Cloud App Security' or 'MCAS' - see additional info) to communicate with Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'MCAS';
 PrimaryTable: azure_security_center_setting
 ListOfTables:
- - azure_security_center_setting
- - azure_subscription
+ - azure_security_center_setting
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_21.yaml b/compliance/controls/azure/azure_cis_v210_2_1_21.yaml
index 597ac24bd..f3592a3f9 100755
--- a/compliance/controls/azure/azure_cis_v210_2_1_21.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_21.yaml
@@ -1,34 +1,15 @@
 ID: azure_cis_v210_2_1_21
 Title: "2.1.21 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected"
 Description: "This integration setting enables Microsoft Defender for Endpoint (formerly 'Advanced Threat Protection' or 'ATP' or 'WDATP' - see additional info) to communicate with Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- sc_sett.id as resource,
- sc_sett.og_account_id as og_account_id,
- sc_sett.og_resource_id as og_resource_id,
- case
- when enabled then 'ok'
- else 'alarm'
- end as status,
- case
- when enabled then 'Microsoft Cloud App Security (MCAS) integrated with Security Center.'
- else 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.'
- end as reason
-
-
- from
- azure_security_center_setting sc_sett
- right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id
- where
- name = 'WDATP';
+ QueryToExecute: "select\n sc_sett.id as resource,\n sc_sett.og_account_id as og_account_id,\n sc_sett.og_resource_id as og_resource_id,\n case\n when enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when enabled then 'Microsoft Cloud App Security (MCAS) integrated with Security Center.'\n else 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.'\n end as reason\n \n \nfrom\n azure_security_center_setting sc_sett\n right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id\nwhere\n name = 'WDATP';"
 PrimaryTable: azure_security_center_setting
 ListOfTables:
- - azure_security_center_setting
- - azure_subscription
+ - azure_security_center_setting
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
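Review bot: The new `QueryToExecute` still carries a copy-pasted reason text — both branches say 'Microsoft Cloud App Security (MCAS) …' while the control and the `name = 'WDATP'` filter concern Microsoft Defender for Endpoint, so findings for this control are mislabelled in reports; the two strings should read `'Microsoft Defender for Endpoint (WDATP) integrated with Security Center.'` and `'Microsoft Defender for Endpoint (WDATP) not integrated with Security Center.'`. Rewriting the `|-` block scalar as a double-quoted string with `\n` escapes is also a readability regression against every neighbouring control in this commit, which keeps `QueryToExecute: |-`; the escaped form hides the SQL from diff review and invites quoting mistakes around the embedded single quotes. Separately, if `name` resolves to `sc_sett.name`, the `where name = 'WDATP'` predicate applied after the right join discards subscriptions that have no such setting row at all, so a subscription missing the integration entirely produces no alarm; moving the predicate into the join (`right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id and sc_sett.name = 'WDATP'`) would keep those rows, with a null `enabled` falling into the 'alarm' branch. The same escaped-string rewrite appears in the azure_cis_v210_2_1_8 hunk.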
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_22.yaml b/compliance/controls/azure/azure_cis_v210_2_1_22.yaml
index 75ab7f6a2..e9af18f6e 100755
--- a/compliance/controls/azure/azure_cis_v210_2_1_22.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_22.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_2_1_22
 Title: "2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled"
 Description: "An organization's attack surface is the collection of assets with a public network identifier or URI that an external threat actor can see or access from outside your cloud. It is the set of points on the boundary of a system, a system element, system component, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, system component, or environment. The larger the attack surface, the harder it is to protect."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_3.yaml b/compliance/controls/azure/azure_cis_v210_2_1_3.yaml
index c809ca80b..09ba99bdd 100755
--- a/compliance/controls/azure/azure_cis_v210_2_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_2_1_3
 Title: "2.1.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On'"
 Description: "Turning on Microsoft Defender for Azure SQL Databases enables threat detection for Azure SQL database servers, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'SqlServers';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_4.yaml b/compliance/controls/azure/azure_cis_v210_2_1_4.yaml
index f3a5c816a..0aa44fc33 100755
--- a/compliance/controls/azure/azure_cis_v210_2_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_2_1_4
 Title: "2.1.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On'"
 Description: "Turning on Microsoft Defender for SQL servers on machines enables threat detection for SQL servers on machines, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'SqlServerVirtualMachines';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_5.yaml b/compliance/controls/azure/azure_cis_v210_2_1_5.yaml
index 4d83d0097..1ef2a9a24 100755
--- a/compliance/controls/azure/azure_cis_v210_2_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_2_1_5
 Title: "2.1.5 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On'"
 Description: "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'OpenSourceRelationalDatabases';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_6.yaml b/compliance/controls/azure/azure_cis_v210_2_1_6.yaml
index 70257f0b0..fdf9af72d 100755
--- a/compliance/controls/azure/azure_cis_v210_2_1_6.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_2_1_6
 Title: "2.1.6 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On'"
 Description: "Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'CosmosDbs';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_7.yaml b/compliance/controls/azure/azure_cis_v210_2_1_7.yaml
index f513e7f7e..087042ac6 100755
--- a/compliance/controls/azure/azure_cis_v210_2_1_7.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_2_1_7
 Title: "2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On'"
 Description: "Turning on Microsoft Defender for Storage enables threat detection for Storage, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'StorageAccounts';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_2_1_8.yaml b/compliance/controls/azure/azure_cis_v210_2_1_8.yaml
index 4fbf6aa32..e1e1dda18 100755
--- a/compliance/controls/azure/azure_cis_v210_2_1_8.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_1_8.yaml
@@ -1,34 +1,15 @@
 ID: azure_cis_v210_2_1_8
 Title: "2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On'"
 Description: "Turning on Microsoft Defender for Containers enables threat detection for Container Registries including Kubernetes, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for Container Registry.'
- else 'Azure Defender off for Container Registry.'
- end as reason
-
-
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'ContainerRegistry';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Container Registry.'\n else 'Azure Defender off for Container Registry.'\n end as reason\n \n \nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'ContainerRegistry';"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
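Review bot: The query filters on `name = 'ContainerRegistry'` although the control is "Microsoft Defender for Containers" and the sibling control azure_cis_v210_2_1_16 in this same commit queries `name = 'Containers'`; as far as I recall the ContainerRegistry plan was superseded by the Containers plan, so this check may be evaluating a deprecated pricing entry and reporting the wrong state — worth confirming against the current pricing API before relying on it. If that is the case, the reason strings 'Azure Defender on for Container Registry.' / 'Azure Defender off for Container Registry.' need the same correction so the finding text matches the control title. As in the azure_cis_v210_2_1_21 hunk, the `|-` block scalar has been replaced by an escaped double-quoted string; keep `QueryToExecute: |-` so the SQL stays reviewable. The `where name = …` predicate after the right join also appears to drop subscriptions that have no pricing row at all (null `name`), so a subscription with the plan never configured yields no alarm — moving the predicate into the join condition, `right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id and sub_pricing.name = 'ContainerRegistry'`, would keep those rows in the 'alarm' branch.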
diff --git a/compliance/controls/azure/azure_cis_v210_2_2_1.yaml b/compliance/controls/azure/azure_cis_v210_2_2_1.yaml
index 24e6d7b9d..7f92cca36 100755
--- a/compliance/controls/azure/azure_cis_v210_2_2_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_2_2_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_2_2_1
 Title: "2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On'"
 Description: "Microsoft Defender for IoT acts as a central security hub for IoT devices within your organization."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_1.yaml b/compliance/controls/azure/azure_cis_v210_3_1.yaml
index 24a6482dc..c310eaf65 100755
--- a/compliance/controls/azure/azure_cis_v210_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_1
 Title: "3.1 Ensure that 'Secure transfer required' is set to 'Enabled'"
 Description: "Enable data encryption in transit."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_10.yaml b/compliance/controls/azure/azure_cis_v210_3_10.yaml
index 2c7046e91..67b9c9769 100755
--- a/compliance/controls/azure/azure_cis_v210_3_10.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_10.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_10
 Title: "3.10 Ensure Private Endpoints are used to access Storage Accounts"
 Description: "Use private endpoints for your Azure Storage accounts to allow clients and services to securely access data located over a network via an encrypted Private Link. To do this, the private endpoint uses an IP address from the VNet for each service. Network traffic between disparate services securely traverses encrypted over the VNet."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
 sub.subscription_id = a.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_11.yaml b/compliance/controls/azure/azure_cis_v210_3_11.yaml
index 028d6482c..f6474475e 100755
--- a/compliance/controls/azure/azure_cis_v210_3_11.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_11.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_11
 Title: "3.11 Ensure Soft Delete is Enabled for Azure Containers and Blob Storage"
 Description: "The Azure Storage blobs contain data like ePHI or Financial, which can be secret or personal. Data that is erroneously modified or deleted by an application or other storage account user will cause data loss or unavailability."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_12.yaml b/compliance/controls/azure/azure_cis_v210_3_12.yaml
index f499bd727..7af726ec0 100755
--- a/compliance/controls/azure/azure_cis_v210_3_12.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_12.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_12
 Title: "3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys"
 Description: "Enable sensitive data encryption at rest using Customer Managed Keys rather than Microsoft Managed keys."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_13.yaml b/compliance/controls/azure/azure_cis_v210_3_13.yaml
index 80e889f76..012a1b7cb 100755
--- a/compliance/controls/azure/azure_cis_v210_3_13.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_13.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_13
 Title: "3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests"
 Description: "The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -34,8 +32,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_14.yaml b/compliance/controls/azure/azure_cis_v210_3_14.yaml
index 4eb30db81..0ee4350e2 100755
--- a/compliance/controls/azure/azure_cis_v210_3_14.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_14.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_14
 Title: "3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests"
 Description: "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -31,8 +29,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_15.yaml b/compliance/controls/azure/azure_cis_v210_3_15.yaml
index fc9e19eb2..5b7a1866a 100755
--- a/compliance/controls/azure/azure_cis_v210_3_15.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_15.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_15
 Title: "3.15 Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'"
 Description: "In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_16.yaml b/compliance/controls/azure/azure_cis_v210_3_16.yaml
index a8421875c..3f001f9c2 100755
--- a/compliance/controls/azure/azure_cis_v210_3_16.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_16.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_16
 Title: "3.16 Ensure 'Cross Tenant Replication' is not enabled"
 Description: "Cross Tenant Replication in Azure allows data to be replicated across multiple Azure tenants. While this feature can be beneficial for data sharing and availability, it also poses a significant security risk if not properly managed. Unauthorized data access, data leakage, and compliance violations are potential risks. Disabling Cross Tenant Replication ensures that data is not inadvertently replicated across different tenant boundaries without explicit authorization."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_2.yaml b/compliance/controls/azure/azure_cis_v210_3_2.yaml
index c44d94906..5bf9dc010 100755
--- a/compliance/controls/azure/azure_cis_v210_3_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_2
 Title: "3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled'"
 Description: "Enabling encryption at the hardware level on top of the default software encryption for Storage Accounts accessing Azure storage solutions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_3.yaml b/compliance/controls/azure/azure_cis_v210_3_3.yaml
index 501c29573..ea4583ea7 100755
--- a/compliance/controls/azure/azure_cis_v210_3_3.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_3
 Title: "3.3 Ensure that 'Enable key rotation reminders' is enabled for each Storage Account"
 Description: "Access Keys authenticate application access requests to data contained in Storage Accounts. A periodic rotation of these keys is recommended to ensure that potentially compromised keys cannot result in a long-term exploitable credential. The 'Rotation Reminder' is an automatic reminder feature for a manual procedure."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_4.yaml b/compliance/controls/azure/azure_cis_v210_3_4.yaml
index ece929dbd..3640d38ec 100755
--- a/compliance/controls/azure/azure_cis_v210_3_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_4
 Title: "3.4 Ensure that Storage Account Access Keys are Periodically Regenerated"
 Description: "For increased security, regenerate storage account access keys periodically."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_5.yaml b/compliance/controls/azure/azure_cis_v210_3_5.yaml
index 4eba1dd43..20cd84c83 100755
--- a/compliance/controls/azure/azure_cis_v210_3_5.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_5
 Title: "3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests"
 Description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -31,8 +29,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_6.yaml b/compliance/controls/azure/azure_cis_v210_3_6.yaml
index 52b5c561c..b3b708532 100755
--- a/compliance/controls/azure/azure_cis_v210_3_6.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_6
 Title: "3.6 Ensure that Shared Access Signature Tokens Expire Within an Hour"
 Description: "Expire shared access signature tokens within an hour."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_7.yaml b/compliance/controls/azure/azure_cis_v210_3_7.yaml
index 7ecd6f6d3..a4a79cc9b 100755
--- a/compliance/controls/azure/azure_cis_v210_3_7.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_7
 Title: "3.7 Ensure that 'Public Network Access' is `Disabled' for storage accounts"
 Description: "Disallowing public network access for a storage account overrides the public access settings for individual containers in that storage account for Azure Resource Manager Deployment Model storage accounts. Azure Storage accounts that use the classic deployment model will be retired on August 31, 2024."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_8.yaml b/compliance/controls/azure/azure_cis_v210_3_8.yaml
index 7d206e4b1..d66ee5519 100755
--- a/compliance/controls/azure/azure_cis_v210_3_8.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_8
 Title: "3.8 Ensure Default Network Access Rule for Storage Accounts is Set to Deny"
 Description: "Restricting default network access helps to provide a new layer of security, since storage accounts accept connections from clients on any network. To limit access to selected networks, the default action must be changed."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_3_9.yaml b/compliance/controls/azure/azure_cis_v210_3_9.yaml
index 6025f5993..12777170e 100755
--- a/compliance/controls/azure/azure_cis_v210_3_9.yaml
+++ b/compliance/controls/azure/azure_cis_v210_3_9.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_3_9
 Title: "3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access"
 Description: "Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = sa.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_1_2.yaml b/compliance/controls/azure/azure_cis_v210_4_1_2.yaml
index 18e93f321..763216802 100755
--- a/compliance/controls/azure/azure_cis_v210_4_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_1_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_1_2
 Title: "4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)"
 Description: "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -29,8 +27,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_1_4.yaml b/compliance/controls/azure/azure_cis_v210_4_1_4.yaml
index bc559753a..2a0faa404 100755
--- a/compliance/controls/azure/azure_cis_v210_4_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_1_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_1_4
 Title: "4.1.4 Ensure that Microsoft Entra authentication is Configured for SQL Servers"
 Description: "Use Azure Active Directory Authentication for authentication with SQL Database to manage credentials in a single place."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_1_5.yaml b/compliance/controls/azure/azure_cis_v210_4_1_5.yaml
index 9c9e4fd9d..fa569ea29 100755
--- a/compliance/controls/azure/azure_cis_v210_4_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_1_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_1_5
 Title: "4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database"
 Description: "Enable Transparent Data Encryption on every SQL server."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 and s.name <> 'master';
 PrimaryTable: azure_sql_database
 ListOfTables:
- - azure_sql_database
- - azure_subscription
+ - azure_sql_database
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_3_1.yaml b/compliance/controls/azure/azure_cis_v210_4_3_1.yaml
index 28d048989..cbe71ebc0 100755
--- a/compliance/controls/azure/azure_cis_v210_4_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_3_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_3_1
 Title: "4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server"
 Description: "Enable SSL connection on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_postgresql_server
 ListOfTables:
- - azure_postgresql_server
- - azure_subscription
+ - azure_postgresql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_3_7.yaml b/compliance/controls/azure/azure_cis_v210_4_3_7.yaml
index 595ae1b0e..0f4006800 100755
--- a/compliance/controls/azure/azure_cis_v210_4_3_7.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_3_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_3_7
 Title: "4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled"
 Description: "Disable access from Azure services to PostgreSQL Database Server."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -36,8 +34,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_postgresql_server
 ListOfTables:
- - azure_postgresql_server
- - azure_subscription
+ - azure_postgresql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_3_8.yaml b/compliance/controls/azure/azure_cis_v210_4_3_8.yaml
index abe510e68..5c76c22ff 100755
--- a/compliance/controls/azure/azure_cis_v210_4_3_8.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_3_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_3_8
 Title: "4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'"
 Description: "Azure Database for PostgreSQL servers should be created with 'infrastructure double encryption' enabled."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_postgresql_server
 ListOfTables:
- - azure_postgresql_server
- - azure_subscription
+ - azure_postgresql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_4_1.yaml b/compliance/controls/azure/azure_cis_v210_4_4_1.yaml
index 624a4d2f5..f91e9d21d 100755
--- a/compliance/controls/azure/azure_cis_v210_4_4_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_4_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_4_1
 Title: "4.4.1 Ensure 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server"
 Description: "Enable SSL connection on MySQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_mysql_server
 ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_4_2.yaml b/compliance/controls/azure/azure_cis_v210_4_4_2.yaml
index 3c1f952bb..5a7827ac5 100755
--- a/compliance/controls/azure/azure_cis_v210_4_4_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_4_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_4_2
 Title: "4.4.2 Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server"
 Description: "Ensure TLS version on MySQL flexible servers is set to use TLS version 1.2 or higher."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_mysql_server
 ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_5_1.yaml b/compliance/controls/azure/azure_cis_v210_4_5_1.yaml
index 61661792d..a12a3bdc5 100755
--- a/compliance/controls/azure/azure_cis_v210_4_5_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_5_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_5_1
 Title: "4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks"
 Description: "Limiting your Cosmos DB to only communicate on whitelisted networks lowers its attack footprint."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -27,8 +25,10 @@ Query:
 sub.subscription_id = a.subscription_id;
 PrimaryTable: azure_cosmosdb_account
 ListOfTables:
- - azure_cosmosdb_account
- - azure_subscription
+ - azure_cosmosdb_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_5_2.yaml b/compliance/controls/azure/azure_cis_v210_4_5_2.yaml
index 2edd6dd55..366e5e136 100755
--- a/compliance/controls/azure/azure_cis_v210_4_5_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_5_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_5_2
 Title: "4.5.2 Ensure That Private Endpoints Are Used Where Possible"
 Description: "Private endpoints limit network traffic to approved sources."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
 sub.subscription_id = a.subscription_id;
 PrimaryTable: azure_cosmosdb_account
 ListOfTables:
- - azure_cosmosdb_account
- - azure_subscription
+ - azure_cosmosdb_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_4_5_3.yaml b/compliance/controls/azure/azure_cis_v210_4_5_3.yaml
index b9de676d4..0a51aab88 100755
--- a/compliance/controls/azure/azure_cis_v210_4_5_3.yaml
+++ b/compliance/controls/azure/azure_cis_v210_4_5_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_4_5_3
 Title: "4.5.3 Use Entra ID Client Authentication and Azure RBAC where possible"
 Description: "Cosmos DB can use tokens or AAD for client authentication which in turn will use Azure RBAC for authorization. Using AAD is significantly more secure because AAD handles the credentials and allows for MFA and centralized management, and the Azure RBAC better integrated with the rest of Azure."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_1.yaml b/compliance/controls/azure/azure_cis_v210_5_1_1.yaml
index 00d646c78..9893a697d 100755
--- a/compliance/controls/azure/azure_cis_v210_5_1_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_1_1
 Title: "5.1.1 Ensure that a 'Diagnostic Setting' exists for Subscription Activity Logs"
 Description: "Enable Diagnostic settings for exporting activity logs. Diagnostic settings are available for each individual resource within a subscription. Settings should be configured for all appropriate resources for your environment."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_2.yaml b/compliance/controls/azure/azure_cis_v210_5_1_2.yaml
index 92fb601ca..2ee720d65 100755
--- a/compliance/controls/azure/azure_cis_v210_5_1_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_1_2
 Title: "5.1.2 Ensure Diagnostic Setting captures appropriate categories"
 Description: "A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -55,8 +53,10 @@ Query:
 sub.subscription_id = sett.subscription_id;
 PrimaryTable: azure_diagnostic_setting
 ListOfTables:
- - azure_diagnostic_setting
- - azure_subscription
+ - azure_diagnostic_setting
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_3.yaml b/compliance/controls/azure/azure_cis_v210_5_1_3.yaml
index b1c502378..278bf5c55 100755
--- a/compliance/controls/azure/azure_cis_v210_5_1_3.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_1_3
 Title: "5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key"
 Description: "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -29,9 +27,11 @@ Query:
 and sub.subscription_id = a.subscription_id;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_container
- - azure_storage_account
- - azure_subscription
+ - azure_storage_container
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_4.yaml b/compliance/controls/azure/azure_cis_v210_5_1_4.yaml
index f058f5fc4..63828a62b 100755
--- a/compliance/controls/azure/azure_cis_v210_5_1_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_1_4
 Title: "5.1.4 Ensure that logging for Azure Key Vault is 'Enabled'"
 Description: "Enable AuditEvent logging for key vault instances to ensure interactions with key vaults are logged and available."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -42,8 +40,10 @@ Query:
 sub.subscription_id = v.subscription_id;
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_5.yaml b/compliance/controls/azure/azure_cis_v210_5_1_5.yaml
index 1dff6f11c..eb0e47cb9 100755
--- a/compliance/controls/azure/azure_cis_v210_5_1_5.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_1_5
 Title: "5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics"
 Description: "Ensure that network flow logs are captured and fed into a central log analytics workspace."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_1_6.yaml b/compliance/controls/azure/azure_cis_v210_5_1_6.yaml
index fe375e0d9..3cf58509c 100755
--- a/compliance/controls/azure/azure_cis_v210_5_1_6.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_1_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_1_6
 Title: "5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled"
 Description: "Enable AppServiceHTTPLogs diagnostic log category for Azure App Service instances to ensure all http requests are captured and centrally logged."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_1.yaml b/compliance/controls/azure/azure_cis_v210_5_2_1.yaml
index 60e689148..7919117d3 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_2_1
 Title: "5.2.1 Ensure that Activity Log Alert exists for Create Policy Assignment"
 Description: "Create an activity log alert for the Create Policy Assignment event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -48,8 +46,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_10.yaml b/compliance/controls/azure/azure_cis_v210_5_2_10.yaml
index a71011c22..d108ad5ed 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_10.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_10.yaml
@@ -1,64 +1,15 @@
 ID: azure_cis_v210_5_2_10
 Title: "5.2.10 Ensure that Activity Log Alert exists for Delete Public IP Address rule"
 Description: "Create an activity log alert for the Delete Public IP Address rule."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |-
- with alert_rule as(
- select
- alert.id as alert_id,
- alert.name as alert_name,
- alert.enabled,
- alert.location,
- alert.subscription_id
- from
- azure_log_alert as alert,
- jsonb_array_elements_text(scopes) as sc
- where
- alert.location = 'global'
- and alert.enabled
- and sc = '/subscriptions/' || alert.subscription_id
- and
- (
- ( alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]'
- )
- or
- (
- alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]'
- and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]'
- and jsonb_array_length(alert.condition -> 'allOf') = 2
- )
- )
- limit 1
- )
- select
- sub.subscription_id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when count(a.subscription_id) > 0 then 'ok'
- else 'alarm'
- end as status,
- case
- when count(a.subscription_id) > 0 then 'Activity Log Alert exists for Delete Public IP Address rule.'
- else 'Activity Log Alert does not exists for Delete Public IP Address rule.'
- end as reason
- from
- azure_subscription sub
- left join alert_rule a on sub.subscription_id = a.subscription_id
- group by
- sub._ctx,
- sub.subscription_id,
- sub.og_account_id,
- sub.og_resource_id,
- sub.display_name;
+ QueryToExecute: "with alert_rule as(\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and\n (\n ( alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/publicIPAddresses/delete\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/publicipaddresses\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity Log Alert exists for Delete Public IP Address rule.'\n else 'Activity Log Alert does not exists for Delete Public IP Address rule.'\n end as reason \nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub._ctx,\n sub.subscription_id,\n sub.og_account_id,\n sub.og_resource_id,\n sub.display_name;"
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
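Review bot: The `QueryToExecute` block scalar is replaced by a single double-quoted line full of `\n` and `\"` escapes, while every other 5.2.x control in this diff keeps `QueryToExecute: |-`; the escaped form cannot be reviewed or diffed line by line, each JSON fragment such as `'[{\"equals\":\"Administrative\",\"field\":\"category\"}]'` now depends on correct escaping to reach the engine intact, and the conversion already carries a stray space before the newline in `end as reason \nfrom`. Restore `QueryToExecute: |-` with the SQL as on the removed lines; the `|-` header strips the trailing newline exactly as the quoted form does, so the executed text is unchanged. While the alarm text is being touched, `does not exists` in the reason string should read `does not exist`.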
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_2.yaml b/compliance/controls/azure/azure_cis_v210_5_2_2.yaml
index c3896d5b4..90d45f727 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_2_2
 Title: "5.2.2 Ensure that Activity Log Alert exists for Delete Policy Assignment"
 Description: "Create an activity log alert for the Delete Policy Assignment event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -47,8 +45,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_3.yaml b/compliance/controls/azure/azure_cis_v210_5_2_3.yaml
index c48be132a..b994dff99 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_3.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_2_3
 Title: "5.2.3 Ensure that Activity Log Alert exists for Create or Update Network Security Group"
 Description: "Create an Activity Log Alert for the Create or Update Network Security Group event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -57,8 +55,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_4.yaml b/compliance/controls/azure/azure_cis_v210_5_2_4.yaml
index f7f9c19a5..2a8cd23e6 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_2_4
 Title: "5.2.4 Ensure that Activity Log Alert exists for Delete Network Security Group"
 Description: "Create an activity log alert for the Delete Network Security Group event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_5.yaml b/compliance/controls/azure/azure_cis_v210_5_2_5.yaml
index 964f86132..3233b4067 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_5.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_5.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_2_5
 Title: "5.2.5 Ensure that Activity Log Alert exists for Create or Update Security Solution"
 Description: "Create an activity log alert for the Create or Update Security Solution event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -57,8 +55,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_6.yaml b/compliance/controls/azure/azure_cis_v210_5_2_6.yaml
index b97c943b8..416edd0f4 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_6.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_2_6
 Title: "5.2.6 Ensure that Activity Log Alert exists for Delete Security Solution"
 Description: "Create an activity log alert for the Delete Security Solution event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -57,8 +55,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_7.yaml b/compliance/controls/azure/azure_cis_v210_5_2_7.yaml
index 5a26e58fc..4701dabdd 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_7.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_2_7
 Title: "5.2.7 Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule"
 Description: "Create an activity log alert for the Create or Update SQL Server Firewall Rule event."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_8.yaml b/compliance/controls/azure/azure_cis_v210_5_2_8.yaml
index 49edff7a6..a5cf12107 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_8.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_8.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_2_8
 Title: "5.2.8 Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule"
 Description: "Create an activity log alert for the 'Delete SQL Server Firewall Rule.'"
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_2_9.yaml b/compliance/controls/azure/azure_cis_v210_5_2_9.yaml
index ef3dc19ca..2c55bde42 100755
--- a/compliance/controls/azure/azure_cis_v210_5_2_9.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_2_9.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_2_9
 Title: "5.2.9 Ensure that Activity Log Alert exists for Create or Update Public IP Address rule"
 Description: "Create an activity log alert for the Create or Update Public IP Addresses rule."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 sub.display_name;
 PrimaryTable: azure_subscription
 ListOfTables:
- - azure_log_alert
- - azure_subscription
+ - azure_log_alert
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_3_1.yaml b/compliance/controls/azure/azure_cis_v210_5_3_1.yaml
index bc959d875..2598493ad 100755
--- a/compliance/controls/azure/azure_cis_v210_5_3_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_3_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_3_1
 Title: "5.3.1 Ensure Application Insights are Configured"
 Description: "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
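Review bot: `PrimaryTable: azure_subscription` in the second hunk of azure_cis_v210_5_2_9 differs from 5.2.1 through 5.2.10 in this diff, which all declare `PrimaryTable: azure_log_alert` over the same two-table `ListOfTables`; the line is pre-existing context, but a batch that touches every file in the family makes the inconsistency visible. The 5.2.10 query shown earlier in this diff reports `sub.subscription_id as resource` and groups by the subscription, so if `PrimaryTable` drives how findings are attributed, `azure_subscription` may be the accurate value and the other 5.2.x controls the ones to align rather than this one. Worth confirming what the loader uses `PrimaryTable` for before changing either side; the query body for this control lies outside the hunk.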
@@ -32,8 +30,10 @@ Query:
 left join application_insights as i on i.subscription_id = sub.subscription_id;
 PrimaryTable: azure_application_insight
 ListOfTables:
- - azure_application_insight
- - azure_subscription
+ - azure_application_insight
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_5_4.yaml b/compliance/controls/azure/azure_cis_v210_5_4.yaml
index 74482ced9..d0e4a8c4d 100755
--- a/compliance/controls/azure/azure_cis_v210_5_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_5_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_5_4
 Title: "5.4 Ensure that Azure Monitor Resource Logging is Enabled for All Services that Support it"
 Description: "Resource Logs capture activity to the data access plane while the Activity log is a subscription-level log for the control plane. Resource-level diagnostic logs provide insight into operations that were performed within that resource itself; for example, reading or updating a secret from a Key Vault."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_6_1.yaml b/compliance/controls/azure/azure_cis_v210_6_1.yaml
index a54ff5f3c..951c6ad3a 100755
--- a/compliance/controls/azure/azure_cis_v210_6_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_6_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_6_1
 Title: "6.1 Ensure that RDP access from the Internet is evaluated and restricted"
 Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -47,8 +45,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_6_2.yaml b/compliance/controls/azure/azure_cis_v210_6_2.yaml
index e0e69cb09..0b3ceafdb 100755
--- a/compliance/controls/azure/azure_cis_v210_6_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_6_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_6_2
 Title: "6.2 Ensure that SSH access from the Internet is evaluated and restricted"
 Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -47,8 +45,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_6_3.yaml b/compliance/controls/azure/azure_cis_v210_6_3.yaml
index a419e034a..48eb4e4b9 100755
--- a/compliance/controls/azure/azure_cis_v210_6_3.yaml
+++ b/compliance/controls/azure/azure_cis_v210_6_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_6_3
 Title: "6.3 Ensure that UDP access from the Internet is evaluated and restricted"
 Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -52,8 +50,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_6_4.yaml b/compliance/controls/azure/azure_cis_v210_6_4.yaml
index 5bb6141b1..c9fbf9037 100755
--- a/compliance/controls/azure/azure_cis_v210_6_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_6_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_6_4
 Title: "6.4 Ensure that HTTP(S) access from the Internet is evaluated and restricted"
 Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -61,8 +59,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_6_6.yaml b/compliance/controls/azure/azure_cis_v210_6_6.yaml
index 93cc7cc2a..63f56a4d0 100755
--- a/compliance/controls/azure/azure_cis_v210_6_6.yaml
+++ b/compliance/controls/azure/azure_cis_v210_6_6.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_6_6
 Title: "6.6 Ensure that Network Watcher is 'Enabled'"
 Description: "Enable Network Watcher for Azure subscriptions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,9 +23,11 @@ Query:
 join azure_subscription sub on sub.subscription_id = loc.subscription_id;
 PrimaryTable: azure_network_watcher
 ListOfTables:
- - azure_location
- - azure_network_watcher
- - azure_subscription
+ - azure_location
+ - azure_network_watcher
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_6_7.yaml b/compliance/controls/azure/azure_cis_v210_6_7.yaml
index e343d1a2c..51c14d31b 100755
--- a/compliance/controls/azure/azure_cis_v210_6_7.yaml
+++ b/compliance/controls/azure/azure_cis_v210_6_7.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_6_7
 Title: "6.7 Ensure that Public IP addresses are Evaluated on a Periodic Basis"
 Description: "Public IP Addresses provide tenant accounts with Internet connectivity for resources contained within the tenant. During the creation of certain resources in Azure, a Public IP Address may be created. All Public IP Addresses within the tenant should be periodically reviewed for accuracy and necessity."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_7_1.yaml b/compliance/controls/azure/azure_cis_v210_7_1.yaml
index 78d4a2124..fa662478b 100755
--- a/compliance/controls/azure/azure_cis_v210_7_1.yaml
+++ b/compliance/controls/azure/azure_cis_v210_7_1.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_7_1
 Title: "7.1 Ensure an Azure Bastion Host Exists"
 Description: "The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -38,8 +36,10 @@ Query:
 left join bastion_hosts as i on i.subscription_id = sub.subscription_id;
 PrimaryTable: azure_bastion_host
 ListOfTables:
- - azure_bastion_host
- - azure_subscription
+ - azure_bastion_host
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_7_2.yaml b/compliance/controls/azure/azure_cis_v210_7_2.yaml
index 4eda7c9df..daf973b27 100755
--- a/compliance/controls/azure/azure_cis_v210_7_2.yaml
+++ b/compliance/controls/azure/azure_cis_v210_7_2.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_7_2
 Title: "7.2 Ensure Virtual Machines are utilizing Managed Disks"
 Description: "Migrate blob-based VHDs to Managed Disks on Virtual Machines to exploit the default features of this configuration."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = vm.subscription_id;
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_7_3.yaml b/compliance/controls/azure/azure_cis_v210_7_3.yaml
index 60a76f5dd..881b5df16 100755
--- a/compliance/controls/azure/azure_cis_v210_7_3.yaml
+++ b/compliance/controls/azure/azure_cis_v210_7_3.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_7_3
 Title: "7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK)"
 Description: "Ensure that OS disks (boot volumes) and data disks (non-boot volumes) are encrypted with CMK (Customer Managed Keys). Customer Managed keys can be either ADE or Server Side Encryption(SSE)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 and sub.subscription_id = disk.subscription_id;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_7_4.yaml b/compliance/controls/azure/azure_cis_v210_7_4.yaml
index 50527cf6c..b74161e39 100755
--- a/compliance/controls/azure/azure_cis_v210_7_4.yaml
+++ b/compliance/controls/azure/azure_cis_v210_7_4.yaml
@@ -1,8 +1,6 @@
 ID: azure_cis_v210_7_4
 Title: "7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)"
 Description: "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -26,8 +24,10 @@ Query:
 and sub.subscription_id = disk.subscription_id;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_cis_v210_7_5.yaml b/compliance/controls/azure/azure_cis_v210_7_5.yaml
index 03c3fae3b..9c387632e 100755
--- a/compliance/controls/azure/azure_cis_v210_7_5.yaml
+++ b/compliance/controls/azure/azure_cis_v210_7_5.yaml
@@ -1,8 +1,6 @@ ID: azure_cis_v210_7_5 Title: "7.5 Ensure that Only Approved Extensions Are Installed" Description: "For added security, only install organization-approved extensions on VMs." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_7_6.yaml b/compliance/controls/azure/azure_cis_v210_7_6.yaml index fd2fa4d3e..097b283cc 100755 --- a/compliance/controls/azure/azure_cis_v210_7_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_7_6 Title: "7.6 Ensure that Endpoint Protection for all Virtual Machines is installed" Description: "Install endpoint protection for all virtual machines." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_7_7.yaml b/compliance/controls/azure/azure_cis_v210_7_7.yaml index 3eca885f7..08248e6dc 100755 --- a/compliance/controls/azure/azure_cis_v210_7_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_7_7 Title: "7.7 [Legacy] Ensure that VHDs are Encrypted" Description: "VHD (Virtual Hard Disks) are stored in blob storage and are the old-style disks that were attached to Virtual Machines. The blob VHD was then leased to the VM. By default, storage accounts are not encrypted, and Microsoft Defender will then recommend that the OS disks should be encrypted. Storage accounts can be encrypted as a whole using PMK or CMK. This should be turned on for storage accounts containing VHDs." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_7_8.yaml b/compliance/controls/azure/azure_cis_v210_7_8.yaml index bbcca350d..342c3055b 100755 --- a/compliance/controls/azure/azure_cis_v210_7_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_7_8 Title: "7.8 Ensure only MFA enabled identities can access privileged Virtual Machine" Description: "Verify identities without MFA that can log in to a privileged virtual machine using separate login credentials. An adversary can leverage the access to move laterally and perform actions with the virtual machine's managed identity. Make sure the virtual machine only has necessary permissions, and revoke the admin-level permissions according to the least privileges principal." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_7_9.yaml b/compliance/controls/azure/azure_cis_v210_7_9.yaml index 657c1fcb7..f8b75bf45 100755 --- a/compliance/controls/azure/azure_cis_v210_7_9.yaml +++ b/compliance/controls/azure/azure_cis_v210_7_9.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_7_9 Title: "7.9 Ensure Trusted Launch is enabled on Virtual Machines" Description: "When Secure Boot and vTPM are enabled together, they provide a strong foundation for protecting your VM from boot attacks. For example, if an attacker attempts to replace the bootloader with a malicious version, Secure Boot will prevent the VM from booting." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v210_8_1.yaml b/compliance/controls/azure/azure_cis_v210_8_1.yaml index b4cfd4846..d55e701b7 100755 --- a/compliance/controls/azure/azure_cis_v210_8_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_8_1 Title: "8.1 Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults" Description: "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,9 +35,11 @@ Query: sub.subscription_id = kvk.subscription_id; PrimaryTable: azure_key_vault_key ListOfTables: - - azure_key_vault - - azure_key_vault_key - - azure_subscription + - azure_key_vault + - azure_key_vault_key + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_8_2.yaml b/compliance/controls/azure/azure_cis_v210_8_2.yaml index 605a1d267..aa61a4263 100755 --- a/compliance/controls/azure/azure_cis_v210_8_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_8_2 Title: "8.2 Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults" Description: "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,9 +35,11 @@ Query: sub.subscription_id = kvk.subscription_id; PrimaryTable: azure_key_vault_key ListOfTables: - - azure_key_vault - - azure_key_vault_key - - azure_subscription + - azure_key_vault + - azure_key_vault_key + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_8_3.yaml b/compliance/controls/azure/azure_cis_v210_8_3.yaml index 6c507f52a..2909f730b 100755 
--- a/compliance/controls/azure/azure_cis_v210_8_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_8_3 Title: "8.3 Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults" Description: "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,9 +35,11 @@ Query: sub.subscription_id = kvs.subscription_id; PrimaryTable: azure_key_vault_secret ListOfTables: - - azure_key_vault - - azure_key_vault_secret - - azure_subscription + - azure_key_vault + - azure_key_vault_secret + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_8_4.yaml b/compliance/controls/azure/azure_cis_v210_8_4.yaml index 3cae8f8e1..66691614b 100755 --- a/compliance/controls/azure/azure_cis_v210_8_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_8_4 Title: "8.4 Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults" Description: "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,9 +35,11 @@ Query: sub.subscription_id = kvs.subscription_id; PrimaryTable: azure_key_vault_secret ListOfTables: - - azure_key_vault - - azure_key_vault_secret - - azure_subscription + - azure_key_vault + - azure_key_vault_secret + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_8_5.yaml b/compliance/controls/azure/azure_cis_v210_8_5.yaml index 0976d5e7c..72f4240f5 100755 --- a/compliance/controls/azure/azure_cis_v210_8_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_5.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_8_5 Title: "8.5 Ensure the Key Vault is Recoverable" Description: "The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the \\\"Do Not Purge\\\" and \\\"Soft Delete\\\" functions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = kv.subscription_id; PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_8_6.yaml b/compliance/controls/azure/azure_cis_v210_8_6.yaml index 2fe3ec657..5d0f8f785 100755 --- a/compliance/controls/azure/azure_cis_v210_8_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_8_6 Title: "8.6 Enable Role Based Access Control for Azure Key Vault" Description: "Role assignments disappear when a Key Vault has been deleted (soft-delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = kv.subscription_id; PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_8_8.yaml b/compliance/controls/azure/azure_cis_v210_8_8.yaml index 3c14ae077..8c4247a6d 100755 
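Review bot: The Description on the unchanged first line of the azure_cis_v210_8_5 hunk escapes its inner quotes as `\\\"Do Not Purge\\\"` and `\\\"Soft Delete\\\"`; in a YAML double-quoted scalar `\\` decodes to a backslash and `\"` to a quote, so the rendered text contains a literal `\"Do Not Purge\"`. Unless this is an artifact of how the page was rendered, the intended form is `\"Do Not Purge\"` and `\"Soft Delete\"` with a single backslash each. This is an existing line the commit carries over rather than new code.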
--- a/compliance/controls/azure/azure_cis_v210_8_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_8_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_8_8 Title: "8.8 Ensure Automatic Key Rotation is Enabled Within Azure Key Vault for the Supported Services" Description: "Automatic Key Rotation is available in Public Preview. The currently supported applications are Key Vault, Managed Disks, and Storage accounts accessing keys within Key Vault. The number of supported applications will incrementally increased." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_9_1.yaml b/compliance/controls/azure/azure_cis_v210_9_1.yaml index ffb413fa7..1ed945642 100755 --- a/compliance/controls/azure/azure_cis_v210_9_1.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_1.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_9_1 Title: "9.1 Ensure App Service Authentication is set up for apps in Azure App Service" Description: "Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v210_9_10.yaml b/compliance/controls/azure/azure_cis_v210_9_10.yaml index 405bd7f0c..223608489 100755 --- a/compliance/controls/azure/azure_cis_v210_9_10.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_10.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_9_10 Title: "9.10 Ensure Azure Key Vaults are Used to Store Secrets" Description: "Azure Key Vault will store multiple types of sensitive information such as encryption keys, certificate thumbprints, and Managed Identity Credentials. Access to these 'Secrets' can be controlled through granular permissions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_9_2.yaml b/compliance/controls/azure/azure_cis_v210_9_2.yaml index bcbdecd86..3f0227392 100755 --- a/compliance/controls/azure/azure_cis_v210_9_2.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_2.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_9_2 Title: "9.2 Ensure Web App Redirects All HTTP traffic to HTTPS in Azure App Service" Description: "Azure Web Apps allows sites to run under both HTTP and HTTPS by default. Web apps can be accessed by anyone using non-secure HTTP links by default. Non-secure HTTP requests can be restricted and all HTTP requests redirected to the secure HTTPS port. It is recommended to enforce HTTPS-only traffic." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v210_9_3.yaml b/compliance/controls/azure/azure_cis_v210_9_3.yaml index 75a99be03..596f337a5 100755 --- a/compliance/controls/azure/azure_cis_v210_9_3.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_9_3 Title: "9.3 Ensure Web App is using the latest version of TLS encryption" Description: "The TLS (Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards such as PCI DSS." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_9_4.yaml b/compliance/controls/azure/azure_cis_v210_9_4.yaml index 07590ddae..a5273dd03 100755 --- a/compliance/controls/azure/azure_cis_v210_9_4.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_4.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_9_4 Title: "9.4 Ensure that Register with Entra ID is enabled on App Service" Description: "Managed service identity in App Service provides more security by eliminating secrets from the app, such as credentials in the connection strings. When registering an App Service with Entra ID, the app will connect to other Azure services securely without the need for usernames and passwords." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_9_5.yaml b/compliance/controls/azure/azure_cis_v210_9_5.yaml index ea0ab562f..134d72fa9 100755 --- a/compliance/controls/azure/azure_cis_v210_9_5.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_5.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_9_5 Title: "9.5 Ensure That 'PHP version' is the Latest, If Used to Run the Web App" Description: "Periodically newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -52,8 +50,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_9_6.yaml b/compliance/controls/azure/azure_cis_v210_9_6.yaml index c6f3908e0..e2244e87a 100755 --- a/compliance/controls/azure/azure_cis_v210_9_6.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_6.yaml 
@@ -1,8 +1,6 @@ ID: azure_cis_v210_9_6 Title: "9.6 Ensure that 'Python version' is the Latest Stable Version, if Used to Run the Web App" Description: "Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest full Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or additional functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -52,8 +50,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cis_v210_9_7.yaml b/compliance/controls/azure/azure_cis_v210_9_7.yaml index c141836a0..7d50f6ae5 100755 --- a/compliance/controls/azure/azure_cis_v210_9_7.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_7.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_9_7 Title: "9.7 Ensure that 'Java version' is the latest, if used to run the Web App" Description: "Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -52,8 +50,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cis_v210_9_8.yaml b/compliance/controls/azure/azure_cis_v210_9_8.yaml index 7e3d541dc..dccc56df5 100755 --- a/compliance/controls/azure/azure_cis_v210_9_8.yaml +++ b/compliance/controls/azure/azure_cis_v210_9_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_9_8 Title: "9.8 Ensure that 'HTTP Version' is the Latest, if Used to Run the Web App" Description: "Periodically, newer versions are released for HTTP either due to security flaws or to include additional functionality. Using the latest HTTP version for web apps to take advantage of security fixes, if any, and/or new functionalities of the newer version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = app.subscription_id; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app - - azure_subscription + - azure_app_service_web_app + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cognitive_account_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_cognitive_account_encrypted_with_cmk.yaml index 5f576f197..ed6c552f5 100755 --- a/compliance/controls/azure/azure_cognitive_account_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_cognitive_account_encrypted_with_cmk.yaml 
@@ -1,51 +1,19 @@ ID: azure_cognitive_account_encrypted_with_cmk Title: "Cognitive Services accounts should enable data encryption with a customer-managed key" Description: "Customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with cognitive_account_cmk as ( - select - distinct a.id - from - azure_cognitive_account as a, - jsonb_array_elements(capabilities ) as c - where - c ->> 'name' = 'CustomerManagedKey' - ) - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when c.id is null then 'ok' - when c.id is not null and encryption ->> 'keySource' = 'Microsoft.KeyVault' then 'ok' - else 'alarm' - end as status, - case - when c.id is null then name || ' encryption not supported.' - when c.id is not null and encryption ->> 'keySource' = 'Microsoft.KeyVault' then name || ' encrypted with CMK.' - else name || ' not encrypted with CMK.' 
- end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_cognitive_account as s - left join cognitive_account_cmk as c on c.id = s.id, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "with cognitive_account_cmk as (\n select\n distinct a.id\n from\n azure_cognitive_account as a,\n jsonb_array_elements(capabilities ) as c\n where\n c ->> 'name' = 'CustomerManagedKey'\n)\nselect\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when c.id is null then 'ok'\n when c.id is not null and encryption ->> 'keySource' = 'Microsoft.KeyVault' then 'ok'\n else 'alarm'\n end as status,\n case\n when c.id is null then name || ' encryption not supported.'\n when c.id is not null and encryption ->> 'keySource' = 'Microsoft.KeyVault' then name || ' encrypted with CMK.'\n else name || ' not encrypted with CMK.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cognitive_account as s\n left join cognitive_account_cmk as c on c.id = s.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_cognitive_account ListOfTables: - - azure_cognitive_account - - azure_subscription + - azure_cognitive_account + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CognitiveServices + - Azure/CognitiveServices +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cognitive_account_private_link_used.yaml b/compliance/controls/azure/azure_cognitive_account_private_link_used.yaml index 4de54f8d8..124d128fa 100755 --- a/compliance/controls/azure/azure_cognitive_account_private_link_used.yaml +++ b/compliance/controls/azure/azure_cognitive_account_private_link_used.yaml 
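Review bot: The QueryToExecute value is rewritten from a `|` block scalar into a single double-quoted string with embedded `\n` escapes, which makes the SQL unreadable and un-diffable in review, while the other controls touched by this commit (for example azure_cis_v210_7_1) keep the block form, so the control files are now inconsistent. The same conversion appears in azure_cognitive_account_private_link_used, azure_cognitive_account_public_network_access_disabled, azure_cognitive_account_restrict_public_access and azure_cognitive_service_local_auth_disabled. The quoted form also freezes the whitespace-only line (`\n \n` before `, s.resource_group`) into the query text instead of letting it be cleaned up. Keeping `QueryToExecute: |` followed by the SQL as it was on the removed lines yields the identical query string without the escapes.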
@@ -1,61 +1,19 @@ ID: azure_cognitive_account_private_link_used Title: "Cognitive Services should use private link" Description: "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Cognitive Services, you'll reduce the potential for data leakage." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with cognitive_account as ( - select - distinct a.id - from - azure_cognitive_account as a, - jsonb_array_elements(capabilities ) as c - where - c ->> 'name' = 'VirtualNetworks' - ), - cognitive_account_connections as ( - select - distinct a.id - from - cognitive_account as a - left join azure_cognitive_account as b on a.id = b.id, - jsonb_array_elements(private_endpoint_connections ) as c - where - c -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - select - b.id as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when jsonb_array_length(b.private_endpoint_connections) = 0 then 'info' - when c.id is not null then 'ok' - else 'alarm' - end as status, - case - when jsonb_array_length(b.private_endpoint_connections) = 0 then b.name || ' no private link exists.' - when c.id is not null then b.name || ' uses private link.' - else b.name || ' not uses private link.' 
- end as reason - - , b.resource_group as resource_group - , sub.display_name as subscription - from - azure_cognitive_account as b - left join cognitive_account_connections as c on b.id = c.id, - azure_subscription as sub - where - sub.subscription_id = b.subscription_id; + QueryToExecute: "with cognitive_account as (\n select\n distinct a.id\n from\n azure_cognitive_account as a,\n jsonb_array_elements(capabilities ) as c\n where\n c ->> 'name' = 'VirtualNetworks'\n),\ncognitive_account_connections as (\n select\n distinct a.id\n from\n cognitive_account as a\n left join azure_cognitive_account as b on a.id = b.id,\n jsonb_array_elements(private_endpoint_connections ) as c\n where\n c -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved'\n)\nselect\n b.id as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when jsonb_array_length(b.private_endpoint_connections) = 0 then 'info'\n when c.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when jsonb_array_length(b.private_endpoint_connections) = 0 then b.name || ' no private link exists.'\n when c.id is not null then b.name || ' uses private link.'\n else b.name || ' not uses private link.'\n end as reason\n \n , b.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cognitive_account as b\n left join cognitive_account_connections as c on b.id = c.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = b.subscription_id;\n" PrimaryTable: azure_cognitive_account ListOfTables: - - azure_cognitive_account - - azure_subscription + - azure_cognitive_account + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CognitiveServices + - Azure/CognitiveServices +IntegrationTypeName: + - azure_subscription 
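Review bot: An account whose `private_endpoint_connections` array is empty is reported as `info` with reason `' no private link exists.'`, so an account with no private link at all never fails a control titled "Cognitive Services should use private link"; only accounts that have connections in a non-Approved state reach `alarm`. If that is deliberate (for instance because the `VirtualNetworks` capability check in the first CTE is meant to decide applicability), a comment above QueryToExecute should say so; otherwise `'info'` should become `'alarm'` in both `case` branches. The reason text `' not uses private link.'` should read `' does not use private link.'`.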
diff --git a/compliance/controls/azure/azure_cognitive_account_public_network_access_disabled.yaml b/compliance/controls/azure/azure_cognitive_account_public_network_access_disabled.yaml index c784e2562..ff7451fbc 100755 --- a/compliance/controls/azure/azure_cognitive_account_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_cognitive_account_public_network_access_disabled.yaml 
@@ -1,39 +1,19 @@ ID: azure_cognitive_account_public_network_access_disabled Title: "Cognitive Services accounts should disable public network access" Description: "Disabling public network access improves security by ensuring that Cognitive Services account isn't exposed on the public internet. Creating private endpoints can limit exposure of Cognitive Services account." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when public_network_access = 'Enabled' then 'alarm' - else 'ok' - end as status, - case - when public_network_access = 'Enabled' then name || ' public network access enabled.' - else name || ' public network access disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_cognitive_account as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when public_network_access = 'Enabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when public_network_access = 'Enabled' then name || ' public network access enabled.'\n else name || ' public network access disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cognitive_account as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_cognitive_account ListOfTables: - - azure_cognitive_account - - azure_subscription + - azure_cognitive_account + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CognitiveServices + - Azure/CognitiveServices +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_cognitive_account_restrict_public_access.yaml b/compliance/controls/azure/azure_cognitive_account_restrict_public_access.yaml index e07d9d531..e0664f6f4 100755 --- a/compliance/controls/azure/azure_cognitive_account_restrict_public_access.yaml +++ b/compliance/controls/azure/azure_cognitive_account_restrict_public_access.yaml 
@@ -1,49 +1,19 @@ ID: azure_cognitive_account_restrict_public_access Title: "Cognitive Services accounts should restrict network access" Description: "Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with account_with_public_access_restricted as ( - select - a.id - from - azure_cognitive_account as a, - jsonb_array_elements(capabilities) as c - where - c ->> 'name' = 'VirtualNetworks' and network_acls ->> 'defaultAction' <> 'Deny' - ) - select - distinct a.name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.id is not null then 'alarm' - else 'ok' - end as status, - case - when b.id is not null then a.name || ' publicly accessible.' - else a.name || ' publicly not accessible.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_cognitive_account as a - left join account_with_public_access_restricted as b on a.id = b.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with account_with_public_access_restricted as (\n select\n a.id\n from\n azure_cognitive_account as a,\n jsonb_array_elements(capabilities) as c\n where\n c ->> 'name' = 'VirtualNetworks' and network_acls ->> 'defaultAction' <> 'Deny'\n)\nselect\n distinct a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.id is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when b.id is not null then a.name || ' publicly accessible.'\n else a.name || ' publicly not accessible.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cognitive_account as a\n left join account_with_public_access_restricted as b on a.id = b.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_cognitive_account ListOfTables: - - azure_cognitive_account - - azure_subscription + - azure_cognitive_account + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CognitiveServices + - Azure/CognitiveServices +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cognitive_service_local_auth_disabled.yaml b/compliance/controls/azure/azure_cognitive_service_local_auth_disabled.yaml index 0a20ab695..4d7ff1fde 100755 --- a/compliance/controls/azure/azure_cognitive_service_local_auth_disabled.yaml +++ b/compliance/controls/azure/azure_cognitive_service_local_auth_disabled.yaml 
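Review bot: The CTE named `account_with_public_access_restricted` selects the opposite set — accounts whose `network_acls ->> 'defaultAction'` is not `Deny` — and the outer query alarms when a row matches, so the name inverts its meaning; renaming it to `account_with_public_access_allowed` makes the status logic read correctly. Separately, when `network_acls` is null the comparison `<> 'Deny'` yields null, the account drops out of the CTE and is reported `ok` with reason `' publicly not accessible.'`; if an absent ACL block means the service default applies, that is a false pass, and `coalesce(network_acls ->> 'defaultAction', '') <> 'Deny'` would surface it — worth confirming against the schema. The reason text `' publicly not accessible.'` reads better as `' not publicly accessible.'`.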
@@ -1,37 +1,19 @@ ID: azure_cognitive_service_local_auth_disabled Title: "Cognitive Services accounts should have local authentication methods disabled" Description: "Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when disable_local_auth then 'ok' - else 'alarm' - end as status, - case - when disable_local_auth then a.name || ' account local authentication enabled.' - else a.name || ' account local authentication disabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_cognitive_account a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when disable_local_auth then 'ok'\n else 'alarm'\n end as status,\n case\n when disable_local_auth then a.name || ' account local authentication enabled.'\n else a.name || ' account local authentication disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cognitive_account a,\n azure_subscription sub;\n" PrimaryTable: azure_cognitive_account ListOfTables: - - azure_cognitive_account - - azure_subscription + - azure_cognitive_account + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CognitiveServices + - Azure/CognitiveServices +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_disk_access_uses_private_link.yaml b/compliance/controls/azure/azure_compute_disk_access_uses_private_link.yaml index efdae7942..917b0c1f6 100755 
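Review bot: The reason strings in the re-serialized query are swapped: `when disable_local_auth then a.name || ' account local authentication enabled.'` fires when local authentication is disabled, so an ok result is explained as "enabled" and an alarm as "disabled"; exchange the two messages. The query also joins `azure_cognitive_account a, azure_subscription sub;` with no `sub.subscription_id = a.subscription_id` predicate, so with more than one subscription every account is emitted once per subscription and attributed to the wrong ones; the other controls in this diff carry that predicate in their `where` clause. Since the hunk rewrites the whole value anyway, it is the natural place to fix both.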
--- a/compliance/controls/azure/azure_compute_disk_access_uses_private_link.yaml +++ b/compliance/controls/azure/azure_compute_disk_access_uses_private_link.yaml 
@@ -1,49 +1,19 @@ ID: azure_compute_disk_access_uses_private_link Title: "Disk access resources should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to diskAccesses, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with compute_disk_connection as ( - select - distinct a.id - from - azure_compute_disk_access as a, - jsonb_array_elements(private_endpoint_connections) as connection - where - connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved' - ) - select - b.id as resource, - b.og_account_id as og_account_id, - b.og_resource_id as og_resource_id, - case - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when c.id is null then b.name || ' not uses private link.' - else b.name || ' uses private link.' 
- end as reason - - , b.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_disk_access as b - left join compute_disk_connection as c on b.id = c.id, - azure_subscription as sub - where - sub.subscription_id = b.subscription_id; + QueryToExecute: "with compute_disk_connection as (\n select\n distinct a.id\n from\n azure_compute_disk_access as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved'\n)\nselect\n b.id as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.id is null then b.name || ' not uses private link.'\n else b.name || ' uses private link.'\n end as reason\n \n , b.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk_access as b\n left join compute_disk_connection as c on b.id = c.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = b.subscription_id;\n" PrimaryTable: azure_compute_disk_access ListOfTables: - - azure_compute_disk_access - - azure_subscription + - azure_compute_disk_access + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_disk_unattached_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_compute_disk_unattached_encrypted_with_cmk.yaml index 32009d02a..fd69665f6 100755 --- a/compliance/controls/azure/azure_compute_disk_unattached_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_compute_disk_unattached_encrypted_with_cmk.yaml 
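Review bot: The alarm reason `b.name || ' not uses private link.'` is ungrammatical user-facing text; `b.name || ' does not use private link.'` reads correctly. The hunk rewrites the whole `QueryToExecute` value, so the wording can be corrected here without a separate change.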
@@ -1,8 +1,6 @@ ID: azure_compute_disk_unattached_encrypted_with_cmk Title: "Unattached Compute disks should be encrypted with ADE/CMK" Description: "This policy identifies the disks which are unattached and are encrypted with default encryption instead of ADE/CMK. Azure encrypts disks by default Server-Side Encryption (SSE) with platform-managed keys [SSE with PMK]. It is recommended to use either SSE with Azure Disk Encryption [SSE with PMK+ADE] or Customer Managed Key [SSE with CMK] which improves on platform-managed keys by giving you control of the encryption keys to meet your compliance need." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -34,8 +32,10 @@ Query: and sub.subscription_id = disk.subscription_id; PrimaryTable: azure_compute_disk ListOfTables: - - azure_compute_disk - - azure_subscription + - azure_compute_disk + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk.yaml index e47249d20..b03ed9d97 100755 --- a/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk.yaml 
@@ -1,54 +1,33 @@ ID: azure_compute_os_and_data_disk_encrypted_with_cmk Title: "OS and data disks should be encrypted with a customer-managed key" Description: "Use customer-managed keys to manage the encryption at rest of the contents of your managed disks. By default, the data is encrypted at rest with platform-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/disks-cmk." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - disk.id as resource, - disk.og_account_id as og_account_id, - disk.og_resource_id as og_resource_id, - case - when encryption_type = 'EncryptionAtRestWithCustomerKey' then 'ok' - else 'alarm' - end as status, - case - when encryption_type = 'EncryptionAtRestWithCustomerKey' then disk.name || ' encrypted with CMK.' - else disk.name || ' not encrypted with CMK.' 
- end as reason - - , disk.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_disk disk, - azure_subscription sub - where - disk_state = 'Attached' - and sub.subscription_id = disk.subscription_id; + QueryToExecute: "select\n disk.id as resource,\n disk.og_account_id as og_account_id,\n disk.og_resource_id as og_resource_id,\n case\n when encryption_type = 'EncryptionAtRestWithCustomerKey' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_type = 'EncryptionAtRestWithCustomerKey' then disk.name || ' encrypted with CMK.'\n else disk.name || ' not encrypted with CMK.'\n end as reason\n \n , disk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk disk,\n azure_subscription sub\nwhere\n disk_state = 'Attached'\n and sub.subscription_id = disk.subscription_id;\n" PrimaryTable: azure_compute_disk ListOfTables: - - azure_compute_disk - - azure_subscription + - azure_compute_disk + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "7.2" + - "7.2" cis_level: - - "2" + - "2" cis_section_id: - - "7" + - "7" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed.yaml b/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed.yaml index f27387e1c..8f84c5c29 100755 --- a/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed.yaml +++ b/compliance/controls/azure/azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed.yaml 
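Review bot: The ok branch matches only `encryption_type = 'EncryptionAtRestWithCustomerKey'`, so a disk using `EncryptionAtRestWithPlatformAndCustomerKeys` (the value the sibling control azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed checks for in this same diff) is reported as "not encrypted with CMK" even though a customer-managed key is in use. `when encryption_type in ('EncryptionAtRestWithCustomerKey', 'EncryptionAtRestWithPlatformAndCustomerKeys') then 'ok'` in both case expressions would avoid that false alarm. The same predicate appears in the azure_compute_unattached_disk_encrypted_with_cmk hunk later in this diff and needs the same treatment.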
@@ -1,40 +1,19 @@ ID: azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed Title: "Managed disks should be double encrypted with both platform-managed and customer-managed keys" Description: "High security sensitive customers who are concerned of the risk associated with any particular encryption algorithm, implementation, or key being compromised can opt for additional layer of encryption using a different encryption algorithm/mode at the infrastructure layer using platform managed encryption keys. The disk encryption sets are required to use double encryption." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - disk.id as resource, - disk.og_account_id as og_account_id, - disk.og_resource_id as og_resource_id, - case - when encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' then 'ok' - else 'alarm' - end as status, - case - when encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' then disk.name || ' encrypted with both platform-managed and customer-managed keys.' - else disk.name || ' not encrypted with both platform-managed and customer-managed keys.' 
- end as reason - - , disk.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_disk disk, - azure_subscription sub - where - disk_state = 'Attached' - and sub.subscription_id = disk.subscription_id; + QueryToExecute: "select\n disk.id as resource,\n disk.og_account_id as og_account_id,\n disk.og_resource_id as og_resource_id,\n case\n when encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_type = 'EncryptionAtRestWithPlatformAndCustomerKeys' then disk.name || ' encrypted with both platform-managed and customer-managed keys.'\n else disk.name || ' not encrypted with both platform-managed and customer-managed keys.'\n end as reason\n \n , disk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk disk,\n azure_subscription sub\nwhere\n disk_state = 'Attached'\n and sub.subscription_id = disk.subscription_id;\n" PrimaryTable: azure_compute_disk ListOfTables: - - azure_compute_disk - - azure_subscription + - azure_compute_disk + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_unattached_disk_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_compute_unattached_disk_encrypted_with_cmk.yaml index 923dc74b0..4bc84afdb 100755 --- a/compliance/controls/azure/azure_compute_unattached_disk_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_compute_unattached_disk_encrypted_with_cmk.yaml 
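Review bot: The `where disk_state = 'Attached'` filter silently drops unattached disks from this control, while the title ("Managed disks should be double encrypted...") and description do not limit the check to attached disks; an unattached disk with single encryption produces no row at all rather than an alarm or a skip. If attached-only scope is intended, a comment above the query or a narrower title should say so; otherwise removing that predicate is a one-line change.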
@@ -1,54 +1,33 @@ ID: azure_compute_unattached_disk_encrypted_with_cmk Title: "Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK)" Description: "Ensure that unattached disks in a subscription are encrypted with a Customer Managed Key (CMK)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - disk.id as resource, - disk.og_account_id as og_account_id, - disk.og_resource_id as og_resource_id, - case - when encryption_type = 'EncryptionAtRestWithCustomerKey' then 'ok' - else 'alarm' - end as status, - case - when encryption_type = 'EncryptionAtRestWithCustomerKey' then disk.name || ' encrypted with CMK.' - else disk.name || ' not encrypted with CMK.' - end as reason - - , disk.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_disk disk, - azure_subscription sub - where - disk_state != 'Attached' - and sub.subscription_id = disk.subscription_id; + QueryToExecute: "select\n disk.id as resource,\n disk.og_account_id as og_account_id,\n disk.og_resource_id as og_resource_id,\n case\n when encryption_type = 'EncryptionAtRestWithCustomerKey' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_type = 'EncryptionAtRestWithCustomerKey' then disk.name || ' encrypted with CMK.'\n else disk.name || ' not encrypted with CMK.'\n end as reason\n \n , disk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_disk disk,\n azure_subscription sub\nwhere\n disk_state != 'Attached'\n and sub.subscription_id = disk.subscription_id;\n" PrimaryTable: azure_compute_disk ListOfTables: - - azure_compute_disk - - azure_subscription + - azure_compute_disk + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "7.3" + - "7.3" cis_level: - - "2" + - "2" cis_section_id: - - "7" + - "7" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 
plugin: - - azure + - azure service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_account_with_password_linux.yaml b/compliance/controls/azure/azure_compute_vm_account_with_password_linux.yaml index 67082058d..73b62ea03 100755 --- a/compliance/controls/azure/azure_compute_vm_account_with_password_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_account_with_password_linux.yaml 
@@ -1,52 +1,19 @@ ID: azure_compute_vm_account_with_password_linux Title: "Audit Linux machines that have accounts without passwords" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that have accounts without passwords." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_ssh_key_auth as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(guest_configuration_assignments) as b - where - b -> 'guestConfiguration' ->> 'name'= 'PasswordPolicy_msid232' - and b ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Linux' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' have accounts with passwords.' - else a.title || ' does not have have accounts with passwords.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join vm_ssh_key_auth as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with vm_ssh_key_auth as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'PasswordPolicy_msid232'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Linux' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have accounts with passwords.'\n else a.title || ' does not have have accounts with passwords.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_ssh_key_auth as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_adaptive_application_controls_enabled.yaml b/compliance/controls/azure/azure_compute_vm_adaptive_application_controls_enabled.yaml index b4971e7f5..a783845a8 100755 --- a/compliance/controls/azure/azure_compute_vm_adaptive_application_controls_enabled.yaml 
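Review bot: The alarm reason `a.title || ' does not have have accounts with passwords.'` repeats "have" in user-facing text; `a.title || ' does not have accounts with passwords.'` fixes it. The CTE is named `vm_ssh_key_auth` but selects VMs whose `PasswordPolicy_msid232` guest-configuration assignment is `Compliant`, which has nothing to do with SSH keys; a name such as `vm_password_policy_compliant` would describe what it holds.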
+++ b/compliance/controls/azure/azure_compute_vm_adaptive_application_controls_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_adaptive_application_controls_enabled Title: "Adaptive application controls for defining safe applications should be enabled on your machines" Description: "Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_adaptive_network_hardening_recommendation_applied.yaml b/compliance/controls/azure/azure_compute_vm_adaptive_network_hardening_recommendation_applied.yaml index 60df768ad..536a9ce9d 100755 --- a/compliance/controls/azure/azure_compute_vm_adaptive_network_hardening_recommendation_applied.yaml +++ b/compliance/controls/azure/azure_compute_vm_adaptive_network_hardening_recommendation_applied.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_adaptive_network_hardening_recommendation_applied Title: "Adaptive network hardening recommendations should be applied on internet facing virtual machines" Description: "Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_compute_vm_administrators_group_with_extra_accounts_windows.yaml b/compliance/controls/azure/azure_compute_vm_administrators_group_with_extra_accounts_windows.yaml index edd4f3ad8..d05cea4fc 100755 --- a/compliance/controls/azure/azure_compute_vm_administrators_group_with_extra_accounts_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_administrators_group_with_extra_accounts_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_administrators_group_with_extra_accounts_windows Title: "Audit Windows machines that have extra accounts in the Administrators group" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_administrators_group_with_no_specified_members_windows.yaml b/compliance/controls/azure/azure_compute_vm_administrators_group_with_no_specified_members_windows.yaml index bff9480b5..f5fb02e70 100755 --- a/compliance/controls/azure/azure_compute_vm_administrators_group_with_no_specified_members_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_administrators_group_with_no_specified_members_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_administrators_group_with_no_specified_members_windows Title: "Audit Windows machines missing any of specified members in the Administrators group" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_administrators_group_with_specified_members_windows.yaml b/compliance/controls/azure/azure_compute_vm_administrators_group_with_specified_members_windows.yaml index e81e11379..be7479ae2 100755 --- a/compliance/controls/azure/azure_compute_vm_administrators_group_with_specified_members_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_administrators_group_with_specified_members_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_administrators_group_with_specified_members_windows Title: "Audit Windows machines that have the specified members in the Administrators group" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated.yaml b/compliance/controls/azure/azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated.yaml index b1a153344..b5abd149b 100755 --- a/compliance/controls/azure/azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated.yaml +++ b/compliance/controls/azure/azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated.yaml 
@@ -1,8 +1,6 @@ ID: azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated Title: "Allowlist rules in your adaptive application control policy should be updated" Description: "Monitor for changes in behavior on groups of machines configured for auditing by Azure Security Center's adaptive application controls. Security Center uses machine learning to analyze the running processes on your machines and suggest a list of known-safe applications. These are presented as recommended apps to allow in adaptive application control policies." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_and_sacle_set_encryption_at_host_enabled.yaml b/compliance/controls/azure/azure_compute_vm_and_sacle_set_encryption_at_host_enabled.yaml index ed3b950f6..2fbc024b9 100755 --- a/compliance/controls/azure/azure_compute_vm_and_sacle_set_encryption_at_host_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_and_sacle_set_encryption_at_host_enabled.yaml 
@@ -1,67 +1,20 @@ ID: azure_compute_vm_and_sacle_set_encryption_at_host_enabled Title: "Virtual machines and virtual machine scale sets should have encryption at host enabled" Description: "Use encryption at host to get end-to-end encryption for your virtual machine and virtual machine scale set data. Encryption at host enables encryption at rest for your temporary disk and OS/data disk caches. Temporary and ephemeral OS disks are encrypted with platform-managed keys when encryption at host is enabled. OS/data disk caches are encrypted at rest with either customer-managed or platform-managed key, depending on the encryption type selected on the disk." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - 'azure_compute_virtual_machine' as og_table_name, - case - when security_profile -> 'encryptionAtHost' = 'true' then 'ok' - else 'alarm' - end as status, - case - when security_profile -> 'encryptionAtHost' = 'true' then a.name || ' encryption at host enabled.' - else a.name || ' encryption at host disabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id - ) - union - ( - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - 'azure_compute_virtual_machine_scale_set' as og_table_name, - case - when virtual_machine_security_profile -> 'encryptionAtHost' = 'true' then 'ok' - else 'alarm' - end as status, - case - when virtual_machine_security_profile -> 'encryptionAtHost' = 'true' then a.name || ' encryption at host enabled.' - else a.name || ' encryption at host disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine_scale_set as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id - ) + QueryToExecute: "(\n select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n 'azure_compute_virtual_machine' as og_table_name,\n case\n when security_profile -> 'encryptionAtHost' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when security_profile -> 'encryptionAtHost' = 'true' then a.name || ' encryption at host enabled.'\n else a.name || ' encryption at host disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\n from\n azure_compute_virtual_machine as a,\n azure_subscription as sub\n where\n sub.subscription_id = a.subscription_id\n)\nunion\n(\n select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n 'azure_compute_virtual_machine_scale_set' as og_table_name,\n case\n when virtual_machine_security_profile -> 'encryptionAtHost' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when virtual_machine_security_profile -> 'encryptionAtHost' = 'true' then a.name || ' encryption at host enabled.'\n else a.name || ' encryption at host disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\n from\n azure_compute_virtual_machine_scale_set as a,\n azure_subscription as sub\n where\n sub.subscription_id = a.subscription_id\n)\n" PrimaryTable: "" ListOfTables: - - azure_compute_virtual_machine - - azure_compute_virtual_machine_scale_set - - azure_subscription + - azure_compute_virtual_machine + - azure_compute_virtual_machine_scale_set + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription 
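Review bot: Both union branches test `security_profile -> 'encryptionAtHost' = 'true'`, which compares the jsonb value with the jsonb literal `true` and therefore matches only a JSON boolean; if the provider ever stores the flag as the string "true", the VM is reported as alarm. The text operator, `security_profile ->> 'encryptionAtHost' = 'true'` (and likewise for `virtual_machine_security_profile`), matches both encodings. `PrimaryTable: ""` for this union query is presumably deliberate but a short comment above it would save the next reader from wondering.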
diff --git a/compliance/controls/azure/azure_compute_vm_attached_with_network.yaml b/compliance/controls/azure/azure_compute_vm_attached_with_network.yaml index 9b1268a67..389e0aa8a 100755 --- a/compliance/controls/azure/azure_compute_vm_attached_with_network.yaml +++ b/compliance/controls/azure/azure_compute_vm_attached_with_network.yaml 
@@ -1,66 +1,20 @@ ID: azure_compute_vm_attached_with_network Title: "Virtual machines should be connected to an approved virtual network" Description: "This policy audits any virtual machine connected to a virtual network that is not approved." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_with_network_interfaces as ( - select - vm.id as vm_id, - n ->> 'id' as network_id - from - azure_compute_virtual_machine as vm, - jsonb_array_elements(network_interfaces) as n - ), - vm_with_appoved_networks as ( - select - vn.vm_id as vm_id, - vn.network_id as network_id, - t.title as title - from - vm_with_network_interfaces as vn - left join azure_network_interface as t on t.id = vn.network_id - where exists - (select - ip -> 'properties' -> 'subnet' ->> 'id' as ip - FROM - azure_network_interface, - jsonb_array_elements(ip_configurations) as ip - where - ip -> 'properties' -> 'subnet' ->> 'id' is not null) - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.vm_id is null then 'alarm' - else 'ok' - end as status, - case - when b.vm_id is null then a.title || ' not attached with virtual network.' - else a.name || ' attached with virtual network ' || b.title || '.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join vm_with_appoved_networks as b on a.id = b.vm_id, - azure_subscription sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with vm_with_network_interfaces as (\n select\n vm.id as vm_id,\n n ->> 'id' as network_id\n from\n azure_compute_virtual_machine as vm,\n jsonb_array_elements(network_interfaces) as n\n),\nvm_with_appoved_networks as (\n select\n vn.vm_id as vm_id,\n vn.network_id as network_id,\n t.title as title\n from\n vm_with_network_interfaces as vn\n left join azure_network_interface as t on t.id = vn.network_id\n where exists\n (select\n ip -> 'properties' -> 'subnet' ->> 'id' as ip\n FROM\n azure_network_interface,\n jsonb_array_elements(ip_configurations) as ip\n where\n ip -> 'properties' -> 'subnet' ->> 'id' is not null)\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vm_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when b.vm_id is null then a.title || ' not attached with virtual network.'\n else a.name || ' attached with virtual network ' || b.title || '.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_with_appoved_networks as b on a.id = b.vm_id,\n azure_subscription sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_network_interface - - azure_subscription + - azure_compute_virtual_machine + - azure_network_interface + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription 
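Review bot: The `where exists (...)` in the `vm_with_appoved_networks` CTE is not correlated with the outer rows — it references neither `vn` nor `t` — so it is true whenever any interface anywhere in `azure_network_interface` has a subnet, and every VM with a NIC is then reported as attached to an approved network. Nothing in the query defines which networks are approved (`Parameters: []`), so the control cannot alarm on an unapproved network as the title promises; correlating the subquery with the joined interface and adding an approved-network parameter, or retitling the control to "connected to a virtual network", would make the result honest. The reason also mixes `a.title` in the alarm branch with `a.name` in the ok branch, and the CTE name carries a typo (`appoved`).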
diff --git a/compliance/controls/azure/azure_compute_vm_azure_backup_enabled.yaml b/compliance/controls/azure/azure_compute_vm_azure_backup_enabled.yaml index 9816369c5..eecc35965 100755 --- a/compliance/controls/azure/azure_compute_vm_azure_backup_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_azure_backup_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_azure_backup_enabled Title: "Azure Backup should be enabled for Virtual Machines" Description: "Ensure protection of your Azure Virtual Machines by enabling Azure Backup. Azure Backup is a secure and cost effective data protection solution for Azure." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_container_security_configurations_vulnerabilities_remediated.yaml b/compliance/controls/azure/azure_compute_vm_container_security_configurations_vulnerabilities_remediated.yaml index 04a0ca9e1..7a9c6ee36 100755 --- a/compliance/controls/azure/azure_compute_vm_container_security_configurations_vulnerabilities_remediated.yaml +++ b/compliance/controls/azure/azure_compute_vm_container_security_configurations_vulnerabilities_remediated.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_container_security_configurations_vulnerabilities_remediated Title: "Vulnerabilities in container security configurations should be remediated" Description: "Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_compute_vm_data_and_os_disk_uses_managed_disk.yaml b/compliance/controls/azure/azure_compute_vm_data_and_os_disk_uses_managed_disk.yaml index 6bd9e5dbd..975fb8f4d 100755 --- a/compliance/controls/azure/azure_compute_vm_data_and_os_disk_uses_managed_disk.yaml +++ b/compliance/controls/azure/azure_compute_vm_data_and_os_disk_uses_managed_disk.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_data_and_os_disk_uses_managed_disk Title: "Compute virtual machines should use managed disk for OS and data disk" Description: "This control checks whether virtual machines use managed disks for OS and data disks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -42,8 +40,10 @@ Query: sub.subscription_id = vm.subscription_id; PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_disaster_recovery_enabled.yaml b/compliance/controls/azure/azure_compute_vm_disaster_recovery_enabled.yaml index 6793032f6..84c477589 100755 --- a/compliance/controls/azure/azure_compute_vm_disaster_recovery_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_disaster_recovery_enabled.yaml 
@@ -1,50 +1,20 @@ ID: azure_compute_vm_disaster_recovery_enabled Title: "Audit virtual machines without disaster recovery configured" Description: "Audit virtual machines which do not have disaster recovery configured." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_dr_enabled as ( - select - substr(source_id, 0, length(source_id)) as source_id - from - azure_resource_link as l - left join azure_compute_virtual_machine as vm on lower(substr(source_id, 0, length(source_id)))= lower(vm.id) - where - l.name like 'ASR-Protect-%' - ) - select - vm.vm_id as resource, - vm.og_account_id as og_account_id, - vm.og_resource_id as og_resource_id, - case - when l.source_id is null then 'alarm' - else 'ok' - end as status, - case - when l.source_id is null then vm.title || ' disaster recovery disabled.' - else vm.title || ' disaster recovery enabled.' - end as reason - - , vm.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as vm - left join vm_dr_enabled as l on lower(vm.id) = lower(l.source_id), - azure_subscription sub - where - sub.subscription_id = vm.subscription_id; + QueryToExecute: "with vm_dr_enabled as (\n select\n substr(source_id, 0, length(source_id)) as source_id\n from\n azure_resource_link as l\n left join azure_compute_virtual_machine as vm on lower(substr(source_id, 0, length(source_id)))= lower(vm.id)\n where\n l.name like 'ASR-Protect-%'\n)\nselect\n vm.vm_id as resource,\n vm.og_account_id as og_account_id,\n vm.og_resource_id as og_resource_id,\n case\n when l.source_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when l.source_id is null then vm.title || ' disaster recovery disabled.'\n else vm.title || ' disaster recovery enabled.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm\n left join vm_dr_enabled as l on lower(vm.id) = lower(l.source_id),\n 
azure_subscription sub\nwhere\n sub.subscription_id = vm.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_resource_link - - azure_subscription + - azure_compute_virtual_machine + - azure_resource_link + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_endpoint_protection_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_endpoint_protection_agent_installed.yaml index 4fdb3ab80..7180148c6 100755 --- a/compliance/controls/azure/azure_compute_vm_endpoint_protection_agent_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_endpoint_protection_agent_installed.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_endpoint_protection_agent_installed Title: "Monitor missing Endpoint Protection in Azure Security Center" Description: "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed.yaml index 13edd07d3..46d51d90d 100755 --- a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed.yaml 
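Review bot: The `left join azure_compute_virtual_machine as vm` inside the `vm_dr_enabled` CTE is dead code on the new side: the CTE projects only `source_id`, and a left join never filters rows, so the join adds a scan without changing the result — the VM match already happens in the outer `left join vm_dr_enabled as l on lower(vm.id) = lower(l.source_id)`. The `substr(source_id, 0, length(source_id))` expression, under PostgreSQL semantics (which the `jsonb_array_elements` / `->>` usage elsewhere in this commit implies), returns every character except the last; I cannot tell from here whether `azure_resource_link.source_id` really carries a trailing character that `azure_compute_virtual_machine.id` lacks, but if it does not, the comparison never matches and every VM is reported as 'alarm', so the intent deserves a comment such as `-- source_id carries one trailing character the VM id does not; strip it before comparing (verify against live data)`. Separately, re-serialising the SQL as a single double-quoted scalar with embedded `\n` (and a stray `\n \n` whitespace-only line before the `, vm.resource_group` column) makes future diffs of the query unreviewable; `QueryToExecute: |` — the block-scalar form this hunk removes — yields the identical value and keeps the SQL readable.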
@@ -1,50 +1,19 @@ ID: azure_compute_vm_guest_configuration_installed Title: "Guest Configuration extension should be installed on your machines" Description: "To ensure secure configurations of in-guest settings of your machine, install the Guest Configuration extension. In-guest settings that the extension monitors include the configuration of the operating system, application configuration or presence, and environment settings. Once installed, in-guest policies will be available such as 'Windows Exploit guard should be enabled'." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - and b ->> 'ProvisioningState' = 'Succeeded' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when b.vm_id is not null then a.title || ' have guest configuration extension installed.' - else a.title || ' guest configuration extension not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.GuestConfiguration'\n and b ->> 'ProvisioningState' = 'Succeeded'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is not null then a.title || ' have guest configuration extension installed.'\n else a.title || ' guest configuration extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_linux.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_linux.yaml index c24d1b493..f0cf183ed 100755 --- a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_linux.yaml 
@@ -1,54 +1,19 @@ ID: azure_compute_vm_guest_configuration_installed_linux Title: "Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs" Description: "This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - and b ->> 'ProvisioningState' = 'Succeeded' - and b ->> 'ExtensionType' = 'ConfigurationforLinux' - and b ->> 'Name' like '%AzurePolicyforLinux' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Linux' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' have guest configuration extension installed.' - else a.title || ' guest configuration extension not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.GuestConfiguration'\n and b ->> 'ProvisioningState' = 'Succeeded'\n and b ->> 'ExtensionType' = 'ConfigurationforLinux'\n and b ->> 'Name' like '%AzurePolicyforLinux'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Linux' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have guest configuration extension installed.'\n else a.title || ' guest configuration extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_windows.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_windows.yaml index 5231f959d..80e0c6f8d 100755 
--- a/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_windows.yaml
+++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_installed_windows.yaml
@@ -1,56 +1,21 @@ ID: azure_compute_vm_guest_configuration_installed_windows Title: "Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs" Description: "This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - and b ->> 'ProvisioningState' = 'Succeeded' - and b ->> 'ExtensionType' = 'ConfigurationforWindows' - and b ->> 'Name' like '%AzurePolicyforWindows' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' have guest configuration extension installed.' - else a.title || ' guest configuration extension not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.GuestConfiguration'\n and b ->> 'ProvisioningState' = 'Succeeded'\n and b ->> 'ExtensionType' = 'ConfigurationforWindows'\n and b ->> 'Name' like '%AzurePolicyforWindows'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have guest configuration extension installed.'\n else a.title || ' guest configuration extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_no_managed_identity.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_no_managed_identity.yaml
index 8ba8064ea..5bdba9890 100755
--- a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_no_managed_identity.yaml
+++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_no_managed_identity.yaml
@@ -1,52 +1,19 @@ ID: azure_compute_vm_guest_configuration_with_no_managed_identity Title: "Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities" Description: "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with gc_installed_vm as ( - select - distinct a.vm_id, - title - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.vm_id is null then 'skip' - when b.vm_id is not null and identity ->> 'type' is not null then 'ok' - else 'alarm' - end as status, - case - when b.vm_id is null then a.title || ' guest configuration extension not installed.' - when b.vm_id is not null and identity ->> 'type' is not null then a.title || ' guest configuration extension installed with ' || (identity ->> 'type') || ' managed identity.' - else a.title || ' guest configuration extension not installed with managed identity.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join gc_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with gc_installed_vm as (\n select\n distinct a.vm_id,\n title\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.GuestConfiguration'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vm_id is null then 'skip'\n when b.vm_id is not null and identity ->> 'type' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is null then a.title || ' guest configuration extension not installed.'\n when b.vm_id is not null and identity ->> 'type' is not null then a.title || ' guest configuration extension installed with ' || (identity ->> 'type') || ' managed identity.'\n else a.title || ' guest configuration extension not installed with managed identity.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join gc_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: pci_dss_v321: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_system_assigned_managed_identity.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_system_assigned_managed_identity.yaml index 41afa119f..2abb65f24 100755 
--- a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_system_assigned_managed_identity.yaml
+++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_system_assigned_managed_identity.yaml
@@ -1,52 +1,19 @@ ID: azure_compute_vm_guest_configuration_with_system_assigned_managed_identity Title: "Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity" Description: "The Guest Configuration extension requires a system assigned managed identity. Azure virtual machines in the scope of this policy will be non-compliant when they have the Guest Configuration extension installed but do not have a system assigned managed identity." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with gc_installed_vm as ( - select - distinct a.vm_id, - title - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.vm_id is null then 'skip' - when b.vm_id is not null and string_to_array(identity ->> 'type' , ', ') @> array['SystemAssigned'] then 'ok' - else 'alarm' - end as status, - case - when b.vm_id is null then a.title || ' guest configuration extension not installed.' - when b.vm_id is not null and string_to_array(identity ->> 'type' , ', ') @> array['SystemAssigned'] then a.title || ' guest configuration extension installed with system-assigned managed identity.' - else a.title || ' guest configuration extension not installed with system-assigned managed identity.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join gc_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with gc_installed_vm as (\n select\n distinct a.vm_id,\n title\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.GuestConfiguration'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vm_id is null then 'skip'\n when b.vm_id is not null and string_to_array(identity ->> 'type' , ', ') @> array['SystemAssigned'] then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is null then a.title || ' guest configuration extension not installed.'\n when b.vm_id is not null and string_to_array(identity ->> 'type' , ', ') @> array['SystemAssigned'] then a.title || ' guest configuration extension installed with system-assigned managed identity.'\n else a.title || ' guest configuration extension not installed with system-assigned managed identity.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join gc_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity.yaml b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity.yaml
index e0d88d3dd..ccf10729a 100755
--- a/compliance/controls/azure/azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity.yaml
+++ b/compliance/controls/azure/azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity.yaml
@@ -1,56 +1,21 @@ ID: azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity Title: "Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity" Description: "This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with gc_installed_vm as ( - select - distinct a.vm_id, - title - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.GuestConfiguration' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.vm_id is null then 'skip' - when not string_to_array(a.identity ->> 'type' , ', ') @> array['UserAssigned'] then 'skip' - when string_to_array(identity ->> 'type' , ', ') @> array['UserAssigned', 'SystemAssigned'] then 'ok' - else 'alarm' - end as status, - case - when b.vm_id is null then a.title || ' guest configuration extension not installed.' - when not string_to_array(a.identity ->> 'type' , ', ') @> array['UserAssigned'] then a.title || ' does not have user assigned managed identity.' - when string_to_array(identity ->> 'type' , ', ') @> array['UserAssigned', 'SystemAssigned'] then a.title || ' guest configuration extension installed with user and system assigned managed identity.' - else a.title || ' guest configuration extension not installed with user and system assigned managed identity.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join gc_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with gc_installed_vm as (\n select\n distinct a.vm_id,\n title\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.GuestConfiguration'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vm_id is null then 'skip'\n when not string_to_array(a.identity ->> 'type' , ', ') @> array['UserAssigned'] then 'skip'\n when string_to_array(identity ->> 'type' , ', ') @> array['UserAssigned', 'SystemAssigned'] then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is null then a.title || ' guest configuration extension not installed.'\n when not string_to_array(a.identity ->> 'type' , ', ') @> array['UserAssigned'] then a.title || ' does not have user assigned managed identity.'\n when string_to_array(identity ->> 'type' , ', ') @> array['UserAssigned', 'SystemAssigned'] then a.title || ' guest configuration extension installed with user and system assigned managed identity.'\n else a.title || ' guest configuration extension not installed with user and system assigned managed identity.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join gc_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" 
service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_image_builder_uses_private_link.yaml b/compliance/controls/azure/azure_compute_vm_image_builder_uses_private_link.yaml index a8690b75a..c60287dc8 100755 --- a/compliance/controls/azure/azure_compute_vm_image_builder_uses_private_link.yaml +++ b/compliance/controls/azure/azure_compute_vm_image_builder_uses_private_link.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_image_builder_uses_private_link Title: "VM Image Builder templates should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your VM Image Builder building resources, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_jit_access_protected.yaml b/compliance/controls/azure/azure_compute_vm_jit_access_protected.yaml index 9250a2735..65b7dbb7e 100755 --- a/compliance/controls/azure/azure_compute_vm_jit_access_protected.yaml +++ b/compliance/controls/azure/azure_compute_vm_jit_access_protected.yaml 
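Review bot: A VM that has the Guest Configuration extension but no `identity` block at all is graded 'alarm' instead of 'skip' by the new-side query: `identity ->> 'type'` is null, `string_to_array(null, ', ')` is null, `null @> array[...]` is null, and `not null` is still null, so neither `when` branch fires and the CASE falls through to `else 'alarm'`. The Title scopes this control to VMs that already have a user-assigned identity, and the no-identity case is the subject of `azure_compute_vm_guest_configuration_with_no_managed_identity` in this same commit, so such VMs are double-counted across the two controls. Guard the second branch of both CASE expressions: `when a.identity is null or not string_to_array(a.identity ->> 'type' , ', ') @> array['UserAssigned'] then 'skip'`, with the reason branch changed the same way. The third branch's unqualified `identity` should also read `a.identity` for consistency with the branch above it.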
@@ -1,58 +1,22 @@ ID: azure_compute_vm_jit_access_protected Title: "Management ports of virtual machines should be protected with just-in-time network access control" Description: "Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with compute as ( - select - vm.id as resource, - 'alarm' as status, - vm.name || ' not JIT protected.' as reason, - vm.resource_group, - sub.display_name as subscription - from - azure_compute_virtual_machine as vm, - azure_subscription sub - where - vm.subscription_id = sub.subscription_id - ) - select - distinct vm.vm_id as resource, - vm.og_account_id as og_account_id, - vm.og_resource_id as og_resource_id, - case - when lower(vm.id) = lower(vms ->> 'id') then 'ok' - else 'alarm' - end as status, - case - when lower(vms ->> 'id') = lower(vm.id) then vm.name || ' JIT protected.' - else vm.name || ' not JIT protected.' - end as reason - - , vm.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as vm, - azure_security_center_jit_network_access_policy as jit, - jsonb_array_elements(virtual_machines) as vms, - azure_subscription as sub - left join compute on true - where - jit.subscription_id = sub.subscription_id; + QueryToExecute: "with compute as (\n select\n vm.id as resource,\n 'alarm' as status,\n vm.name || ' not JIT protected.' 
as reason,\n vm.resource_group,\n sub.display_name as subscription\n from\n azure_compute_virtual_machine as vm,\n azure_subscription sub\n where\n vm.subscription_id = sub.subscription_id\n)\nselect\n distinct vm.vm_id as resource,\n vm.og_account_id as og_account_id,\n vm.og_resource_id as og_resource_id,\n case\n when lower(vm.id) = lower(vms ->> 'id') then 'ok'\n else 'alarm'\n end as status,\n case\n when lower(vms ->> 'id') = lower(vm.id) then vm.name || ' JIT protected.'\n else vm.name || ' not JIT protected.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm,\n azure_security_center_jit_network_access_policy as jit,\n jsonb_array_elements(virtual_machines) as vms,\n azure_subscription as sub\n left join compute on true\nwhere\n jit.subscription_id = sub.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_security_center_jit_network_access_policy - - azure_subscription + - azure_compute_virtual_machine + - azure_security_center_jit_network_access_policy + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed.yaml index f582ef3aa..956908979 100755 --- a/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed.yaml 
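Review bot: The outer query cross-joins every VM with every JIT policy entry — `azure_compute_virtual_machine as vm, azure_security_center_jit_network_access_policy as jit, jsonb_array_elements(virtual_machines) as vms` has no join condition between `vm` and `jit` — so a protected VM yields one 'ok' row plus one 'alarm' row per other VM listed in any policy (`distinct` cannot collapse them because the status differs), and because `sub` is matched on `jit.subscription_id` rather than `vm.subscription_id` the subscription column can name the wrong subscription. The more serious effect for a security control: a subscription with no JIT policy contributes zero rows to the cross join, so none of its VMs are ever reported as unprotected. The `compute` CTE is `left join compute on true` and never referenced. Build the protected set in a CTE keyed on the lowered VM id and left-join the VM table to it, as below; I would also keep the SQL as a `|` block scalar rather than the escaped one-line string this hunk introduces.
```yaml
# … unchanged: ID, Title, Description, Query.Engine …
  QueryToExecute: |
    with jit_protected_vm as (
      select distinct
        lower(vms ->> 'id') as vm_id
      from
        azure_security_center_jit_network_access_policy as jit,
        jsonb_array_elements(jit.virtual_machines) as vms
    )
    select
      vm.vm_id as resource,
      vm.og_account_id as og_account_id,
      vm.og_resource_id as og_resource_id,
      case
        when p.vm_id is not null then 'ok'
        else 'alarm'
      end as status,
      case
        when p.vm_id is not null then vm.name || ' JIT protected.'
        else vm.name || ' not JIT protected.'
      end as reason,
      vm.resource_group as resource_group,
      sub.display_name as subscription
    from
      azure_compute_virtual_machine as vm
      left join jit_protected_vm as p on lower(vm.id) = p.vm_id,
      azure_subscription as sub
    where
      sub.subscription_id = vm.subscription_id;
# … unchanged: PrimaryTable, ListOfTables, Parameters, Severity, Tags, IntegrationTypeName …
```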
@@ -1,54 +1,21 @@ ID: azure_compute_vm_log_analytics_agent_installed Title: "Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring" Description: "This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring' - and b ->> 'ExtensionType' = any(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux']) - and b ->> 'ProvisioningState' = 'Succeeded' - and b -> 'Settings' ->> 'workspaceId' is not null - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when b.vm_id is not null then a.title || ' have log analytics agent installed.' - else a.title || ' log analytics agent not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring'\n and b ->> 'ExtensionType' = any(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux'])\n and b ->> 'ProvisioningState' = 'Succeeded'\n and b -> 'Settings' ->> 'workspaceId' is not null\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is not null then a.title || ' have log analytics agent installed.'\n else a.title || ' log analytics agent not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed_windows.yaml b/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed_windows.yaml index 403b7ce6e..fb5515d6a 100755 --- a/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed_windows.yaml 
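Review bot: The `agent_installed_vm` CTE only recognises the legacy Log Analytics agent (`Publisher = 'Microsoft.EnterpriseCloud.Monitoring'` with `ExtensionType` in `MicrosoftMonitoringAgent` / `OmsAgentForLinux`), which Microsoft has retired in favour of Azure Monitor Agent; run against an estate that has migrated, every VM comes back 'alarm' and the finding is noise rather than a real monitoring gap. Either widen the CTE to also accept the AMA extension (publisher `Microsoft.Azure.Monitor`, extension types `AzureMonitorWindowsAgent` / `AzureMonitorLinuxAgent` — confirm against the extension catalogue) or say so in the control text, e.g. `Description: "This policy audits any Windows/Linux virtual machines if the Log Analytics extension is not installed. Only the legacy MMA/OMS extension is recognised; VMs monitored via Azure Monitor Agent are flagged."`. If AMA is added, the `b -> 'Settings' ->> 'workspaceId' is not null` predicate must be scoped to the legacy types, since AMA does not carry the workspace in extension settings. The same consideration applies to the Windows-only sibling control in this commit.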
+++ b/compliance/controls/azure/azure_compute_vm_log_analytics_agent_installed_windows.yaml 
@@ -1,54 +1,19 @@ ID: azure_compute_vm_log_analytics_agent_installed_windows Title: "Audit Windows machines on which the Log Analytics agent is not connected as expected" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring' - and b ->> 'ExtensionType' = any(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux']) - and b ->> 'ProvisioningState' = 'Succeeded' - and b -> 'Settings' ->> 'workspaceId' is not null - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating syetem.' - when b.vm_id is not null then a.title || ' have log analytics agent installed.' - else a.title || ' log analytics agent not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring'\n and b ->> 'ExtensionType' = any(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux'])\n and b ->> 'ProvisioningState' = 'Succeeded'\n and b -> 'Settings' ->> 'workspaceId' is not null\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating syetem.'\n when b.vm_id is not null then a.title || ' have log analytics agent installed.'\n else a.title || ' log analytics agent not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_malware_agent_automatic_upgrade_enabled.yaml b/compliance/controls/azure/azure_compute_vm_malware_agent_automatic_upgrade_enabled.yaml index 8246f1050..b6c45e5bd 100755 
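Review bot: The rewritten `QueryToExecute` marks a Windows VM `ok` whenever an extension with a non-null `Settings.workspaceId` is present, but the Description says the machine must be registered to the workspace named in the policy parameter, and with `Parameters: []` no expected workspace is ever compared, so a VM reporting to an unexpected workspace passes. Either add a workspace parameter and compare `b -> 'Settings' ->> 'workspaceId'` against it, or narrow the Description to what the query actually checks. The `ExtensionType` list still accepts `OmsAgentForLinux` on a control that skips non-Windows hosts, and the reason text carries the typo `operating syetem.`. Separately, turning the `|` block scalar into a double-quoted string with embedded `\n` (here and in the malware, password-age, password-length and security-baseline hunks below) makes the SQL unreadable in review and leaves a whitespace-only line in `reason\n \n ,`; keeping `QueryToExecute: |-` avoids both.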
--- a/compliance/controls/azure/azure_compute_vm_malware_agent_automatic_upgrade_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_malware_agent_automatic_upgrade_enabled.yaml 
@@ -1,53 +1,19 @@ ID: azure_compute_vm_malware_agent_automatic_upgrade_enabled Title: "Microsoft Antimalware for Azure should be configured to automatically update protection signatures" Description: "This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with malware_agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.Azure.Security' - and b ->> 'ExtensionType' = 'IaaSAntimalware' - and b ->> 'AutoUpgradeMinorVersion' = 'true' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating syetem.' - when b.vm_id is not null then a.title || ' automatic update of Microsoft Antimalware protection signatures enabled.' - else a.title || ' automatic update of Microsoft Antimalware protection signatures not enabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join malware_agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with malware_agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.Azure.Security'\n and b ->> 'ExtensionType' = 'IaaSAntimalware'\n and b ->> 'AutoUpgradeMinorVersion' = 'true'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating syetem.'\n when b.vm_id is not null then a.title || ' automatic update of Microsoft Antimalware protection signatures enabled.'\n else a.title || ' automatic update of Microsoft Antimalware protection signatures not enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join malware_agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_malware_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_malware_agent_installed.yaml index 70c1271b3..b52dec9f7 100755 
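Review bot: The `malware_agent_installed_vm` CTE accepts an IaaSAntimalware extension regardless of its `ProvisioningState`, so a failed or pending install is reported `ok`; the log-analytics controls in this same diff guard with `and b ->> 'ProvisioningState' = 'Succeeded'`, and the same line belongs in this `where` clause. Also, `AutoUpgradeMinorVersion` appears to govern automatic minor-version upgrade of the extension itself rather than antimalware signature updates, which is what the Title and Description promise — worth confirming against the extension schema and, if so, rewording the Description to `automatic minor-version upgrade of the Microsoft Antimalware extension`. The missing `ProvisioningState` check applies to the malware_agent_installed hunk below as well.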
--- a/compliance/controls/azure/azure_compute_vm_malware_agent_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_malware_agent_installed.yaml 
@@ -1,50 +1,19 @@ ID: azure_compute_vm_malware_agent_installed Title: "Deploy default Microsoft IaaSAntimalware extension for Windows Server" Description: "This policy deploys a Microsoft IaaSAntimalware extension with a default configuration when a VM is not configured with the antimalware extension." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with malware_agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.Azure.Security' - and b ->> 'ExtensionType' = 'IaaSAntimalware' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when b.vm_id is not null then a.title || ' IaaSAntimalware extension installed.' - else a.title || ' IaaSAntimalware extension not installed.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join malware_agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with malware_agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.Azure.Security'\n and b ->> 'ExtensionType' = 'IaaSAntimalware'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is not null then a.title || ' IaaSAntimalware extension installed.'\n else a.title || ' IaaSAntimalware extension not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as 
a\n left join malware_agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_max_password_age_70_days_windows.yaml b/compliance/controls/azure/azure_compute_vm_max_password_age_70_days_windows.yaml index f4fa0526a..dfed97972 100755 --- a/compliance/controls/azure/azure_compute_vm_max_password_age_70_days_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_max_password_age_70_days_windows.yaml 
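Review bot: The status `case` has no `os_type` branch, so every Linux VM is reported `alarm` for a control whose Title scopes it to Windows Server; the sibling controls in this diff open both `case` expressions with `when a.os_type <> 'Windows' then 'skip'` (and a matching reason line), and the same belongs here. As noted on the auto-upgrade hunk above, the CTE also accepts an extension whose `ProvisioningState` is not `Succeeded`.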
@@ -1,54 +1,21 @@ ID: azure_compute_vm_max_password_age_70_days_windows Title: "Audit Windows machines that do not have a maximum password age of 70 days" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have a maximum password age of 70 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_maximum_password_age as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(guest_configuration_assignments) as b - where - b -> 'guestConfiguration' ->> 'name'= 'MaximumPasswordAge' - and b ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' maximum password age is 70 days.' - else a.title || ' maximum password age is not 70 days.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join vm_maximum_password_age as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with vm_maximum_password_age as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'MaximumPasswordAge'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' maximum password age is 70 days.'\n else a.title || ' maximum password age is not 70 days.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_maximum_password_age as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_meet_firewall_properties_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_firewall_properties_windows.yaml index a7d2de19f..290361b17 100755 
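Review bot: The CTE reads the configuration name via `b -> 'guestConfiguration' ->> 'name'`, while the security-baseline controls later in this diff read `e ->> 'name'` on the same `guest_configuration_assignments` element; if those two keys hold different values (assignment name versus configuration name), one family of controls matches nothing and silently reports `alarm` for every Windows VM. Worth confirming against a sample row and settling on one path, with a comment above the CTE naming which key holds the configuration name so the next edit does not drift again. The same applies to the min-password-age and min-password-length hunks below.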
--- a/compliance/controls/azure/azure_compute_vm_meet_firewall_properties_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_firewall_properties_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_meet_firewall_properties_windows Title: "Windows machines should meet requirements for 'Windows Firewall Properties'" Description: "Windows machines should have the specified Group Policy settings in the category 'Windows Firewall Properties' for firewall state, connections, rule management, and notifications. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_linux.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_linux.yaml index 2579a1727..45dcfc3ad 100755 --- a/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_linux.yaml 
@@ -1,55 +1,19 @@ ID: azure_compute_vm_meet_security_baseline_requirements_linux Title: "Linux machines should meet requirements for the Azure compute security baseline" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with compute_machine as( - select - id, - name, - subscription_id, - resource_group - from - azure_compute_virtual_machine, - jsonb_array_elements(guest_configuration_assignments) as e - where - e ->> 'name' = 'AzureLinuxBaseline' - and e ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Linux' then 'skip' - when m.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Linux' then a.name || ' is of ' || a.os_type || ' operating system.' - when m.id is not null then a.name || ' meet requirements for azure compute security baseline.' - else a.name || ' does not meet requirements for azure compute security baseline.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join compute_machine as m on m.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_compute_virtual_machine,\n jsonb_array_elements(guest_configuration_assignments) as e\n where\n e ->> 'name' = 'AzureLinuxBaseline'\n and e ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Linux' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.name || ' is of ' || a.os_type || ' operating system.'\n when m.id is not null then a.name || ' meet requirements for azure compute security baseline.'\n else a.name || ' does not meet requirements for azure compute security baseline.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join compute_machine as m on m.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_windows.yaml index 7e7748e38..11100ee71 100755 
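Review bot: `compute_machine` returns `id, name, subscription_id, resource_group` without `distinct`, yet only `id` is consumed by the `left join`, so a VM with more than one matching assignment element would be reported twice; trimming the CTE to `select distinct id` matches the `distinct a.vm_id` shape used by the other CTEs in this diff. The same applies to the Windows baseline hunk below.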
--- a/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_security_baseline_requirements_windows.yaml 
@@ -1,55 +1,19 @@ ID: azure_compute_vm_meet_security_baseline_requirements_windows Title: "Windows machines should meet requirements of the Azure compute security baseline" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine is not configured correctly for one of the recommendations in the Azure compute security baseline." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with compute_machine as( - select - id, - name, - subscription_id, - resource_group - from - azure_compute_virtual_machine, - jsonb_array_elements(guest_configuration_assignments) as e - where - e ->> 'name' = 'AzureWindowsBaseline' - and e ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when m.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.' - when m.id is not null then a.name || ' meet requirements for azure compute security baseline.' - else a.name || ' does not meet requirements for azure compute security baseline.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join compute_machine as m on m.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_compute_virtual_machine,\n jsonb_array_elements(guest_configuration_assignments) as e\n where\n e ->> 'name' = 'AzureWindowsBaseline'\n and e ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.'\n when m.id is not null then a.name || ' meet requirements for azure compute security baseline.'\n else a.name || ' does not meet requirements for azure compute security baseline.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join compute_machine as m on m.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_option_audit_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_option_audit_requirement_windows.yaml index cb43decaf..a90f02a24 100755 
--- a/compliance/controls/azure/azure_compute_vm_meet_security_option_audit_requirement_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_security_option_audit_requirement_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_meet_security_option_audit_requirement_windows Title: "Windows machines should meet requirements for 'Security Options - Audit'" Description: "Windows machines should have the specified Group Policy settings in the category 'Security Options - Audit' for forcing audit policy subcategory and shutting down if unable to log security audits. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_option_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_option_requirement_windows.yaml index 692b7d925..e63770ce0 100755 --- a/compliance/controls/azure/azure_compute_vm_meet_security_option_requirement_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_security_option_requirement_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_meet_security_option_requirement_windows Title: "Windows machines should meet requirements for 'Security Options - Accounts'" Description: "Windows machines should have the specified Group Policy settings in the category 'Security Options - Accounts' for limiting local account use of blank passwords and guest account status. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_options_network_access_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_options_network_access_requirement_windows.yaml index 736462bb6..e8b3915af 100755 --- a/compliance/controls/azure/azure_compute_vm_meet_security_options_network_access_requirement_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_security_options_network_access_requirement_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_meet_security_options_network_access_requirement_windows Title: "Windows machines should meet requirements for 'Security Options - Network Access'" Description: "Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_options_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_options_requirement_windows.yaml index 6f16f347f..c02288a5f 100755 --- a/compliance/controls/azure/azure_compute_vm_meet_security_options_requirement_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_security_options_requirement_windows.yaml 
@@ -1,8 +1,6 @@ ID: azure_compute_vm_meet_security_options_requirement_windows Title: "Windows machines should meet requirements for 'Security Options - Recovery console'" Description: "Windows machines should have the specified Group Policy settings in the category 'Security Options - Recovery console' for allowing floppy copy and access to all drives and folders. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_meet_security_options_user_account_control_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_security_options_user_account_control_requirement_windows.yaml index 08d4346fa..a7c92d208 100755 --- a/compliance/controls/azure/azure_compute_vm_meet_security_options_user_account_control_requirement_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_security_options_user_account_control_requirement_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_meet_security_options_user_account_control_requirement_windows Title: "Windows machines should meet requirements for 'Security Options - User Account Control'" Description: "Windows machines should have the specified Group Policy settings in the category 'Security Options - User Account Control' for mode for admins, behavior of elevation prompt, and virtualizing file and registry write failures. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_compute_vm_meet_system_audit_policies_requirement_windows.yaml b/compliance/controls/azure/azure_compute_vm_meet_system_audit_policies_requirement_windows.yaml index 0e037484a..27efaf0f7 100755 --- a/compliance/controls/azure/azure_compute_vm_meet_system_audit_policies_requirement_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_meet_system_audit_policies_requirement_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_meet_system_audit_policies_requirement_windows Title: "Windows machines should meet requirements for 'System Audit Policies - Detailed Tracking'" Description: "Windows machines should have the specified Group Policy settings in the category 'System Audit Policies - Detailed Tracking' for auditing DPAPI, process creation/termination, RPC events, and PNP activity. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_min_password_age_1_day_windows.yaml b/compliance/controls/azure/azure_compute_vm_min_password_age_1_day_windows.yaml index b24caddec..f5de65e27 100755 --- a/compliance/controls/azure/azure_compute_vm_min_password_age_1_day_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_min_password_age_1_day_windows.yaml 
@@ -1,52 +1,19 @@ ID: azure_compute_vm_min_password_age_1_day_windows Title: "Audit Windows machines that do not have a minimum password age of 1 day" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have a minimum password age of 1 day." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_min_password_age as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(guest_configuration_assignments) as b - where - b -> 'guestConfiguration' ->> 'name'= 'MinimumPasswordAge' - and b ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' minimum password age is 1 day.' - else a.title || ' minimum password age is not 1 day.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join vm_min_password_age as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with vm_min_password_age as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'MinimumPasswordAge'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' minimum password age is 1 day.'\n else a.title || ' minimum password age is not 1 day.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_min_password_age as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_min_password_length_14_windows.yaml b/compliance/controls/azure/azure_compute_vm_min_password_length_14_windows.yaml index c7a3e1c45..3fc676c6a 100755 --- a/compliance/controls/azure/azure_compute_vm_min_password_length_14_windows.yaml 
+++ b/compliance/controls/azure/azure_compute_vm_min_password_length_14_windows.yaml 
@@ -1,54 +1,21 @@ ID: azure_compute_vm_min_password_length_14_windows Title: "Audit Windows machines that do not restrict the minimum password length to 14 characters" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not restrict the minimum password length to 14 characters." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_min_password_age as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(guest_configuration_assignments) as b - where - b -> 'guestConfiguration' ->> 'name'= 'MinimumPasswordLength' - and b ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' minimum password length is 14 characters.' - else a.title || ' minimum password length is not 14 characters.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join vm_min_password_age as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with vm_min_password_age as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'MinimumPasswordLength'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' minimum password length is 14 characters.'\n else a.title || ' minimum password length is not 14 characters.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_min_password_age as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_monitor_missing_endpoint_protection_in_asc.yaml b/compliance/controls/azure/azure_compute_vm_monitor_missing_endpoint_protection_in_asc.yaml index 4c92e2faf..f431b497e 100755 
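Review bot: `QueryToExecute` on the new side is a single double-quoted scalar with embedded `\n` escapes where the old side had a `|` block scalar, so the SQL is no longer readable or line-diffable in review; the `|` / `|-` block form is the conventional YAML for multi-line text, and the hunks for network_traffic_data_collection_linux/windows, password_complexity_setting_enabled_windows, passwords_stored_using_reversible_encryption_windows, remote_access_restricted_all_ports, restrict_previous_24_passwords_resuse_windows and restrict_remote_connection_from_accounts_without_password_linux have the same change. The uniform shape suggests a serializer that cannot emit block scalars; if so, fixing the emitter is preferable to accepting quoted SQL across every control. Separately, the CTE is named `vm_min_password_age` while it filters on `'MinimumPasswordLength'`, apparently carried over from the sibling min-password-age control; naming it `vm_min_password_length` (in the CTE and the `left join`) would keep the query self-describing.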
--- a/compliance/controls/azure/azure_compute_vm_monitor_missing_endpoint_protection_in_asc.yaml +++ b/compliance/controls/azure/azure_compute_vm_monitor_missing_endpoint_protection_in_asc.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_monitor_missing_endpoint_protection_in_asc Title: "Monitor missing Endpoint Protection in Azure Security Center" Description: "Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_linux_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_linux_agent_installed.yaml index 054d834ad..65938c639 100755 --- a/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_linux_agent_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_linux_agent_installed.yaml 
@@ -1,55 +1,21 @@ ID: azure_compute_vm_network_traffic_data_collection_linux_agent_installed Title: "Network traffic data collection agent should be installed on Linux virtual machines" Description: "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'ExtensionType' = 'DependencyAgentLinux' - and b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent' - and b ->> 'ProvisioningState' = 'Succeeded' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Linux' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' have data collection agent installed.' - else a.title || ' data collection agent not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'ExtensionType' = 'DependencyAgentLinux'\n and b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent'\n and b ->> 'ProvisioningState' = 'Succeeded'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Linux' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have data collection agent installed.'\n else a.title || ' data collection agent not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_windows_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_windows_agent_installed.yaml index 8654e72ee..f72446d79 100755 
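Review bot: The `reason` strings in the new `QueryToExecute` are ungrammatical: `' have data collection agent installed.'` and `' data collection agent not installed.'` follow a singular `a.title`, and these strings are what an operator sees in findings. Suggest `when b.vm_id is not null then a.title || ' has the data collection agent installed.'` and `else a.title || ' does not have the data collection agent installed.'`; the Windows variant in the next hunk carries identical strings and should change together.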
--- a/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_windows_agent_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_network_traffic_data_collection_windows_agent_installed.yaml 
@@ -1,55 +1,21 @@ ID: azure_compute_vm_network_traffic_data_collection_windows_agent_installed Title: "Network traffic data collection agent should be installed on Windows virtual machines" Description: "Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'ExtensionType' = 'DependencyAgentWindows' - and b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent' - and b ->> 'ProvisioningState' = 'Succeeded' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' have data collection agent installed.' - else a.title || ' data collection agent not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'ExtensionType' = 'DependencyAgentWindows'\n and b ->> 'Publisher' = 'Microsoft.Azure.Monitoring.DependencyAgent'\n and b ->> 'ProvisioningState' = 'Succeeded'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have data collection agent installed.'\n else a.title || ' data collection agent not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_non_internet_facing_protected_with_nsg.yaml b/compliance/controls/azure/azure_compute_vm_non_internet_facing_protected_with_nsg.yaml index 9a876771e..73aa9e77f 100755 
--- a/compliance/controls/azure/azure_compute_vm_non_internet_facing_protected_with_nsg.yaml +++ b/compliance/controls/azure/azure_compute_vm_non_internet_facing_protected_with_nsg.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_non_internet_facing_protected_with_nsg Title: "Non-internet-facing virtual machines should be protected with network security groups" Description: "Protect your non-internet-facing virtual machines from potential threats by restricting access with network security groups (NSG)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_password_complexity_setting_enabled_windows.yaml b/compliance/controls/azure/azure_compute_vm_password_complexity_setting_enabled_windows.yaml index 6bfe73f4e..cdcf9c8ec 100755 --- a/compliance/controls/azure/azure_compute_vm_password_complexity_setting_enabled_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_password_complexity_setting_enabled_windows.yaml 
@@ -1,52 +1,19 @@ ID: azure_compute_vm_password_complexity_setting_enabled_windows Title: "Audit Windows machines that do not have the password complexity setting enabled" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not have the password complexity setting enabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_password_complexity_setting as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(guest_configuration_assignments) as b - where - b -> 'guestConfiguration' ->> 'name'= 'PasswordMustMeetComplexityRequirements' - and b ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' password complexity setting enabled.' - else a.title || ' password complexity setting disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join vm_password_complexity_setting as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with vm_password_complexity_setting as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'PasswordMustMeetComplexityRequirements'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' password complexity setting enabled.'\n else a.title || ' password complexity setting disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_password_complexity_setting as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_password_file_permissions_0644_linux.yaml b/compliance/controls/azure/azure_compute_vm_password_file_permissions_0644_linux.yaml index a5ee5ebfe..6a944e5f9 100755 
--- a/compliance/controls/azure/azure_compute_vm_password_file_permissions_0644_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_password_file_permissions_0644_linux.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_password_file_permissions_0644_linux Title: "Audit Linux machines that do not have the passwd file permissions set to 0644" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that do not have the passwd file permissions set to 0644" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_passwords_stored_using_reversible_encryption_windows.yaml b/compliance/controls/azure/azure_compute_vm_passwords_stored_using_reversible_encryption_windows.yaml index 7aea57f61..f67f2bab9 100755 --- a/compliance/controls/azure/azure_compute_vm_passwords_stored_using_reversible_encryption_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_passwords_stored_using_reversible_encryption_windows.yaml 
@@ -1,52 +1,19 @@ ID: azure_compute_vm_passwords_stored_using_reversible_encryption_windows Title: "Audit Windows machines that do not store passwords using reversible encryption" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that do not store passwords using reversible encryption." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_password_reversible_encryption as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(guest_configuration_assignments) as b - where - b -> 'guestConfiguration' ->> 'name'= 'StorePasswordsUsingReversibleEncryption' - and b ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' store passwords using reversible encryption.' 
- else a.title || ' not store passwords using reversible encryption' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join vm_password_reversible_encryption as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with vm_password_reversible_encryption as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'StorePasswordsUsingReversibleEncryption'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' store passwords using reversible encryption.'\n else a.title || ' not store passwords using reversible encryption'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_password_reversible_encryption as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription 
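Review bot: The `reason` strings in the new `QueryToExecute` describe the wrong state: the 'ok' branch (the `StorePasswordsUsingReversibleEncryption` guest configuration reporting `Compliant`) emits `a.title || ' store passwords using reversible encryption.'`, which reads as the insecure setting being enabled, while the 'alarm' branch says the opposite and also lacks its closing period. The guest configuration's `Compliant` status, as far as I can tell, means reversible storage is disabled, so the wording should be swapped, e.g. `when b.vm_id is not null then a.title || ' does not store passwords using reversible encryption.'` and `else a.title || ' stores passwords using reversible encryption.'`. The Title and Description context lines phrase the audited condition the same ambiguous way ("do not store passwords using reversible encryption") and would be clearer stated as the compliant requirement.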
diff --git a/compliance/controls/azure/azure_compute_vm_remote_access_restricted_all_ports.yaml b/compliance/controls/azure/azure_compute_vm_remote_access_restricted_all_ports.yaml index 35ffc283c..d0f6a93ca 100755 --- a/compliance/controls/azure/azure_compute_vm_remote_access_restricted_all_ports.yaml +++ b/compliance/controls/azure/azure_compute_vm_remote_access_restricted_all_ports.yaml 
@@ -1,58 +1,24 @@ ID: azure_compute_vm_remote_access_restricted_all_ports Title: "All network ports should be restricted on network security groups associated to your virtual machine" Description: "Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with network_sg as ( - select - distinct name as sg_name, - network_interfaces - from - azure_network_security_group as nsg, - jsonb_array_elements(security_rules) as sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) as dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) as sip - where - sg -> 'properties' ->> 'access' = 'Allow' - and sg -> 'properties' ->> 'direction' = 'Inbound' - and sg -> 'properties' ->> 'protocol' in ('TCP','*') - and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', '/0', '/0') - ) - select - vm.vm_id as resource, - vm.og_account_id as og_account_id, - vm.og_resource_id as og_resource_id, - case - when sg.sg_name is null then 'ok' - else 'alarm' - end as status, - case - when sg.sg_name is null then vm.title || ' restricts remote access from internet.' - else vm.title || ' allows remote access from internet.' 
- end as reason - - , vm.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as vm - left join network_sg as sg on sg.network_interfaces @> vm.network_interfaces - join azure_subscription as sub on sub.subscription_id = vm.subscription_id; + QueryToExecute: "with network_sg as (\n select\n distinct name as sg_name,\n network_interfaces\n from\n azure_network_security_group as nsg,\n jsonb_array_elements(security_rules) as sg,\n jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) as dport,\n jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) as sip\n where\n sg -> 'properties' ->> 'access' = 'Allow'\n and sg -> 'properties' ->> 'direction' = 'Inbound'\n and sg -> 'properties' ->> 'protocol' in ('TCP','*')\n and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', '/0', '/0')\n)\nselect\n vm.vm_id as resource,\n vm.og_account_id as og_account_id,\n vm.og_resource_id as og_resource_id,\n case\n when sg.sg_name is null then 'ok'\n else 'alarm'\n end as status,\n case\n when sg.sg_name is null then vm.title || ' restricts remote access from internet.'\n else vm.title || ' allows remote access from internet.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm\n left join network_sg as sg on sg.network_interfaces @> vm.network_interfaces\n join azure_subscription as sub on sub.subscription_id = vm.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_network_security_group - - azure_subscription + - azure_compute_virtual_machine + - azure_network_security_group + - azure_subscription Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" 
pci_dss_v321: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_restrict_previous_24_passwords_resuse_windows.yaml b/compliance/controls/azure/azure_compute_vm_restrict_previous_24_passwords_resuse_windows.yaml index 0f6e857ae..caae5f9fe 100755 --- a/compliance/controls/azure/azure_compute_vm_restrict_previous_24_passwords_resuse_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_restrict_previous_24_passwords_resuse_windows.yaml 
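Review bot: The `sip in (...)` filter in the new `QueryToExecute` lists `'/0'` twice and has no IPv6 any-source entry, so an inbound rule with source prefix `::/0` is never treated as internet-exposed; suggest `and sip in ('*', '0.0.0.0', '0.0.0.0/0', '::/0', 'Internet', '/0')`. The protocol filter `in ('TCP','*')` also looks fragile: if the stored values follow the ARM casing (`Tcp`), the `'TCP'` literal never matches and only `*` rules are caught, and `Udp` rules are excluded entirely even though the control title is "All network ports" — worth confirming against the table's actual values. The join `sg.network_interfaces @> vm.network_interfaces` requires a single NSG to contain every NIC of the VM, so a multi-NIC VM whose NICs sit behind different NSGs matches nothing and is reported 'ok', and NSGs attached at subnet level are not evaluated by this join at all; both cases fail open for a control whose failure mode is internet exposure. The unnested `dport` column is computed but never used, which only multiplies rows before the `distinct`.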
@@ -1,54 +1,21 @@ ID: azure_compute_vm_restrict_previous_24_passwords_resuse_windows Title: "Audit Windows machines that allow re-use of the previous 24 passwords" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Windows machines that allow re-use of the previous 24 passwords." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_enforce_password_history as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(guest_configuration_assignments) as b - where - b -> 'guestConfiguration' ->> 'name'= 'EnforcePasswordHistory' - and b ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' enforce password history.' - else a.title || ' doest not enforce password history.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join vm_enforce_password_history as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with vm_enforce_password_history as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'EnforcePasswordHistory'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' enforce password history.'\n else a.title || ' doest not enforce password history.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_enforce_password_history as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux.yaml b/compliance/controls/azure/azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux.yaml index a48caf0f7..4a0255486 100755 
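Review bot: The 'alarm' `reason` string in the new `QueryToExecute` has a typo, `' doest not enforce password history.'`; suggest `else a.title || ' does not enforce password history.'` and, for parallel grammar with a singular `a.title`, `when b.vm_id is not null then a.title || ' enforces password history.'`.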
--- a/compliance/controls/azure/azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux.yaml 
@@ -1,55 +1,19 @@ ID: azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux Title: "Audit Linux machines that allow remote connections from accounts without passwords" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if Linux machines that allow remote connections from accounts without passwords." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with compute_machine as( - select - id, - name, - subscription_id, - resource_group - from - azure_compute_virtual_machine, - jsonb_array_elements(guest_configuration_assignments) as e - where - e ->> 'name' = 'PasswordPolicy_msid110' - and e ->> 'complianceStatus' = 'Compliant' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Linux' then 'skip' - when m.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Linux' then a.name || ' is of ' || a.os_type || ' operating system.' - when m.id is not null then a.name || ' restrict remote connections from accounts without passwords.' - else a.name || ' allows remote connections from accounts without passwords.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join compute_machine as m on m.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_compute_virtual_machine,\n jsonb_array_elements(guest_configuration_assignments) as e\n where\n e ->> 'name' = 'PasswordPolicy_msid110'\n and e ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Linux' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.name || ' is of ' || a.os_type || ' operating system.'\n when m.id is not null then a.name || ' restrict remote connections from accounts without passwords.'\n else a.name || ' allows remote connections from accounts without passwords.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join compute_machine as m on m.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_automatic_upgrade_enabled.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_automatic_upgrade_enabled.yaml index a9400c25a..4a9e83135 100755 --- a/compliance/controls/azure/azure_compute_vm_scale_set_automatic_upgrade_enabled.yaml 
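Review bot: This query identifies the VM by `a.id as resource` and joins the CTE on `m.id = a.id`, while every sibling VM control in this diff uses `a.vm_id as resource` and joins on `vm_id`; unless the difference is intentional, aligning on `vm_id` keeps findings for the same machine keyed consistently across controls. The guest-configuration filter is also shaped differently from its siblings: here it is `e ->> 'name' = 'PasswordPolicy_msid110'` on the assignment element itself, whereas the other controls read `b -> 'guestConfiguration' ->> 'name'`; if `name` at the top level is the assignment's name rather than the configuration's, this predicate may never match and every Linux VM would alarm — worth verifying against real assignment data. The CTE selects `subscription_id` and `resource_group`, which are never referenced; `select id` (or `distinct id`, as the siblings do) is sufficient.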
+++ b/compliance/controls/azure/azure_compute_vm_scale_set_automatic_upgrade_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_scale_set_automatic_upgrade_enabled Title: "Compute virtual machine scale sets should have automatic OS image patching enabled" Description: "This control checks whether virtual machine scale sets have automatic OS image patching enabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_compute_virtual_machine_scale_set ListOfTables: - - azure_compute_virtual_machine_scale_set - - azure_subscription + - azure_compute_virtual_machine_scale_set + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_boot_diagnostics_enabled.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_boot_diagnostics_enabled.yaml index f4e513435..0bdf188f8 100755 --- a/compliance/controls/azure/azure_compute_vm_scale_set_boot_diagnostics_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_scale_set_boot_diagnostics_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_scale_set_boot_diagnostics_enabled Title: "Virtual Machine scale sets boot diagnostics should be enabled" Description: "This policy identifies Azure Virtual Machines scale sets which has Boot Diagnostics setting Disabled. Boot Diagnostics when enabled for virtual machine, captures Screenshot and Console Output during virtual machine startup. This would help in troubleshooting virtual machine when it enters a non-bootable state." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_compute_virtual_machine_scale_set ListOfTables: - - azure_compute_virtual_machine_scale_set - - azure_subscription + - azure_compute_virtual_machine_scale_set + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_endpoint_protection_solution_installed.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_endpoint_protection_solution_installed.yaml index f5aef4740..adfc883cc 100755 --- a/compliance/controls/azure/azure_compute_vm_scale_set_endpoint_protection_solution_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_scale_set_endpoint_protection_solution_installed.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_scale_set_endpoint_protection_solution_installed Title: "Endpoint protection solution should be installed on virtual machine scale sets" Description: "Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_log_analytics_agent_installed.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_log_analytics_agent_installed.yaml index 7b43b4d96..c6f667653 100755 --- a/compliance/controls/azure/azure_compute_vm_scale_set_log_analytics_agent_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_scale_set_log_analytics_agent_installed.yaml 
@@ -1,52 +1,19 @@ ID: azure_compute_vm_scale_set_log_analytics_agent_installed Title: "Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring" Description: "This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics extension is not installed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with agent_installed_vm_scale_set as ( - select - distinct a.id as vm_id - from - azure_compute_virtual_machine_scale_set as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring' - and b ->> 'ExtensionType' = any(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux']) - and b ->> 'ProvisioningState' = 'Succeeded' - and b -> 'Settings' ->> 'workspaceId' is not null - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when b.vm_id is not null then a.title || ' have log analytics agent installed.' - else a.title || ' log analytics agent not installed.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine_scale_set as a - left join agent_installed_vm_scale_set as b on a.id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with agent_installed_vm_scale_set as (\n select\n distinct a.id as vm_id\n from\n azure_compute_virtual_machine_scale_set as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.EnterpriseCloud.Monitoring'\n and b ->> 'ExtensionType' = any(ARRAY ['MicrosoftMonitoringAgent', 'OmsAgentForLinux'])\n and b ->> 'ProvisioningState' = 'Succeeded'\n and b -> 'Settings' ->> 'workspaceId' is not null\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is not null then a.title || ' have log analytics agent installed.'\n else a.title || ' log analytics agent not installed.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine_scale_set as a\n left join agent_installed_vm_scale_set as b on a.id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine_scale_set ListOfTables: - - azure_compute_virtual_machine_scale_set - - azure_subscription + - azure_compute_virtual_machine_scale_set + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_logging_enabled.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_logging_enabled.yaml index c8a27556f..55c9eb09f 100755 
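Review bot: Rewriting `QueryToExecute: |` as one double-quoted scalar full of `\n` escapes makes the SQL unreadable and undiffable; the block-scalar form (`QueryToExecute: |-` with the query indented beneath it) is the idiomatic YAML and is what the controls this diff leaves untouched still use. The same flattening appears in the hunks for azure_compute_vm_scale_set_logging_enabled, azure_compute_vm_secure_communication_protocols_configured, azure_compute_vm_ssh_key_authentication_linux, azure_compute_vm_system_updates_installed, azure_compute_vm_tcp_udp_access_restricted_internet, azure_compute_vm_uses_azure_resource_manager and azure_compute_vm_utilizing_managed_disk. The flattened string also carries a stray `\n \n` (a line holding a single space) before `, a.resource_group`, which a block scalar would have made visible and easy to drop. Separately, the extension match accepts only `MicrosoftMonitoringAgent`/`OmsAgentForLinux`; scale sets that have moved to the newer Azure Monitor agent would be reported as `alarm` despite being monitored, so the intended coverage is worth confirming and stating in the Description.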
--- a/compliance/controls/azure/azure_compute_vm_scale_set_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_compute_vm_scale_set_logging_enabled.yaml
@@ -1,55 +1,21 @@ ID: azure_compute_vm_scale_set_logging_enabled Title: "Resource logs in Virtual Machine Scale Sets should be enabled" Description: "It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with malware_agent_installed_vm as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Microsoft.Azure.Security' - and b ->> 'ExtensionType' = 'IaaSAntimalware' - and b ->> 'AutoUpgradeMinorVersion' = 'true' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating syetem.' - when b.vm_id is not null then a.title || ' automatic update of Microsoft Antimalware protection signatures enabled.' - else a.title || ' automatic update of Microsoft Antimalware protection signatures not enabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join malware_agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with malware_agent_installed_vm as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Microsoft.Azure.Security'\n and b ->> 'ExtensionType' = 'IaaSAntimalware'\n and b ->> 'AutoUpgradeMinorVersion' = 'true'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.title || ' is of ' || a.os_type || ' operating syetem.'\n when b.vm_id is not null then a.title || ' automatic update of Microsoft Antimalware protection signatures enabled.'\n else a.title || ' automatic update of Microsoft Antimalware protection signatures not enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join malware_agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription 
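Review bot: The query kept on the new side does not test what the control's ID and Title describe: the file is `azure_compute_vm_scale_set_logging_enabled` / "Resource logs in Virtual Machine Scale Sets should be enabled", yet the SQL reads `azure_compute_virtual_machine` (not scale sets) and reports `ok` only when the `IaaSAntimalware` extension has `AutoUpgradeMinorVersion = 'true'`, with reason text about antimalware signature updates. Results from this control therefore say nothing about resource logging on scale sets, and `PrimaryTable`/`ListOfTables` agree with the query rather than with the Title. Either the query should be replaced with one that inspects scale-set diagnostic/log settings, or the ID, Title and Description should be corrected to describe the antimalware auto-update check. The reason string also misspells `' operating syetem.'` → `' operating system.'`.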
diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated.yaml index b407b5279..a6b62fe5c 100755 --- a/compliance/controls/azure/azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated.yaml +++ b/compliance/controls/azure/azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated Title: "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated" Description: "Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_ssh_key_authentication_linux.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_ssh_key_authentication_linux.yaml index beab1f8c2..650bd3fe2 100755 --- a/compliance/controls/azure/azure_compute_vm_scale_set_ssh_key_authentication_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_scale_set_ssh_key_authentication_linux.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_scale_set_ssh_key_authentication_linux Title: "Compute virtual machine scale sets with linux OS should have SSH key authentication enabled" Description: "This control checks whether virtual machine scale sets have SSH key authentication enabled. This control is only applicable for Linux-type operating systems." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -27,8 +25,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_compute_virtual_machine_scale_set ListOfTables: - - azure_compute_virtual_machine_scale_set - - azure_subscription + - azure_compute_virtual_machine_scale_set + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_system_updates_installed.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_system_updates_installed.yaml index d391f18db..77f76163d 100755 --- a/compliance/controls/azure/azure_compute_vm_scale_set_system_updates_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_scale_set_system_updates_installed.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_scale_set_system_updates_installed Title: "System updates on virtual machine scale sets should be installed" Description: "Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_scale_set_uses_managed_disks.yaml b/compliance/controls/azure/azure_compute_vm_scale_set_uses_managed_disks.yaml index 453fae0a6..8de66e47e 100755 --- a/compliance/controls/azure/azure_compute_vm_scale_set_uses_managed_disks.yaml +++ b/compliance/controls/azure/azure_compute_vm_scale_set_uses_managed_disks.yaml 
@@ -1,8 +1,6 @@ ID: azure_compute_vm_scale_set_uses_managed_disks Title: "Virtual machine scale sets should use managed disks" Description: "This policy identifies Azure Virtual machine scale sets which are not utilising Managed Disks. Using Azure Managed disk over traditional BLOB storage based VHD's has more advantage features like Managed disks are by default encrypted, reduces cost over storage accounts and more resilient as Microsoft will manage the disk storage and move around if underlying hardware goes faulty. It is recommended to move BLOB based VHD's to Managed Disks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_compute_virtual_machine_scale_set ListOfTables: - - azure_compute_virtual_machine_scale_set - - azure_subscription + - azure_compute_virtual_machine_scale_set + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_secure_communication_protocols_configured.yaml b/compliance/controls/azure/azure_compute_vm_secure_communication_protocols_configured.yaml index 98873e727..717bb8756 100755 --- a/compliance/controls/azure/azure_compute_vm_secure_communication_protocols_configured.yaml +++ b/compliance/controls/azure/azure_compute_vm_secure_communication_protocols_configured.yaml 
@@ -1,58 +1,19 @@ ID: azure_compute_vm_secure_communication_protocols_configured Title: "Windows web servers should be configured to use secure communication protocols" Description: "To protect the privacy of information communicated over the Internet, your web servers should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by using security certificates to encrypt a connection between machines." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with compute_machine as( - select - id, - name, - subscription_id, - resource_group,c - from - azure_compute_virtual_machine, - jsonb_array_elements(guest_configuration_assignments) as e, - jsonb_array_elements(e -> 'guestConfiguration' -> 'configurationParameter') as c - where - e ->> 'name' = 'AuditSecureProtocol' - and e ->> 'complianceStatus' = 'Compliant' - and c ->> 'name' = 'MinimumTLSVersion' - and c ->> 'value' = '1.3' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when m.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.' - when m.id is not null then a.name || ' configured to use secure communication protocols.' - else a.name || ' not configured to use secure communication protocols.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join compute_machine as m on m.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group,c\n from\n azure_compute_virtual_machine,\n jsonb_array_elements(guest_configuration_assignments) as e,\n jsonb_array_elements(e -> 'guestConfiguration' -> 'configurationParameter') as c\n where\n e ->> 'name' = 'AuditSecureProtocol'\n and e ->> 'complianceStatus' = 'Compliant'\n and c ->> 'name' = 'MinimumTLSVersion'\n and c ->> 'value' = '1.3'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.'\n when m.id is not null then a.name || ' configured to use secure communication protocols.'\n else a.name || ' not configured to use secure communication protocols.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join compute_machine as m on m.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription 
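Review bot: The CTE `compute_machine` projects `resource_group,c` — `c` being the jsonb `configurationParameter` element — although only `id` is used in the join, and the missing space after the comma suggests `c` was left in by accident; the select list should end with `resource_group` alone. The compliance test also requires `c ->> 'value' = '1.3'` exactly, so a machine whose `MinimumTLSVersion` parameter is `1.2` is reported as `alarm`; if TLS 1.2 is an acceptable floor for this control the comparison should be `and c ->> 'value' in ('1.2', '1.3')`, and the Description should state the required minimum either way rather than "the latest version".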
diff --git a/compliance/controls/azure/azure_compute_vm_security_configuration_vulnerabilities_remediated.yaml b/compliance/controls/azure/azure_compute_vm_security_configuration_vulnerabilities_remediated.yaml index bf0b75e3f..88c940793 100755 --- a/compliance/controls/azure/azure_compute_vm_security_configuration_vulnerabilities_remediated.yaml +++ b/compliance/controls/azure/azure_compute_vm_security_configuration_vulnerabilities_remediated.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_security_configuration_vulnerabilities_remediated Title: "Vulnerabilities in security configuration on your machines should be remediated" Description: "Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_ssh_key_authentication_linux.yaml b/compliance/controls/azure/azure_compute_vm_ssh_key_authentication_linux.yaml index 8da099a9c..cb58bd093 100755 --- a/compliance/controls/azure/azure_compute_vm_ssh_key_authentication_linux.yaml +++ b/compliance/controls/azure/azure_compute_vm_ssh_key_authentication_linux.yaml 
@@ -1,52 +1,19 @@ ID: azure_compute_vm_ssh_key_authentication_linux Title: "Authentication to Linux machines should require SSH keys" Description: "Although SSH itself provides an encrypted connection, using passwords with SSH still leaves the VM vulnerable to brute-force attacks. The most secure option for authenticating to an Azure Linux virtual machine over SSH is with a public-private key pair, also known as SSH keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vm_ssh_key_auth as ( - select - distinct a.vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(guest_configuration_assignments) as b - where - b -> 'guestConfiguration' ->> 'name'= 'LinuxNoPasswordForSSH' - and b ->> 'complianceStatus' = 'Compliant' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Linux' then 'skip' - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.' - when b.vm_id is not null then a.title || ' have SSH keys authentication.' - else a.title || ' does not have SSH keys authentication.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join vm_ssh_key_auth as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with vm_ssh_key_auth as (\n select\n distinct a.vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(guest_configuration_assignments) as b\n where\n b -> 'guestConfiguration' ->> 'name'= 'LinuxNoPasswordForSSH'\n and b ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Linux' then 'skip'\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Linux' then a.title || ' is of ' || a.os_type || ' operating system.'\n when b.vm_id is not null then a.title || ' have SSH keys authentication.'\n else a.title || ' does not have SSH keys authentication.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join vm_ssh_key_auth as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_system_updates_installed.yaml b/compliance/controls/azure/azure_compute_vm_system_updates_installed.yaml index a2781692b..ac64c0a27 100755 --- a/compliance/controls/azure/azure_compute_vm_system_updates_installed.yaml +++ b/compliance/controls/azure/azure_compute_vm_system_updates_installed.yaml 
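Review bot: This query matches the assignment on `b -> 'guestConfiguration' ->> 'name' = 'LinuxNoPasswordForSSH'`, whereas the other guest-configuration controls in this diff (azure_compute_vm_secure_communication_protocols_configured, and the PasswordPolicy check earlier in the diff) match `e ->> 'name'`; the assignment name and the nested guest-configuration name need not be the same value, so one of the two key paths may silently never match and leave every Linux VM at `alarm`. Worth verifying against collected `guest_configuration_assignments` data which path holds the configuration name, and aligning all three queries on it. The reason text `' have SSH keys authentication.'` should read `' has SSH key authentication.'`.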
@@ -1,41 +1,21 @@ ID: azure_compute_vm_system_updates_installed Title: "System updates should be installed on your machines" Description: "Missing security system updates on your servers will be monitored by Azure Security Center as recommendations." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - vm.vm_id as resource, - vm.og_account_id as og_account_id, - vm.og_resource_id as og_resource_id, - case - when enable_automatic_updates then 'ok' - else 'alarm' - end as status, - case - when enable_automatic_updates then vm.title || ' automatic system updates enabled.' - else vm.title || ' automatic system updates disabled.' - end as reason - - , vm.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as vm, - azure_subscription as sub - where - sub.subscription_id = vm.subscription_id; + QueryToExecute: "select\n vm.vm_id as resource,\n vm.og_account_id as og_account_id,\n vm.og_resource_id as og_resource_id,\n case\n when enable_automatic_updates then 'ok'\n else 'alarm'\n end as status,\n case\n when enable_automatic_updates then vm.title || ' automatic system updates enabled.'\n else vm.title || ' automatic system updates disabled.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm,\n azure_subscription as sub\nwhere\n sub.subscription_id = vm.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription 
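Review bot: `when enable_automatic_updates then 'ok' else 'alarm'` has no operating-system guard, unlike the sibling controls in this diff (azure_compute_vm_scale_set_logging_enabled opens with `when a.os_type <> 'Windows' then 'skip'`); `enable_automatic_updates` is a Windows OS-profile setting, so Linux VMs, for which it is presumably unset, would all be reported as `alarm` with the reason `' automatic system updates disabled.'`. Adding `when vm.os_type <> 'Windows' then 'skip'` as the first `when` of both `case` expressions (with a matching reason such as `vm.title || ' is of ' || vm.os_type || ' operating system.'`) keeps the result meaningful. Note also that the Title speaks of updates being installed while the query only checks whether automatic updates are enabled; the Description should say which is evaluated.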
diff --git a/compliance/controls/azure/azure_compute_vm_tcp_udp_access_restricted_internet.yaml b/compliance/controls/azure/azure_compute_vm_tcp_udp_access_restricted_internet.yaml
index 7614407d3..688d8a1d3 100755
--- a/compliance/controls/azure/azure_compute_vm_tcp_udp_access_restricted_internet.yaml
+++ b/compliance/controls/azure/azure_compute_vm_tcp_udp_access_restricted_internet.yaml
@@ -1,77 +1,20 @@ ID: azure_compute_vm_tcp_udp_access_restricted_internet Title: "Internet-facing virtual machines should be protected with network security groups" Description: "Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with network_sg as ( - select - distinct name as sg_name, - network_interfaces - from - azure_network_security_group as nsg, - jsonb_array_elements(security_rules) as sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) as dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) as sip - where - sg -> 'properties' ->> 'access' = 'Allow' - and sg -> 'properties' ->> 'direction' = 'Inbound' - and sg -> 'properties' ->> 'protocol' in ('TCP', 'UDP') - and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - and ( - dport in ('22', '3389', '*') - or ( - dport like '%-%' - and ( - ( - 53 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer - or 123 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer - or 161 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer - or 389 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer - or 1900 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer - ) - or ( - split_part(dport, '-', 1) :: integer <= 3389 - and split_part(dport, '-', 2) :: integer >= 3389 - ) - or ( - split_part(dport, '-', 1) :: integer <= 22 - and split_part(dport, '-', 2) :: integer >= 22 - ) - ) - ) - ) - ) - select - vm.vm_id as resource, - vm.og_account_id as og_account_id, - vm.og_resource_id as og_resource_id, - case - when sg.sg_name is null then 'ok' 
- else 'alarm' - end as status, - case - when sg.sg_name is null then vm.title || ' restricts remote access from internet.' - else vm.title || ' allows remote access from internet.' - end as reason - - , vm.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as vm - left join network_sg as sg on sg.network_interfaces @> vm.network_interfaces - join azure_subscription as sub on sub.subscription_id = vm.subscription_id; + QueryToExecute: "with network_sg as (\n select\n distinct name as sg_name,\n network_interfaces\n from\n azure_network_security_group as nsg,\n jsonb_array_elements(security_rules) as sg,\n jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) as dport,\n jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) as sip\n where\n sg -> 'properties' ->> 'access' = 'Allow'\n and sg -> 'properties' ->> 'direction' = 'Inbound'\n and sg -> 'properties' ->> 'protocol' in ('TCP', 'UDP')\n and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0')\n and (\n dport in ('22', '3389', '*')\n or (\n dport like '%-%'\n and (\n (\n 53 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer\n or 123 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer\n or 161 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer\n or 389 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer\n or 1900 between split_part(dport, '-', 1) :: integer and split_part(dport, '-', 2) :: integer\n )\n or (\n split_part(dport, '-', 1) :: integer <= 3389\n and split_part(dport, '-', 2) :: integer >= 3389\n )\n or (\n split_part(dport, '-', 1) :: integer <= 22\n and split_part(dport, '-', 2) :: integer >= 22\n )\n )\n )\n )\n)\nselect\n vm.vm_id as 
resource,\n vm.og_account_id as og_account_id,\n vm.og_resource_id as og_resource_id,\n case\n when sg.sg_name is null then 'ok'\n else 'alarm'\n end as status,\n case\n when sg.sg_name is null then vm.title || ' restricts remote access from internet.'\n else vm.title || ' allows remote access from internet.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm\n left join network_sg as sg on sg.network_interfaces @> vm.network_interfaces\n join azure_subscription as sub on sub.subscription_id = vm.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_network_security_group - - azure_subscription + - azure_compute_virtual_machine + - azure_network_security_group + - azure_subscription Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_temp_disks_cache_and_data_flows_encrypted.yaml b/compliance/controls/azure/azure_compute_vm_temp_disks_cache_and_data_flows_encrypted.yaml index 1c1278af5..a809f4ec1 100755 --- a/compliance/controls/azure/azure_compute_vm_temp_disks_cache_and_data_flows_encrypted.yaml +++ b/compliance/controls/azure/azure_compute_vm_temp_disks_cache_and_data_flows_encrypted.yaml 
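Review bot: The single-port branch `dport in ('22', '3389', '*')` and the range branch disagree: a rule that opens exactly port 53, 123, 161, 389 or 1900 is not matched, while a range covering any of those ports is, so `dport in ('22', '3389', '53', '123', '161', '389', '1900', '*')` would make the two branches consistent. The source list `sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0')` repeats `'/0'`, which looks like a token lost in conversion rather than an intended duplicate and is worth checking against the upstream query. `split_part(dport, '-', 1) :: integer` raises on any non-numeric range text, which would abort the whole control run instead of skipping that rule. Finally, a VM whose NICs carry no NSG at all is reported as `ok` because the left join finds no `sg_name`, which contradicts the Title's requirement that internet-facing VMs be protected by an NSG; if that is intended, the reason text should not claim the VM `' restricts remote access from internet.'`.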
@@ -1,8 +1,6 @@ ID: azure_compute_vm_temp_disks_cache_and_data_flows_encrypted Title: "Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources" Description: "By default, a virtual machine's OS and data disks are encrypted-at-rest using platform-managed keys. Temp disks, data caches and data flowing between compute and storage aren't encrypted. Disregard this recommendation if: 1. using encryption-at-host, or 2. server-side encryption on Managed Disks meets your security requirements. Learn more in: Server-side encryption of Azure Disk Storage: https://aka.ms/disksse, Different disk encryption offerings: https://aka.ms/diskencryptioncomparison" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_uses_azure_resource_manager.yaml b/compliance/controls/azure/azure_compute_vm_uses_azure_resource_manager.yaml index d2ef33413..cd2ac3676 100755 --- a/compliance/controls/azure/azure_compute_vm_uses_azure_resource_manager.yaml +++ b/compliance/controls/azure/azure_compute_vm_uses_azure_resource_manager.yaml 
@@ -1,43 +1,23 @@ ID: azure_compute_vm_uses_azure_resource_manager Title: "Virtual machines should be migrated to new Azure Resource Manager resources" Description: "Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - vm.vm_id as resource, - vm.og_account_id as og_account_id, - vm.og_resource_id as og_resource_id, - case - when resource_group is not null then 'ok' - else 'alarm' - end as status, - case - when resource_group is not null then vm.title || ' uses azure resource manager.' - else vm.title || ' not uses azure resource manager.' - end as reason - - , vm.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as vm, - azure_subscription as sub - where - sub.subscription_id = vm.subscription_id; + QueryToExecute: "select\n vm.vm_id as resource,\n vm.og_account_id as og_account_id,\n vm.og_resource_id as og_resource_id,\n case\n when resource_group is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when resource_group is not null then vm.title || ' uses azure resource manager.'\n else vm.title || ' not uses azure resource manager.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm,\n azure_subscription as sub\nwhere\n sub.subscription_id = vm.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" 
nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_utilizing_managed_disk.yaml b/compliance/controls/azure/azure_compute_vm_utilizing_managed_disk.yaml index 5df63ef5b..3180985f1 100755 --- a/compliance/controls/azure/azure_compute_vm_utilizing_managed_disk.yaml +++ b/compliance/controls/azure/azure_compute_vm_utilizing_managed_disk.yaml 
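Review bot: `when resource_group is not null then 'ok'` can only ever yield `ok` if `azure_compute_virtual_machine` surfaces Resource Manager resources alone (every ARM VM has a resource group), so the control would never detect a classic VM; worth confirming what the table contains, and if classic VMs are not represented at all the Description should say the control is informational. The reason text `' not uses azure resource manager.'` should read `' does not use azure resource manager.'`.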
@@ -1,53 +1,33 @@ ID: azure_compute_vm_utilizing_managed_disk Title: "Ensure Virtual Machines are utilizing Managed Disks" Description: "Migrate BLOB based VHD's to Managed Disks on Virtual Machines to exploit the default features of this configuration." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - vm.id as resource, - vm.og_account_id as og_account_id, - vm.og_resource_id as og_resource_id, - case - when managed_disk_id is null then 'alarm' - else 'ok' - end as status, - case - when managed_disk_id is null then vm.name || ' VM not utilizing managed disks.' - else vm.name || ' VM utilizing managed disks.' - end as reason - - , vm.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as vm, - azure_subscription as sub - where - sub.subscription_id = vm.subscription_id; + QueryToExecute: "select\n vm.id as resource,\n vm.og_account_id as og_account_id,\n vm.og_resource_id as og_resource_id,\n case\n when managed_disk_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when managed_disk_id is null then vm.name || ' VM not utilizing managed disks.'\n else vm.name || ' VM utilizing managed disks.'\n end as reason\n \n , vm.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as vm,\n azure_subscription as sub\nwhere\n sub.subscription_id = vm.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "7.1" + - "7.1" cis_level: - - "1" + - "1" cis_section_id: - - "7" + - "7" cis_type: - - manual + - manual cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription 
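Review bot: The `resource` column is `vm.id` here while the neighbouring VM controls in this commit (azure_compute_vm_uses_azure_resource_manager, azure_compute_vm_vulnerability_assessment_solution_enabled) emit `vm_id`, so a consumer that groups or deduplicates findings by `resource` keys the same machine two different ways. Pick one identifier for the VM controls: `vm.id as resource,` matches azure_compute_vm_windows_defender_exploit_guard_enabled, `vm.vm_id as resource,` matches the other two. `managed_disk_id` is referenced unqualified inside a query that also has `azure_subscription as sub` in scope; `vm.managed_disk_id` makes the intent explicit and keeps the query valid if the subscription table ever gains a column of that name.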
diff --git a/compliance/controls/azure/azure_compute_vm_vulnerability_assessment_solution_enabled.yaml b/compliance/controls/azure/azure_compute_vm_vulnerability_assessment_solution_enabled.yaml
index 4b0068d1d..40f0d720d 100755
--- a/compliance/controls/azure/azure_compute_vm_vulnerability_assessment_solution_enabled.yaml
+++ b/compliance/controls/azure/azure_compute_vm_vulnerability_assessment_solution_enabled.yaml
@@ -1,66 +1,23 @@ ID: azure_compute_vm_vulnerability_assessment_solution_enabled Title: "A vulnerability assessment solution should be enabled on your virtual machines" Description: "Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with defender_enabled_vms as ( - select - distinct a.vm_id as vm_id - from - azure_compute_virtual_machine as a, - jsonb_array_elements(extensions) as b - where - b ->> 'ExtensionType' = any(ARRAY ['MDE.Linux', 'MDE.Windows']) - and b ->> 'ProvisioningState' = 'Succeeded' - ), - agent_installed_vm as ( - select - distinct a.vm_id as vm_id - from - defender_enabled_vms as a - left join azure_compute_virtual_machine as w on w.vm_id = a.vm_id, - jsonb_array_elements(extensions) as b - where - b ->> 'Publisher' = 'Qualys' - and b ->> 'ExtensionType' = any(ARRAY ['WindowsAgent.AzureSecurityCenter', 'LinuxAgent.AzureSecurityCenter']) - and b ->> 'ProvisioningState' = 'Succeeded' - ) - select - a.vm_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when b.vm_id is not null then 'ok' - else 'alarm' - end as status, - case - when b.vm_id is not null then a.title || ' have vulnerability assessment solution enabled.' - else a.title || ' have vulnerability assessment solution disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join agent_installed_vm as b on a.vm_id = b.vm_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with defender_enabled_vms as (\n select\n distinct a.vm_id as vm_id\n from\n azure_compute_virtual_machine as a,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'ExtensionType' = any(ARRAY ['MDE.Linux', 'MDE.Windows'])\n and b ->> 'ProvisioningState' = 'Succeeded'\n),\nagent_installed_vm as (\n select\n distinct a.vm_id as vm_id\n from\n defender_enabled_vms as a\n left join azure_compute_virtual_machine as w on w.vm_id = a.vm_id,\n jsonb_array_elements(extensions) as b\n where\n b ->> 'Publisher' = 'Qualys'\n and b ->> 'ExtensionType' = any(ARRAY ['WindowsAgent.AzureSecurityCenter', 'LinuxAgent.AzureSecurityCenter'])\n and b ->> 'ProvisioningState' = 'Succeeded'\n)\nselect\n a.vm_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vm_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vm_id is not null then a.title || ' have vulnerability assessment solution enabled.'\n else a.title || ' have vulnerability assessment solution disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join agent_installed_vm as b on a.vm_id = b.vm_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute 
+IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_vulnerability_findings_resolved_for_sql_server.yaml b/compliance/controls/azure/azure_compute_vm_vulnerability_findings_resolved_for_sql_server.yaml index 0ad17c6e2..b89179bff 100755 --- a/compliance/controls/azure/azure_compute_vm_vulnerability_findings_resolved_for_sql_server.yaml +++ b/compliance/controls/azure/azure_compute_vm_vulnerability_findings_resolved_for_sql_server.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_vulnerability_findings_resolved_for_sql_server Title: "SQL servers on machines should have vulnerability findings resolved" Description: "SQL vulnerability assessment scans your database for security vulnerabilities, and exposes any deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data. Resolving the vulnerabilities found can greatly improve your database security posture." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_windows_defender_exploit_guard_enabled.yaml b/compliance/controls/azure/azure_compute_vm_windows_defender_exploit_guard_enabled.yaml index 18822535c..affcfcd4b 100755 --- a/compliance/controls/azure/azure_compute_vm_windows_defender_exploit_guard_enabled.yaml +++ b/compliance/controls/azure/azure_compute_vm_windows_defender_exploit_guard_enabled.yaml 
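Review bot: In the `agent_installed_vm` CTE, `jsonb_array_elements(extensions)` is unqualified; `a` is `defender_enabled_vms`, which exposes only `vm_id`, so the reference resolves to `w.extensions` implicitly, and `jsonb_array_elements(w.extensions) as b` should be written out so the binding does not depend on the CTE's column list. Because the Qualys check is applied only to VMs that already carry a succeeded `MDE.Linux`/`MDE.Windows` extension, a VM running the Qualys agent without Defender for Endpoint is reported as having vulnerability assessment disabled; if that prerequisite is intended, the `Description` should say so, otherwise the second CTE should select from `azure_compute_virtual_machine` directly. The reason strings `' have vulnerability assessment solution enabled.'` and `' have vulnerability assessment solution disabled.'` describe a single VM, so `' has ...'` is the correct form.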
@@ -1,55 +1,19 @@ ID: azure_compute_vm_windows_defender_exploit_guard_enabled Title: "Windows Defender Exploit Guard should be enabled on your machines" Description: "Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with compute_machine as( - select - id, - name, - subscription_id, - resource_group - from - azure_compute_virtual_machine, - jsonb_array_elements(guest_configuration_assignments) as e - where - e ->> 'name' = 'WindowsDefenderExploitGuard' - and e ->> 'complianceStatus' = 'Compliant' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.os_type <> 'Windows' then 'skip' - when m.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.' - when m.id is not null then a.name || ' windows defender exploit guard enabled.' - else a.name || ' windows defender exploit guard disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_compute_virtual_machine as a - left join compute_machine as m on m.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with compute_machine as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_compute_virtual_machine,\n jsonb_array_elements(guest_configuration_assignments) as e\n where\n e ->> 'name' = 'WindowsDefenderExploitGuard'\n and e ->> 'complianceStatus' = 'Compliant'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.os_type <> 'Windows' then 'skip'\n when m.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.os_type <> 'Windows' then a.name || ' is of ' || a.os_type || ' operating system.'\n when m.id is not null then a.name || ' windows defender exploit guard enabled.'\n else a.name || ' windows defender exploit guard disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_compute_virtual_machine as a\n left join compute_machine as m on m.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine - - azure_subscription + - azure_compute_virtual_machine + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Compute + - Azure/Compute +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows.yaml b/compliance/controls/azure/azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows.yaml index 6dbe9562c..df33dc6f1 100755 
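Review bot: The `compute_machine` CTE has no `distinct`, unlike the CTEs in the sibling controls of this commit, so a VM carrying more than one `WindowsDefenderExploitGuard` guest-configuration assignment with `complianceStatus` `Compliant` would be joined twice and yield duplicate result rows; `select distinct id` is enough, since `name`, `subscription_id` and `resource_group` from the CTE are never read — only `m.id` is. The status `case` tests `a.os_type <> 'Windows'`; for a row whose `os_type` is null that test is null, so the VM is evaluated as Windows and lands in `alarm` with the Defender reason rather than `skip`, which may be intended but deserves a comment in the query, e.g. `-- null os_type is treated as Windows and evaluated against the assignment`.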
--- a/compliance/controls/azure/azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows.yaml +++ b/compliance/controls/azure/azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows.yaml @@ -1,8 +1,6 @@ ID: azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows Title: "Audit Windows machines that do not contain the specified certificates in Trusted Root" Description: "Requires that prerequisites are deployed to the policy assignment scope. Machines are non-compliant if the machine Trusted Root certificate store does not contain one or more of the certificates listed by the policy parameter." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_instance_container_group_encrypted_using_cmk.yaml b/compliance/controls/azure/azure_container_instance_container_group_encrypted_using_cmk.yaml index a93cfcc54..d5ad00987 100755 --- a/compliance/controls/azure/azure_container_instance_container_group_encrypted_using_cmk.yaml +++ b/compliance/controls/azure/azure_container_instance_container_group_encrypted_using_cmk.yaml @@ -1,8 +1,6 @@ ID: azure_container_instance_container_group_encrypted_using_cmk Title: "Container Instance container group should use customer-managed key for encryption" Description: "Secure your containers with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = cg.subscription_id; PrimaryTable: azure_container_group ListOfTables: - - azure_container_group - - azure_subscription + - azure_container_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_instance_container_group_identity_provider_enabled.yaml b/compliance/controls/azure/azure_container_instance_container_group_identity_provider_enabled.yaml index d7c2a6a89..d49baaf5c 100755 --- a/compliance/controls/azure/azure_container_instance_container_group_identity_provider_enabled.yaml +++ b/compliance/controls/azure/azure_container_instance_container_group_identity_provider_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_container_instance_container_group_identity_provider_enabled Title: "Container instance container groups identity provider should be enabled" Description: "Ensure that managed identity provider is enabled for the container instance container group. This control is non-compliant if container instance container group identity provider is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = cg.subscription_id; PrimaryTable: azure_container_group ListOfTables: - - azure_container_group - - azure_subscription + - azure_container_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_instance_container_group_in_virtual_network.yaml b/compliance/controls/azure/azure_container_instance_container_group_in_virtual_network.yaml index e3dfaacc1..938f88d8f 100755 --- a/compliance/controls/azure/azure_container_instance_container_group_in_virtual_network.yaml +++ b/compliance/controls/azure/azure_container_instance_container_group_in_virtual_network.yaml 
@@ -1,8 +1,6 @@ ID: azure_container_instance_container_group_in_virtual_network Title: "Container instance container groups should be in virtual network" Description: "This control ensures that the container group is deployed into a virtual network." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = cg.subscription_id; PrimaryTable: azure_container_group ListOfTables: - - azure_container_group - - azure_subscription + - azure_container_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_instance_container_group_secured_environment_variable.yaml b/compliance/controls/azure/azure_container_instance_container_group_secured_environment_variable.yaml index b2c11e4f0..854941d35 100755 --- a/compliance/controls/azure/azure_container_instance_container_group_secured_environment_variable.yaml +++ b/compliance/controls/azure/azure_container_instance_container_group_secured_environment_variable.yaml @@ -1,8 +1,6 @@ ID: azure_container_instance_container_group_secured_environment_variable Title: "Container instance container groups should use secured environment variable" Description: "Ensure that container instance container group uses secured environment variables. This control is non-compliant if container instance container group does not uses secured environment variables." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -36,8 +34,10 @@ Query: sub.subscription_id = cg.subscription_id; PrimaryTable: azure_container_group ListOfTables: - - azure_container_group - - azure_subscription + - azure_container_group + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_container_registry_admin_user_disabled.yaml b/compliance/controls/azure/azure_container_registry_admin_user_disabled.yaml index 30bd030c6..3079e856d 100755 --- a/compliance/controls/azure/azure_container_registry_admin_user_disabled.yaml +++ b/compliance/controls/azure/azure_container_registry_admin_user_disabled.yaml @@ -1,8 +1,6 @@ ID: azure_container_registry_admin_user_disabled Title: "Container registries admin user should be disabled" Description: "Ensure container registry admin user is disabled. This control is non-compliant if admin user is enabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subscription + - azure_container_registry + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_container_registry_encrypted_with_cmk.yaml index 19eee5397..af437b962 100755 --- a/compliance/controls/azure/azure_container_registry_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_container_registry_encrypted_with_cmk.yaml 
@@ -1,39 +1,19 @@ ID: azure_container_registry_encrypted_with_cmk Title: "Container registries should be encrypted with a customer-managed key" Description: "Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - distinct a.name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when encryption ->> 'status' = 'enabled' then 'ok' - else 'alarm' - end as status, - case - when encryption ->> 'status' = 'enabled' then a.name || ' encrypted with CMK.' - else a.name || ' not encrypted with CMK.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_container_registry as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n distinct a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when encryption ->> 'status' = 'enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption ->> 'status' = 'enabled' then a.name || ' encrypted with CMK.'\n else a.name || ' not encrypted with CMK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_container_registry as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subscription + - azure_container_registry + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/ContainerRegistry + - Azure/ContainerRegistry +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_geo_replication_enabled.yaml b/compliance/controls/azure/azure_container_registry_geo_replication_enabled.yaml index 1d8d7841e..79f99b652 100755 --- a/compliance/controls/azure/azure_container_registry_geo_replication_enabled.yaml +++ b/compliance/controls/azure/azure_container_registry_geo_replication_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_container_registry_geo_replication_enabled Title: "Container registries should be geo-replicated" Description: "Ensure that container registries are geo-replicated to align with multi-region container deployments." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
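Review bot: `resource` is `a.name` here (and in azure_container_registry_restrict_public_access and azure_container_registry_use_virtual_service_endpoint in this commit), whereas azure_container_registry_uses_private_link keys the same registries by `a.id`; a consumer joining findings per resource ends up with two keys for one registry. `a.id as resource,` is the safer choice since it is the ARM resource id and sits next to `og_resource_id`, which already carries it; `distinct` then only guards against duplicate subscription rows. The `encryption ->> 'status' = 'enabled'` comparison is null-safe as written — a registry without an `encryption` object falls through to `alarm` — which is the right default for a CMK control.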
@@ -40,8 +38,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subscription + - azure_container_registry + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_public_network_access_disabled.yaml b/compliance/controls/azure/azure_container_registry_public_network_access_disabled.yaml index 0ceb3eefd..f066275c0 100755 --- a/compliance/controls/azure/azure_container_registry_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_container_registry_public_network_access_disabled.yaml @@ -1,8 +1,6 @@ ID: azure_container_registry_public_network_access_disabled Title: "Container registries public network access should be disabled" Description: "Ensure that container registries public network access is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subscription + - azure_container_registry + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_quarantine_policy_enabled.yaml b/compliance/controls/azure/azure_container_registry_quarantine_policy_enabled.yaml index fb7e33020..222b6cdd0 100755 --- a/compliance/controls/azure/azure_container_registry_quarantine_policy_enabled.yaml +++ b/compliance/controls/azure/azure_container_registry_quarantine_policy_enabled.yaml 
@@ -1,8 +1,6 @@ ID: azure_container_registry_quarantine_policy_enabled Title: "Container registries quarantine policy should be enabled" Description: "Ensure container registry quarantine policy is enabled. This control is non-compliant if quarantine policy is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subscription + - azure_container_registry + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_restrict_public_access.yaml b/compliance/controls/azure/azure_container_registry_restrict_public_access.yaml index b3cda8d63..94468f8ec 100755 --- a/compliance/controls/azure/azure_container_registry_restrict_public_access.yaml +++ b/compliance/controls/azure/azure_container_registry_restrict_public_access.yaml 
@@ -1,39 +1,19 @@ ID: azure_container_registry_restrict_public_access Title: "Container registries should not allow unrestricted network access" Description: "Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - distinct a.name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when network_rule_set ->> 'defaultAction' = 'Deny' then 'ok' - else 'alarm' - end as status, - case - when network_rule_set ->> 'defaultAction' = 'Deny' then a.name || ' publicly not accessible.' - else a.name || ' publicly accessible.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_container_registry as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n distinct a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when network_rule_set ->> 'defaultAction' = 'Deny' then 'ok'\n else 'alarm'\n end as status,\n case\n when network_rule_set ->> 'defaultAction' = 'Deny' then a.name || ' publicly not accessible.'\n else a.name || ' publicly accessible.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_container_registry as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subscription + - azure_container_registry + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - 
Azure/ContainerRegistry + - Azure/ContainerRegistry +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_retention_policy_enabled.yaml b/compliance/controls/azure/azure_container_registry_retention_policy_enabled.yaml index b865cd77c..6d1917df1 100755 --- a/compliance/controls/azure/azure_container_registry_retention_policy_enabled.yaml +++ b/compliance/controls/azure/azure_container_registry_retention_policy_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_container_registry_retention_policy_enabled Title: "Container registries retention policy should be enabled" Description: "Ensure container registry retention policy is enabled. This control is non-compliant if retention policy is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subscription + - azure_container_registry + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_trust_policy_enabled.yaml b/compliance/controls/azure/azure_container_registry_trust_policy_enabled.yaml index 0a402ff4b..a3c952038 100755 --- a/compliance/controls/azure/azure_container_registry_trust_policy_enabled.yaml +++ b/compliance/controls/azure/azure_container_registry_trust_policy_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_container_registry_trust_policy_enabled Title: "Container registries trust policy should be enabled" Description: "Ensure container registry trust policy is enabled. This control is non-compliant if trust policy is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
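Review bot: The reason string `' publicly not accessible.'` is ungrammatical for a finding that is shown to operators; `' not publicly accessible.'` reads correctly and keeps the same meaning. The `Description` promises a check for IP/firewall rules or a configured virtual network, but the query only tests `network_rule_set ->> 'defaultAction' = 'Deny'`; either the description should be narrowed to "default network action is Deny" or the query should also inspect the rule lists, so that the two agree on what the control actually evaluates.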
@@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subscription + - azure_container_registry + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_container_registry_use_virtual_service_endpoint.yaml index 44501ffd2..f1ee728ca 100755 --- a/compliance/controls/azure/azure_container_registry_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_container_registry_use_virtual_service_endpoint.yaml 
@@ -1,52 +1,20 @@ ID: azure_container_registry_use_virtual_service_endpoint Title: "Container Registry should use a virtual network service endpoint" Description: "This policy audits any Container Registry not configured to use a virtual network service endpoint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with container_registry_subnet as ( - select - distinct a.name, - rule ->> 'id' as id - from - azure_container_registry as a, - jsonb_array_elements(network_rule_set -> 'virtualNetworkRules') as rule, - azure_subnet as subnet - ) - select - distinct a.name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when network_rule_set ->> 'defaultAction' <> 'Deny' then 'alarm' - when s.name is null then 'alarm' - else 'ok' - end as status, - case - when network_rule_set ->> 'defaultAction' <> 'Deny' then a.name || ' not configured with virtual service endpoint.' - when s.name is null then a.name || ' not configured with virtual service endpoint.' - else a.name || ' configured with virtual service endpoint.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_container_registry as a - left join container_registry_subnet as s on a.name = s.name, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with container_registry_subnet as (\n select\n distinct a.name,\n rule ->> 'id' as id\n from\n azure_container_registry as a,\n jsonb_array_elements(network_rule_set -> 'virtualNetworkRules') as rule,\n azure_subnet as subnet\n)\nselect\n distinct a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when network_rule_set ->> 'defaultAction' <> 'Deny' then 'alarm'\n when s.name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when network_rule_set ->> 'defaultAction' <> 'Deny' then a.name || ' not configured with virtual service endpoint.'\n when s.name is null then a.name || ' not configured with virtual service endpoint.'\n else a.name || ' configured with virtual service endpoint.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_container_registry as a\n left join container_registry_subnet as s on a.name = s.name,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subnet - - azure_subscription + - azure_container_registry + - azure_subnet + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/ContainerRegistry + - Azure/ContainerRegistry +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_uses_private_link.yaml b/compliance/controls/azure/azure_container_registry_uses_private_link.yaml index 9ff1672ff..9cfcec9c6 100755 --- a/compliance/controls/azure/azure_container_registry_uses_private_link.yaml 
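Review bot: The `container_registry_subnet` CTE lists `azure_subnet as subnet` in its `from` clause but never references `subnet` in a join condition or the select list, so it is a cross join: every virtual-network rule row is multiplied by every subnet and collapsed again by `distinct`, and if `azure_subnet` holds no rows the CTE is empty and every registry — including those with populated `virtualNetworkRules` — is reported as `alarm`. Either remove `azure_subnet as subnet` from the CTE, or make the join meaningful by matching the rule to the subnet it names, e.g. `join azure_subnet as subnet on subnet.id = rule ->> 'id'` (assuming the table's `id` column holds the same ARM subnet id form as the rule — confirm), and adjust `ListOfTables` to match. The first two `when` branches of the `reason` column emit the identical text `' not configured with virtual service endpoint.'`, so a reader cannot tell whether the registry failed on `defaultAction` or on missing rules; distinct messages would make triage easier.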
+++ b/compliance/controls/azure/azure_container_registry_uses_private_link.yaml 
@@ -1,49 +1,19 @@ ID: azure_container_registry_uses_private_link Title: "Container registries should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with container_registry_private_connection as ( - select - distinct a.id - from - azure_container_registry as a, - jsonb_array_elements(private_endpoint_connections) as connection - where - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when c.id is null then a.name || ' not uses private link.' - else a.name || ' uses private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_container_registry as a - left join container_registry_private_connection as c on c.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with container_registry_private_connection as (\n select\n distinct a.id\n from\n azure_container_registry as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.id is null then a.name || ' not uses private link.'\n else a.name || ' uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_container_registry as a\n left join container_registry_private_connection as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry - - azure_subscription + - azure_container_registry + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/ContainerRegistry + - Azure/ContainerRegistry +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_container_registry_vulnerabilities_remediated.yaml b/compliance/controls/azure/azure_container_registry_vulnerabilities_remediated.yaml index 99e5fbbc7..a24d36970 100755 --- a/compliance/controls/azure/azure_container_registry_vulnerabilities_remediated.yaml +++ b/compliance/controls/azure/azure_container_registry_vulnerabilities_remediated.yaml 
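Review bot: The rewritten `QueryToExecute` on the new side of this hunk turns a `|` block scalar into one double-quoted string full of `\n` escapes, which is hard to read and to diff and goes against the block-scalar convention the `|-` files in this same diff still follow. The same conversion appears in the hunks for azure_cosmosdb_account_encryption_at_rest_using_cmk, azure_cosmosdb_account_uses_private_link, azure_cosmosdb_account_virtual_network_filter_enabled, azure_cosmosdb_account_with_firewall_rules, azure_cosmosdb_use_virtual_service_endpoint, azure_data_factory_encrypted_with_cmk, azure_data_factory_uses_private_link and azure_databox_edge_device_double_encryption_enabled. The escaped form also carries a whitespace-only line (`end as reason\n \n ,`) that a block scalar would show as trailing whitespace. Keeping `QueryToExecute: |-` with the SQL laid out one statement line per YAML line, as the `|-` files do, keeps the queries reviewable. Separately, the reason text `' not uses private link.'` reads better as `' does not use private link.'`.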
@@ -1,8 +1,6 @@ ID: azure_container_registry_vulnerabilities_remediated Title: "Container registry images should have vulnerability findings resolved" Description: "Container image vulnerability assessment scans your registry for security vulnerabilities and exposes detailed findings for each image. Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cosmosdb_account_encryption_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_cosmosdb_account_encryption_at_rest_using_cmk.yaml index 1e94ee2fa..b7680e6e9 100755 --- a/compliance/controls/azure/azure_cosmosdb_account_encryption_at_rest_using_cmk.yaml +++ b/compliance/controls/azure/azure_cosmosdb_account_encryption_at_rest_using_cmk.yaml 
@@ -1,39 +1,19 @@ ID: azure_cosmosdb_account_encryption_at_rest_using_cmk Title: "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest" Description: "Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when key_vault_key_uri is not null then 'ok' - else 'alarm' - end as status, - case - when key_vault_key_uri is not null then a.name || ' encrypted at rest using CMK.' - else a.name || ' not encrypted at rest using CMK.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_cosmosdb_account as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when key_vault_key_uri is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when key_vault_key_uri is not null then a.name || ' encrypted at rest using CMK.'\n else a.name || ' not encrypted at rest using CMK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cosmosdb_account as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_cosmosdb_account ListOfTables: - - azure_cosmosdb_account - - azure_subscription + - azure_cosmosdb_account + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CosmosDB + - Azure/CosmosDB +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cosmosdb_account_key_based_metadata_write_access_disabled.yaml b/compliance/controls/azure/azure_cosmosdb_account_key_based_metadata_write_access_disabled.yaml index a50433bd0..a76fa76b2 100755 --- a/compliance/controls/azure/azure_cosmosdb_account_key_based_metadata_write_access_disabled.yaml +++ b/compliance/controls/azure/azure_cosmosdb_account_key_based_metadata_write_access_disabled.yaml @@ -1,8 +1,6 @@ ID: azure_cosmosdb_account_key_based_metadata_write_access_disabled Title: "Cosmos DB accounts should disable key based metadata write access" Description: "Ensure Cosmos DB accounts have key-based metadata write_access disabled. This control is non-compliant if Cosmos DB accounts have key-based metadata write access enabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_cosmosdb_account ListOfTables: - - azure_cosmosdb_account - - azure_subscription + - azure_cosmosdb_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cosmosdb_account_uses_aad_and_rbac.yaml b/compliance/controls/azure/azure_cosmosdb_account_uses_aad_and_rbac.yaml index a41bf8759..13c1bd8ba 100755 --- a/compliance/controls/azure/azure_cosmosdb_account_uses_aad_and_rbac.yaml +++ b/compliance/controls/azure/azure_cosmosdb_account_uses_aad_and_rbac.yaml @@ -1,8 +1,6 @@ ID: azure_cosmosdb_account_uses_aad_and_rbac Title: "Cosmos DB account 'Access Control' should be configured to use Azure Active Directory (AAD) and Role-Based Access Control (RBAC)" Description: "Azure Cosmos DB accounts should use Azure Active Directory (AAD) Client Authentication and Role-Based Access Control (RBAC) for access control." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_cosmosdb_account ListOfTables: - - azure_cosmosdb_account - - azure_subscription + - azure_cosmosdb_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cosmosdb_account_uses_private_link.yaml b/compliance/controls/azure/azure_cosmosdb_account_uses_private_link.yaml index 258e99365..a8f1a445e 100755 --- a/compliance/controls/azure/azure_cosmosdb_account_uses_private_link.yaml +++ b/compliance/controls/azure/azure_cosmosdb_account_uses_private_link.yaml 
@@ -1,63 +1,33 @@ ID: azure_cosmosdb_account_uses_private_link Title: "CosmosDB accounts should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your CosmosDB account, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with cosmosdb_private_connection as ( - select - distinct a.id - from - azure_cosmosdb_account as a, - jsonb_array_elements(private_endpoint_connections) as connection - where - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when c.id is null then a.name || ' not uses private link.' - else a.name || ' uses private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_cosmosdb_account as a - left join cosmosdb_private_connection as c on c.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with cosmosdb_private_connection as (\n select\n distinct a.id\n from\n azure_cosmosdb_account as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.id is null then a.name || ' not uses private link.'\n else a.name || ' uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cosmosdb_account as a\n left join cosmosdb_private_connection as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_cosmosdb_account ListOfTables: - - azure_cosmosdb_account - - azure_subscription + - azure_cosmosdb_account + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.5.2 + - 4.5.2 cis_level: - - "2" + - "2" cis_section_id: - - "4.5" + - "4.5" cis_type: - - manual + - manual cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cosmosdb_account_virtual_network_filter_enabled.yaml b/compliance/controls/azure/azure_cosmosdb_account_virtual_network_filter_enabled.yaml index cf8d94640..02a220897 100755 --- a/compliance/controls/azure/azure_cosmosdb_account_virtual_network_filter_enabled.yaml 
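Review bot: The `service` tag on the new side of this hunk is `Azure/SQL`, while the control's `PrimaryTable` is `azure_cosmosdb_account` and the sibling Cosmos DB controls in this diff (azure_cosmosdb_account_with_firewall_rules, azure_cosmosdb_use_virtual_service_endpoint) are tagged `Azure/CosmosDB`. The same mismatch is in the azure_cosmosdb_account_virtual_network_filter_enabled hunk. Unless the tag is meant to follow the CIS section label rather than the resource type, it should read `- Azure/CosmosDB` so that filtering findings by service groups these with the other Cosmos DB controls.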
+++ b/compliance/controls/azure/azure_cosmosdb_account_virtual_network_filter_enabled.yaml 
@@ -1,55 +1,33 @@ ID: azure_cosmosdb_account_virtual_network_filter_enabled Title: "Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks" Description: "" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when public_network_access = 'Disabled' then 'ok' - when public_network_access = 'Enabled' and is_virtual_network_filter_enabled = 'true' then 'ok' - else 'alarm' - end as status, - case - when public_network_access = 'Disabled' then a.name || ' public network access disabled.' - when public_network_access = 'Enabled' and is_virtual_network_filter_enabled = 'true' then a.name || ' virtual network filter enabled.' - else a.name || ' virtual network filter disabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_cosmosdb_account as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when public_network_access = 'Disabled' then 'ok'\n when public_network_access = 'Enabled' and is_virtual_network_filter_enabled = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when public_network_access = 'Disabled' then a.name || ' public network access disabled.'\n when public_network_access = 'Enabled' and is_virtual_network_filter_enabled = 'true' then a.name || ' virtual network filter enabled.'\n else a.name || ' virtual network filter disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cosmosdb_account as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_cosmosdb_account ListOfTables: - - azure_cosmosdb_account - - azure_subscription + - azure_cosmosdb_account 
+ - azure_subscription Parameters: [] Severity: critical Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.5.1 + - 4.5.1 cis_level: - - "2" + - "2" cis_section_id: - - "4.5" + - "4.5" cis_type: - - manual + - manual cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cosmosdb_account_with_firewall_rules.yaml b/compliance/controls/azure/azure_cosmosdb_account_with_firewall_rules.yaml index 29a83e552..aac556318 100755 --- a/compliance/controls/azure/azure_cosmosdb_account_with_firewall_rules.yaml +++ b/compliance/controls/azure/azure_cosmosdb_account_with_firewall_rules.yaml 
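Review bot: `Description: ""` on the new side of the azure_cosmosdb_account_virtual_network_filter_enabled hunk leaves a `critical`-severity control with no explanation of what it checks or why a finding matters. A description that matches what the query actually does would be `Description: "Ensure that Cosmos DB accounts restrict 'Firewalls & Networks' to selected networks. An account is compliant when public network access is disabled, or when public network access is enabled and the virtual network filter is enabled; otherwise the control is non-compliant."`.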
@@ -1,47 +1,19 @@ ID: azure_cosmosdb_account_with_firewall_rules Title: "Azure Cosmos DB accounts should have firewall rules" Description: "Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when - public_network_access = 'Enabled' - and is_virtual_network_filter_enabled = 'false' - and jsonb_array_length(ip_rules) = 0 - then 'alarm' - else 'ok' - end as status, - case - when - public_network_access = 'Enabled' - and is_virtual_network_filter_enabled = 'false' - and jsonb_array_length(ip_rules) = 0 - then a.name || ' not have firewall rules.' - else a.name || ' have firewall rules.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_cosmosdb_account as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when\n public_network_access = 'Enabled'\n and is_virtual_network_filter_enabled = 'false'\n and jsonb_array_length(ip_rules) = 0\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n public_network_access = 'Enabled'\n and is_virtual_network_filter_enabled = 'false'\n and jsonb_array_length(ip_rules) = 0\n then a.name || ' not have firewall rules.'\n else a.name || ' have firewall rules.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cosmosdb_account as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_cosmosdb_account ListOfTables: - - azure_cosmosdb_account - - azure_subscription + - azure_cosmosdb_account + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CosmosDB + - Azure/CosmosDB +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_cosmosdb_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_cosmosdb_use_virtual_service_endpoint.yaml index bc65d488d..80aecd6d0 100755 --- a/compliance/controls/azure/azure_cosmosdb_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_cosmosdb_use_virtual_service_endpoint.yaml 
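Review bot: The status logic in the new `QueryToExecute` of this hunk alarms only when `public_network_access = 'Enabled'`, the virtual network filter is `'false'` and `jsonb_array_length(ip_rules) = 0` all hold, so an account with the filter enabled but no IP rules, or with IP rules but the filter disabled, passes, whereas the `Description` reads as if at least one IP rule and the virtual network filter are required together. One of the two should be aligned: either the description states that either control suffices, or the `when` becomes `public_network_access = 'Enabled' and (is_virtual_network_filter_enabled = 'false' or jsonb_array_length(ip_rules) = 0)`. Also, if `ip_rules` can be null, `jsonb_array_length(ip_rules) = 0` evaluates to null rather than true and such an account is reported `ok`; `coalesce(jsonb_array_length(ip_rules), 0) = 0` avoids that silent pass. Whichever is intended, the reason strings `' not have firewall rules.'` / `' have firewall rules.'` would read better as `' does not have firewall rules.'` / `' has firewall rules.'`.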
@@ -1,49 +1,19 @@ ID: azure_cosmosdb_use_virtual_service_endpoint Title: "Cosmos DB should use a virtual network service endpoint" Description: "This policy audits any Cosmos DB not configured to use a virtual network service endpoint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with cosmosdb_with_virtual_network as ( - select - distinct a.id - from - azure_cosmosdb_account as a, - jsonb_array_elements(virtual_network_rules) as rule - where - rule ->> 'id' is not null - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when c.id is null then a.name || ' not configured with virtual network service endpoint.' - else a.name || ' configured with virtual network service endpoint.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_cosmosdb_account as a - left join cosmosdb_with_virtual_network as c on c.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with cosmosdb_with_virtual_network as (\n select\n distinct a.id\n from\n azure_cosmosdb_account as a,\n jsonb_array_elements(virtual_network_rules) as rule\n where\n rule ->> 'id' is not null\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.id is null then a.name || ' not configured with virtual network service endpoint.'\n else a.name || ' configured with virtual network service endpoint.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_cosmosdb_account as a\n left join cosmosdb_with_virtual_network as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_cosmosdb_account 
ListOfTables: - - azure_cosmosdb_account - - azure_subscription + - azure_cosmosdb_account + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/CosmosDB + - Azure/CosmosDB +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_data_factory_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_data_factory_encrypted_with_cmk.yaml index bb11c9dfc..0117a4a3d 100755 --- a/compliance/controls/azure/azure_data_factory_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_data_factory_encrypted_with_cmk.yaml 
@@ -1,39 +1,19 @@ ID: azure_data_factory_encrypted_with_cmk Title: "Azure data factories should be encrypted with a customer-managed key" Description: "Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when encryption ->> 'vaultBaseUrl' is not null then 'ok' - else 'alarm' - end as status, - case - when encryption ->> 'vaultBaseUrl' is not null then a.name || ' encrypted with CMK.' - else a.name || ' not encrypted with CMK.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_data_factory as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when encryption ->> 'vaultBaseUrl' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption ->> 'vaultBaseUrl' is not null then a.name || ' encrypted with CMK.'\n else a.name || ' not encrypted with CMK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_data_factory as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_data_factory ListOfTables: - - azure_data_factory - - azure_subscription + - azure_data_factory + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/DataFactory + - Azure/DataFactory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_data_factory_public_network_access_disabled.yaml b/compliance/controls/azure/azure_data_factory_public_network_access_disabled.yaml index 84c067cfd..219e2d378 100755 --- a/compliance/controls/azure/azure_data_factory_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_data_factory_public_network_access_disabled.yaml @@ -1,8 +1,6 @@ ID: azure_data_factory_public_network_access_disabled Title: "Data factories should disable public network access" Description: "Disabling public network access improves security by ensuring that your Data Factory is not exposed on the public internet." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_data_factory ListOfTables: - - azure_data_factory - - azure_subscription + - azure_data_factory + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_data_factory_uses_git_repository.yaml b/compliance/controls/azure/azure_data_factory_uses_git_repository.yaml index c3794a423..d08126dc0 100755 --- a/compliance/controls/azure/azure_data_factory_uses_git_repository.yaml +++ b/compliance/controls/azure/azure_data_factory_uses_git_repository.yaml @@ -1,8 +1,6 @@ ID: azure_data_factory_uses_git_repository Title: "Data factories should use GitHub repository" Description: "Ensure that Data Factory utilizes a Git repository as its source control mechanism. This control is non-compliant if Data Factory Git repository is not configured." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_data_factory ListOfTables: - - azure_data_factory - - azure_subscription + - azure_data_factory + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_data_factory_uses_private_link.yaml b/compliance/controls/azure/azure_data_factory_uses_private_link.yaml index 8e1652e14..8df6b8a2f 100755 --- a/compliance/controls/azure/azure_data_factory_uses_private_link.yaml +++ b/compliance/controls/azure/azure_data_factory_uses_private_link.yaml 
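Review bot: The `Title` on the new side of the azure_data_factory_uses_git_repository hunk says "Data factories should use GitHub repository", while the control ID and `Description` speak of a Git repository in general, so the two disagree on scope. `Title: "Data factories should use a Git repository"` matches the description. The query body is outside this hunk, so which hosting providers it actually accepts cannot be confirmed from here.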
@@ -1,49 +1,19 @@ ID: azure_data_factory_uses_private_link Title: "Azure Data Factory should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with data_factory_connection as ( - select - distinct a.id - from - azure_data_factory as a, - jsonb_array_elements(private_endpoint_connections) as connection - where - connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when c.id is null then a.name || ' not uses private link.' - else a.name || ' uses private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_data_factory as a - left join data_factory_connection as c on c.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with data_factory_connection as (\n select\n distinct a.id\n from\n azure_data_factory as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.id is null then a.name || ' not uses private link.'\n else a.name || ' uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_data_factory as a\n left join data_factory_connection as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_data_factory ListOfTables: - - azure_data_factory - - azure_subscription + - azure_data_factory + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/DataFactory + - Azure/DataFactory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_databox_edge_device_double_encryption_enabled.yaml b/compliance/controls/azure/azure_databox_edge_device_double_encryption_enabled.yaml index 921733794..4b002ba6c 100755 --- a/compliance/controls/azure/azure_databox_edge_device_double_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_databox_edge_device_double_encryption_enabled.yaml 
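Review bot: The `where` clause in the new `QueryToExecute` of this hunk reads the approval state as `connection ->> 'PrivateLinkServiceConnectionStateStatus'`, while the container registry and Cosmos DB private-link controls in this same diff use `connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status'`. If the `azure_data_factory` table in fact exposes the nested shape, `->>` on the missing top-level key yields null, the comparison never holds, and every factory is reported `'alarm'` regardless of its endpoints; please confirm the key path against the table schema. A comment in the control recording which JSON shape the key path was verified against would save the next reviewer the same question.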
@@ -1,39 +1,19 @@ ID: azure_databox_edge_device_double_encryption_enabled Title: "Azure Stack Edge devices should use double-encryption" Description: "To secure the data at rest on the device, ensure it's double-encrypted, the access to data is controlled, and once the device is deactivated, the data is securely erased off the data disks. Double encryption is the use of two layers of encryption: BitLocker XTS-AES 256-bit encryption on the data volumes and built-in encryption of the hard drives. Learn more in the security overview documentation for the specific Stack Edge device." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when sku_name = any (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) then 'ok' - else 'alarm' - end as status, - case - when sku_name = any (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) then a.name || ' double encryption enabled.' - else a.name || ' double encryption disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_databox_edge_device as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when sku_name = any (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_name = any (ARRAY ['TEA_1Node', 'TEA_1Node_UPS', 'TEA_1Node_Heater', 'TEA_1Node_UPS_Heater', 'TEA_4Node_Heater', 'TEA_4Node_UPS_Heater', 'TMA', 'EdgePR_Base', 'EdgePR_Base_UPS', 'EdgeMR_Mini']) then a.name || ' double encryption enabled.'\n else a.name || ' double encryption disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_databox_edge_device as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_databox_edge_device ListOfTables: - - azure_databox_edge_device - - azure_subscription + - azure_databox_edge_device + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/DataBox + - Azure/DataBox +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_databox_job_double_encryption_enabled.yaml b/compliance/controls/azure/azure_databox_job_double_encryption_enabled.yaml index cf597b4b8..66eea5263 100755 --- a/compliance/controls/azure/azure_databox_job_double_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_databox_job_double_encryption_enabled.yaml 
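Review bot: The SKU allow-list in the new `QueryToExecute` of this hunk is spelled out twice, once in the `status` CASE and again in the `reason` CASE, so a SKU added to one list and not the other makes status and reason disagree. Computing the match once, for example with `cross join lateral (select sku_name = any (ARRAY [...]) as double_encrypted) as e` and testing `e.double_encrypted` in both CASE expressions, keeps the two in step. A comment naming the source of the SKU list would also help, since the control treats every SKU not in the list as non-compliant.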
@@ -1,8 +1,6 @@
 ID: azure_databox_job_double_encryption_enabled
 Title: "Azure Data Box jobs should enable double encryption for data at rest on the device"
 Description: "Enable a second layer of software-based encryption for data at rest on the device. The device is already protected via Advanced Encryption Standard 256-bit encryption for data at rest. This option adds a second layer of data encryption."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_databox_job_unlock_password_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_databox_job_unlock_password_encrypted_with_cmk.yaml
index 388a28eed..a7a162014 100755
--- a/compliance/controls/azure/azure_databox_job_unlock_password_encrypted_with_cmk.yaml
+++ b/compliance/controls/azure/azure_databox_job_unlock_password_encrypted_with_cmk.yaml
@@ -1,8 +1,6 @@
 ID: azure_databox_job_unlock_password_encrypted_with_cmk
 Title: "Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password"
 Description: "Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_datalake_analytics_account_logging_enabled.yaml b/compliance/controls/azure/azure_datalake_analytics_account_logging_enabled.yaml
index 6611d4783..241eddaa1 100755
--- a/compliance/controls/azure/azure_datalake_analytics_account_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_datalake_analytics_account_logging_enabled.yaml
@@ -1,69 +1,21 @@
 ID: azure_datalake_analytics_account_logging_enabled
 Title: "Resource logs in Data Lake Analytics should be enabled"
 Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with logging_details as (
- select
- distinct account_id as account_id
- from
- azure_data_lake_analytics_account,
- jsonb_array_elements(diagnostic_settings) setting,
- jsonb_array_elements(setting -> 'properties' -> 'logs') log
- where
- diagnostic_settings is not null
- and (
- (
- (log ->> 'enabled') :: boolean
- and (log -> 'retentionPolicy' ->> 'enabled') :: boolean
- and (log -> 'retentionPolicy') :: JSONB ? 'days'
- )
- or
- (
- (log ->> 'enabled') :: boolean
- and (
- log -> 'retentionPolicy' ->> 'enabled' <> 'true'
- or setting -> 'properties' ->> 'storageAccountId' = ''
- )
- )
- )
- )
- select
- a.account_id as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when a.diagnostic_settings is null then 'alarm'
- when l.account_id is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when a.diagnostic_settings is null then a.name || ' logging disabled.'
- when l.account_id is not null then a.name || ' logging enabled.'
- else a.name || ' logging disabled.'
- end as reason
-
- , a.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_data_lake_analytics_account as a
- left join logging_details as l on a.account_id = l.account_id,
- azure_subscription as sub
- where
- sub.subscription_id = a.subscription_id;
+ QueryToExecute: "with logging_details as (\n select\n distinct account_id as account_id\n from\n azure_data_lake_analytics_account,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and (\n (\n (log ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy' ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy') :: JSONB ? 'days'\n )\n or\n (\n (log ->> 'enabled') :: boolean\n and (\n log -> 'retentionPolicy' ->> 'enabled' <> 'true'\n or setting -> 'properties' ->> 'storageAccountId' = ''\n )\n )\n )\n)\nselect\n a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.diagnostic_settings is null then 'alarm'\n when l.account_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.diagnostic_settings is null then a.name || ' logging disabled.'\n when l.account_id is not null then a.name || ' logging enabled.'\n else a.name || ' logging disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_data_lake_analytics_account as a\n left join logging_details as l on a.account_id = l.account_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n"
 PrimaryTable: azure_data_lake_analytics_account
 ListOfTables:
- - azure_data_lake_analytics_account
- - azure_subscription
+ - azure_data_lake_analytics_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 hipaa_hitrust_v92:
- - "true"
+ - "true"
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- - Azure/DataLakeAnalytics
+ - Azure/DataLakeAnalytics
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_datalake_store_account_encryption_enabled.yaml b/compliance/controls/azure/azure_datalake_store_account_encryption_enabled.yaml
index 1f6fc9f91..708ddf537 100755
--- a/compliance/controls/azure/azure_datalake_store_account_encryption_enabled.yaml
+++ b/compliance/controls/azure/azure_datalake_store_account_encryption_enabled.yaml
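Review bot: In the `logging_details` CTE the second `or` branch accepts any enabled log category whose retention policy is not `'true'` or whose `storageAccountId` is empty, so together with the first branch the filter passes almost every enabled category regardless of retention; the only enabled configuration that fails is one with retention enabled, no `days` key and a storage account set, which reads as inverted. If the intent is to require a retention period, drop the second branch; if the intent is only "at least one category is enabled", reduce the predicate to `(log ->> 'enabled') :: boolean` and state that in the Description. Because the CTE is `distinct account_id` over single categories, one enabled category is enough for 'ok'; if every category is expected, an aggregation over the categories is needed instead of an existence test. The identical predicate is repeated in the azure_datalake_store_account_logging_enabled and azure_eventhub_namespace_logging_enabled hunks of this commit.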
@@ -1,39 +1,19 @@
 ID: azure_datalake_store_account_encryption_enabled
 Title: "Require encryption on Data Lake Store accounts"
 Description: "This policy ensures encryption is enabled on all Data Lake Store accounts."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- b.account_id as resource,
- b.og_account_id as og_account_id,
- b.og_resource_id as og_resource_id,
- case
- when encryption_state = 'Enabled' then 'ok'
- else 'alarm'
- end as status,
- case
- when encryption_state = 'Enabled' then b.name || ' encryption enabled.'
- else b.name || ' encryption disabled.'
- end as reason
-
- , b.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_data_lake_store as b,
- azure_subscription as sub
- where
- sub.subscription_id = b.subscription_id;
+ QueryToExecute: "select\n b.account_id as resource,\n b.og_account_id as og_account_id,\n b.og_resource_id as og_resource_id,\n case\n when encryption_state = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption_state = 'Enabled' then b.name || ' encryption enabled.'\n else b.name || ' encryption disabled.'\n end as reason\n \n , b.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_data_lake_store as b,\n azure_subscription as sub\nwhere\n sub.subscription_id = b.subscription_id;\n"
 PrimaryTable: azure_data_lake_store
 ListOfTables:
- - azure_data_lake_store
- - azure_subscription
+ - azure_data_lake_store
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 hipaa_hitrust_v92:
- - "true"
+ - "true"
 service:
- - Azure/DataLakeStorage
+ - Azure/DataLakeStorage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_datalake_store_account_logging_enabled.yaml b/compliance/controls/azure/azure_datalake_store_account_logging_enabled.yaml
index 817f69e08..dc9bebc4e 100755
--- a/compliance/controls/azure/azure_datalake_store_account_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_datalake_store_account_logging_enabled.yaml
@@ -1,69 +1,21 @@
 ID: azure_datalake_store_account_logging_enabled
 Title: "Resource logs in Azure Data Lake Store should be enabled"
 Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with logging_details as (
- select
- distinct account_id as account_id
- from
- azure_data_lake_store,
- jsonb_array_elements(diagnostic_settings) setting,
- jsonb_array_elements(setting -> 'properties' -> 'logs') log
- where
- diagnostic_settings is not null
- and (
- (
- (log ->> 'enabled') :: boolean
- and (log -> 'retentionPolicy' ->> 'enabled') :: boolean
- and (log -> 'retentionPolicy') :: JSONB ? 'days'
- )
- or
- (
- (log ->> 'enabled') :: boolean
- and (
- log -> 'retentionPolicy' ->> 'enabled' <> 'true'
- or setting -> 'properties' ->> 'storageAccountId' = ''
- )
- )
- )
- )
- select
- a.account_id as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when a.diagnostic_settings is null then 'alarm'
- when l.account_id is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when a.diagnostic_settings is null then a.name || ' logging disabled.'
- when l.account_id is not null then a.name || ' logging enabled.'
- else a.name || ' logging disabled.'
- end as reason
-
- , a.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_data_lake_store as a
- left join logging_details as l on a.account_id = l.account_id,
- azure_subscription as sub
- where
- sub.subscription_id = a.subscription_id;
+ QueryToExecute: "with logging_details as (\n select\n distinct account_id as account_id\n from\n azure_data_lake_store,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and (\n (\n (log ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy' ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy') :: JSONB ? 'days'\n )\n or\n (\n (log ->> 'enabled') :: boolean\n and (\n log -> 'retentionPolicy' ->> 'enabled' <> 'true'\n or setting -> 'properties' ->> 'storageAccountId' = ''\n )\n )\n )\n)\nselect\n a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.diagnostic_settings is null then 'alarm'\n when l.account_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.diagnostic_settings is null then a.name || ' logging disabled.'\n when l.account_id is not null then a.name || ' logging enabled.'\n else a.name || ' logging disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_data_lake_store as a\n left join logging_details as l on a.account_id = l.account_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n"
 PrimaryTable: azure_data_lake_store
 ListOfTables:
- - azure_data_lake_store
- - azure_subscription
+ - azure_data_lake_store
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 hipaa_hitrust_v92:
- - "true"
+ - "true"
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- - Azure/DataLakeStorage
+ - Azure/DataLakeStorage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_eventgrid_domain_identity_provider_enabled.yaml b/compliance/controls/azure/azure_eventgrid_domain_identity_provider_enabled.yaml
index 73d9a0612..4f9e38b57 100755
--- a/compliance/controls/azure/azure_eventgrid_domain_identity_provider_enabled.yaml
+++ b/compliance/controls/azure/azure_eventgrid_domain_identity_provider_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_eventgrid_domain_identity_provider_enabled
 Title: "Event Grid domains identity provider should be enabled"
 Description: "Ensure that managed identity provider is enabled for Event Grid Domain. This control is non-compliant if Event Grid domain identity provider is disabled."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
 azure_subscription sub;
 PrimaryTable: azure_eventgrid_domain
 ListOfTables:
- - azure_eventgrid_domain
- - azure_subscription
+ - azure_eventgrid_domain
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_eventgrid_domain_private_link_used.yaml b/compliance/controls/azure/azure_eventgrid_domain_private_link_used.yaml
index eb0b5c659..74364e2ae 100755
--- a/compliance/controls/azure/azure_eventgrid_domain_private_link_used.yaml
+++ b/compliance/controls/azure/azure_eventgrid_domain_private_link_used.yaml
@@ -1,42 +1,19 @@
 ID: azure_eventgrid_domain_private_link_used
 Title: "Azure Event Grid domains should use private link"
 Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid domain instead of the entire service, you'll also be protected against data leakage risks."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when public_network_access = 'Enabled' then 'alarm'
- when private_endpoint_connections is null then 'info'
- when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then 'ok'
- else 'alarm'
- end as status,
- case
- when public_network_access = 'Enabled' then a.name || ' using public networks.'
- when private_endpoint_connections is null then a.name || ' no private link exists.'
- when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb
- then a.name || ' using private link.'
- else a.name || ' not using private link.'
- end as reason
-
- , a.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_eventgrid_domain a,
- azure_subscription sub;
+ QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when public_network_access = 'Enabled' then 'alarm'\n when private_endpoint_connections is null then 'info'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then 'ok'\n else 'alarm'\n end as status,\n case\n when public_network_access = 'Enabled' then a.name || ' using public networks.'\n when private_endpoint_connections is null then a.name || ' no private link exists.'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb\n then a.name || ' using private link.'\n else a.name || ' not using private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_eventgrid_domain a,\n azure_subscription sub;\n"
 PrimaryTable: azure_eventgrid_domain
 ListOfTables:
- - azure_eventgrid_domain
- - azure_subscription
+ - azure_eventgrid_domain
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- - Azure/EventGrid
+ - Azure/EventGrid
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_eventgrid_domain_restrict_public_access.yaml b/compliance/controls/azure/azure_eventgrid_domain_restrict_public_access.yaml
index 0ea1ff2ea..738155fa3 100755
--- a/compliance/controls/azure/azure_eventgrid_domain_restrict_public_access.yaml
+++ b/compliance/controls/azure/azure_eventgrid_domain_restrict_public_access.yaml
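Review bot: The rewritten query ends with `from azure_eventgrid_domain a, azure_subscription sub;` and carries no join predicate, so every domain row is cross-joined with every subscription and the `subscription` column comes from an unrelated subscription whenever more than one is inventoried; the other rewritten queries in this commit close with `where sub.subscription_id = a.subscription_id;` and this one should too. The same cross join is in the azure_eventgrid_topic_private_link_used hunk. The short hunks for the eventgrid identity-provider, restrict-public-access and local-auth controls show the same trailing `azure_subscription sub;` context line, so they are probably affected as well, although their queries lie outside the diff.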
@@ -1,8 +1,6 @@
 ID: azure_eventgrid_domain_restrict_public_access
 Title: "Event Grid domains should restrict public network access"
 Description: "Ensure that Event Grid Domain public network access is disabled. This control is non-compliant if Event Grid domains have public network access enabled."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
 azure_subscription sub;
 PrimaryTable: azure_eventgrid_domain
 ListOfTables:
- - azure_eventgrid_domain
- - azure_subscription
+ - azure_eventgrid_domain
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_eventgrid_topic_identity_provider_enabled.yaml b/compliance/controls/azure/azure_eventgrid_topic_identity_provider_enabled.yaml
index fa1cc318b..9361a2332 100755
--- a/compliance/controls/azure/azure_eventgrid_topic_identity_provider_enabled.yaml
+++ b/compliance/controls/azure/azure_eventgrid_topic_identity_provider_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_eventgrid_topic_identity_provider_enabled
 Title: "Event Grid topics identity provider should be enabled"
 Description: "Ensure that managed identity provider is enabled for the Event Grid Topic. This control is non-compliant if Event Grid topic identity provider is disabled."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
 azure_subscription sub;
 PrimaryTable: azure_eventgrid_topic
 ListOfTables:
- - azure_eventgrid_topic
- - azure_subscription
+ - azure_eventgrid_topic
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_eventgrid_topic_local_auth_enabled.yaml b/compliance/controls/azure/azure_eventgrid_topic_local_auth_enabled.yaml
index 1503b76ff..4fcd2a25d 100755
--- a/compliance/controls/azure/azure_eventgrid_topic_local_auth_enabled.yaml
+++ b/compliance/controls/azure/azure_eventgrid_topic_local_auth_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_eventgrid_topic_local_auth_enabled
 Title: "Event Grid topics should have local authentication enabled"
 Description: "This control checks if Event Grid topics have local authentication enabled."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
 azure_subscription sub;
 PrimaryTable: azure_eventgrid_domain
 ListOfTables:
- - azure_eventgrid_domain
- - azure_subscription
+ - azure_eventgrid_domain
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_eventgrid_topic_private_link_used.yaml b/compliance/controls/azure/azure_eventgrid_topic_private_link_used.yaml
index 71f6c66f1..8a1785bde 100755
--- a/compliance/controls/azure/azure_eventgrid_topic_private_link_used.yaml
+++ b/compliance/controls/azure/azure_eventgrid_topic_private_link_used.yaml
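Review bot: `PrimaryTable: azure_eventgrid_domain` and the re-indented `ListOfTables` entry `- azure_eventgrid_domain` point this control, titled "Event Grid topics should have local authentication enabled", at the domain table rather than `azure_eventgrid_topic` as the neighbouring azure_eventgrid_topic_identity_provider_enabled hunk does; if the query, which lies outside the diff, also reads `azure_eventgrid_domain`, the control never evaluates a topic. This looks like a copy of the domain control, so `PrimaryTable: azure_eventgrid_topic` and `- azure_eventgrid_topic` are presumably what was meant. The title also frames local authentication being enabled as the compliant state, the opposite of the usual hardening guidance to disable local (key-based) authentication, so it is worth confirming which direction the query's ok/alarm actually encodes and making the Title and Description say so.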
@@ -1,42 +1,19 @@
 ID: azure_eventgrid_topic_private_link_used
 Title: "Azure Event Grid topics should use private link"
 Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Event Grid topic instead of the entire service, you'll also be protected against data leakage risks."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when public_network_access = 'Enabled' then 'alarm'
- when private_endpoint_connections is null then 'info'
- when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then 'ok'
- else 'alarm'
- end as status,
- case
- when public_network_access = 'Enabled' then a.name || ' using public networks.'
- when private_endpoint_connections is null then a.name || ' no private link exists.'
- when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb
- then a.name || ' using private link.'
- else a.name || ' not using private link.'
- end as reason
-
- , a.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_eventgrid_topic a,
- azure_subscription sub;
+ QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when public_network_access = 'Enabled' then 'alarm'\n when private_endpoint_connections is null then 'info'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then 'ok'\n else 'alarm'\n end as status,\n case\n when public_network_access = 'Enabled' then a.name || ' using public networks.'\n when private_endpoint_connections is null then a.name || ' no private link exists.'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb\n then a.name || ' using private link.'\n else a.name || ' not using private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_eventgrid_topic a,\n azure_subscription sub;\n"
 PrimaryTable: azure_eventgrid_topic
 ListOfTables:
- - azure_eventgrid_topic
- - azure_subscription
+ - azure_eventgrid_topic
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- - Azure/EventGrid
+ - Azure/EventGrid
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_eventhub_namespace_cmk_encryption_enabled.yaml b/compliance/controls/azure/azure_eventhub_namespace_cmk_encryption_enabled.yaml
index 2ebba2af8..ff8fdb31f 100755
--- a/compliance/controls/azure/azure_eventhub_namespace_cmk_encryption_enabled.yaml
+++ b/compliance/controls/azure/azure_eventhub_namespace_cmk_encryption_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_eventhub_namespace_cmk_encryption_enabled
 Title: "Event Hub namespaces should use a customer-managed key for encryption"
 Description: "Azure Event Hubs supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Event Hub will use to encrypt data in your namespace. Note that Event Hub only supports encryption with customer-managed keys for namespaces in dedicated clusters."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = a.subscription_id;
 PrimaryTable: azure_eventhub_namespace
 ListOfTables:
- - azure_eventhub_namespace
- - azure_subscription
+ - azure_eventhub_namespace
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_eventhub_namespace_logging_enabled.yaml b/compliance/controls/azure/azure_eventhub_namespace_logging_enabled.yaml
index 28b91b689..c0e61ddf1 100755
--- a/compliance/controls/azure/azure_eventhub_namespace_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_eventhub_namespace_logging_enabled.yaml
@@ -1,69 +1,21 @@
 ID: azure_eventhub_namespace_logging_enabled
 Title: "Resource logs in Event Hub should be enabled"
 Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with logging_details as (
- select
- distinct name as namespace_name
- from
- azure_eventhub_namespace,
- jsonb_array_elements(diagnostic_settings) setting,
- jsonb_array_elements(setting -> 'properties' -> 'logs') log
- where
- diagnostic_settings is not null
- and (
- (
- (log ->> 'enabled') :: boolean
- and (log -> 'retentionPolicy' ->> 'enabled') :: boolean
- and (log -> 'retentionPolicy') :: JSONB ? 'days'
- )
- or
- (
- (log ->> 'enabled') :: boolean
- and (
- log -> 'retentionPolicy' ->> 'enabled' <> 'true'
- or setting -> 'properties' ->> 'storageAccountId' = ''
- )
- )
- )
- )
- select
- v.id as resource,
- v.og_account_id as og_account_id,
- v.og_resource_id as og_resource_id,
- case
- when v.diagnostic_settings is null then 'alarm'
- when l.namespace_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when v.diagnostic_settings is null then v.name || ' logging not enabled.'
- when l.namespace_name is null then v.name || ' logging not enabled.'
- else v.name || ' logging enabled.'
- end as reason
-
- , v.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_eventhub_namespace as v
- left join logging_details as l on v.name = l.namespace_name,
- azure_subscription as sub
- where
- sub.subscription_id = v.subscription_id;
+ QueryToExecute: "with logging_details as (\n select\n distinct name as namespace_name\n from\n azure_eventhub_namespace,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and (\n (\n (log ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy' ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy') :: JSONB ? 'days'\n )\n or\n (\n (log ->> 'enabled') :: boolean\n and (\n log -> 'retentionPolicy' ->> 'enabled' <> 'true'\n or setting -> 'properties' ->> 'storageAccountId' = ''\n )\n )\n )\n)\nselect\n v.id as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when v.diagnostic_settings is null then 'alarm'\n when l.namespace_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when v.diagnostic_settings is null then v.name || ' logging not enabled.'\n when l.namespace_name is null then v.name || ' logging not enabled.'\n else v.name || ' logging enabled.'\n end as reason\n \n , v.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_eventhub_namespace as v\n left join logging_details as l on v.name = l.namespace_name,\n azure_subscription as sub\nwhere\n sub.subscription_id = v.subscription_id;\n"
 PrimaryTable: azure_eventhub_namespace
 ListOfTables:
- - azure_eventhub_namespace
- - azure_subscription
+ - azure_eventhub_namespace
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 hipaa_hitrust_v92:
- - "true"
+ - "true"
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- - Azure/EventHub
+ - Azure/EventHub
+IntegrationTypeName:
+ - azure_subscription
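Review bot: The `logging_details` CTE keys on `distinct name as namespace_name` and the outer query joins `on v.name = l.namespace_name`, whereas the sibling datalake controls key on `account_id` and azure_eventhub_namespace_private_link_used keys on `a.id`. Event Hubs namespace names are intended to be globally unique, so this probably resolves correctly today, but `id` is the stable resource key the rest of the commit uses and makes the join independent of naming rules; `distinct id` in the CTE and `on v.id = l.id` would align it. The retention predicate in the CTE has the same issue already noted on the azure_datalake_analytics_account_logging_enabled hunk.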
diff --git a/compliance/controls/azure/azure_eventhub_namespace_private_link_used.yaml b/compliance/controls/azure/azure_eventhub_namespace_private_link_used.yaml
index aba2dd7cf..b003e8431 100755
--- a/compliance/controls/azure/azure_eventhub_namespace_private_link_used.yaml
+++ b/compliance/controls/azure/azure_eventhub_namespace_private_link_used.yaml
@@ -1,51 +1,19 @@
 ID: azure_eventhub_namespace_private_link_used
 Title: "Event Hub namespaces should use private link"
 Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Event Hub namespaces, data leakage risks are reduced."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with eventhub_service_connection as (
- select
- distinct a.id
- from
- azure_eventhub_namespace as a,
- jsonb_array_elements(private_endpoint_connections) as connection
- where
- connection -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'
- )
- select
- a.id as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when sku_tier = 'Basic' then 'skip'
- when c.id is null then 'alarm'
- else 'ok'
- end as status,
- case
- when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.'
- when c.id is null then a.name || ' not uses private link.'
- else a.name || ' uses private link.'
- end as reason
-
- , a.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_eventhub_namespace as a
- left join eventhub_service_connection as c on c.id = a.id,
- azure_subscription as sub
- where
- sub.subscription_id = a.subscription_id;
+ QueryToExecute: "with eventhub_service_connection as (\n select\n distinct a.id\n from\n azure_eventhub_namespace as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when sku_tier = 'Basic' then 'skip'\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.'\n when c.id is null then a.name || ' not uses private link.'\n else a.name || ' uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_eventhub_namespace as a\n left join eventhub_service_connection as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n"
 PrimaryTable: azure_eventhub_namespace
 ListOfTables:
- - azure_eventhub_namespace
- - azure_subscription
+ - azure_eventhub_namespace
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- - Azure/EventHub
+ - Azure/EventHub
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_eventhub_namespace_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_eventhub_namespace_use_virtual_service_endpoint.yaml
index 39f1f12fe..399d8c21d 100755
--- a/compliance/controls/azure/azure_eventhub_namespace_use_virtual_service_endpoint.yaml
+++ b/compliance/controls/azure/azure_eventhub_namespace_use_virtual_service_endpoint.yaml
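Review bot: This control reports 'ok' as soon as one private endpoint connection has `status = 'Approved'`, without considering whether public network access is still allowed, whereas the eventgrid private-link controls in this same commit alarm first on `public_network_access = 'Enabled'`; an approved private endpoint on its own does not stop traffic arriving over the public endpoint. If `azure_eventhub_namespace` exposes the equivalent field, adding that branch ahead of the `c.id is null` check would make the two control families enforce the same thing. Minor wording in the reason text: `' not uses private link.'` should read `' does not use private link.'`.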
@@ -1,49 +1,19 @@ ID: azure_eventhub_namespace_use_virtual_service_endpoint Title: "Event Hub should use a virtual network service endpoint" Description: "This policy audits any Event Hub not configured to use a virtual network service endpoint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with eventhub_namesapce_with_virtual_network as ( - select - distinct a.id - from - azure_eventhub_namespace as a, - jsonb_array_elements(network_rule_set -> 'properties' -> 'virtualNetworkRules') as rule - where - rule -> 'subnet' ->> 'id' is not null - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when c.id is null then a.name || ' not configured with virtual network service endpoint.' - else a.name || ' configured with virtual network service endpoint.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_eventhub_namespace as a - left join eventhub_namesapce_with_virtual_network as c on c.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with eventhub_namesapce_with_virtual_network as (\n select\n distinct a.id\n from\n azure_eventhub_namespace as a,\n jsonb_array_elements(network_rule_set -> 'properties' -> 'virtualNetworkRules') as rule\n where\n rule -> 'subnet' ->> 'id' is not null\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.id is null then a.name || ' not configured with virtual network service endpoint.'\n else a.name || ' configured with virtual network service endpoint.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_eventhub_namespace as a\n left join 
eventhub_namesapce_with_virtual_network as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_eventhub_namespace ListOfTables: - - azure_eventhub_namespace - - azure_subscription + - azure_eventhub_namespace + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/EventHub + - Azure/EventHub +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_frontdoor_waf_enabled.yaml b/compliance/controls/azure/azure_frontdoor_waf_enabled.yaml index fd1852029..fe7c5f420 100755 --- a/compliance/controls/azure/azure_frontdoor_waf_enabled.yaml +++ b/compliance/controls/azure/azure_frontdoor_waf_enabled.yaml 
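Review bot: The CTE name `eventhub_namesapce_with_virtual_network` carries a typo ("namesapce") that is now repeated in the CTE definition and in the `left join`; renaming it to `eventhub_namespace_with_virtual_network` in both places costs nothing while the query is being touched. On substance, the check reports `ok` as soon as any `virtualNetworkRules` entry has a `subnet.id`, which shows a service endpoint is configured but not that public access is otherwise restricted; if the `network_rule_set` payload exposes the default action for traffic outside the rules, it is worth folding into the status, but I cannot confirm that field from this hunk.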
@@ -1,49 +1,19 @@ ID: azure_frontdoor_waf_enabled Title: "Web Application Firewall (WAF) should be enabled for Azure Front Door Service" Description: "Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with frontdoor_with_waf as ( - select - distinct a.front_door_id - from - azure_frontdoor as a, - jsonb_array_elements(frontend_endpoints) as endpoint - where - endpoint -> 'properties' -> 'webApplicationFirewallPolicyLink' ->> 'id' is not null - ) - select - a.front_door_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when c.front_door_id is not null then 'ok' - else 'alarm' - end as status, - case - when c.front_door_id is not null then a.name || ' WAF enabled.' - else a.name || ' WAF disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_frontdoor as a - left join frontdoor_with_waf as c on c.front_door_id = a.front_door_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with frontdoor_with_waf as (\n select\n distinct a.front_door_id\n from\n azure_frontdoor as a,\n jsonb_array_elements(frontend_endpoints) as endpoint\n where\n endpoint -> 'properties' -> 'webApplicationFirewallPolicyLink' ->> 'id' is not null\n)\nselect\n a.front_door_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when c.front_door_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when c.front_door_id is not null then a.name || ' WAF enabled.'\n else a.name || ' WAF disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_frontdoor as a\n left join frontdoor_with_waf as c on c.front_door_id = a.front_door_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_frontdoor ListOfTables: - - azure_frontdoor - - azure_subscription + - azure_frontdoor + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/FrontDoor + - Azure/FrontDoor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_hdinsight_cluster_encrypted_at_rest_with_cmk.yaml b/compliance/controls/azure/azure_hdinsight_cluster_encrypted_at_rest_with_cmk.yaml index afe28e393..1087412bf 100755 --- a/compliance/controls/azure/azure_hdinsight_cluster_encrypted_at_rest_with_cmk.yaml +++ b/compliance/controls/azure/azure_hdinsight_cluster_encrypted_at_rest_with_cmk.yaml 
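Review bot: `frontdoor_with_waf` selects `distinct a.front_door_id` for any frontend endpoint that has a `webApplicationFirewallPolicyLink`, so a Front Door with several frontend endpoints is reported `WAF enabled.` when only one of them is protected and the others are still exposed without inspection. The control's intent (WAF in front of the public-facing endpoints) is per endpoint, so the CTE should either count linked endpoints against the total (`count(*) filter (where endpoint -> 'properties' -> 'webApplicationFirewallPolicyLink' ->> 'id' is not null) = count(*)`) or the resource granularity should be the endpoint rather than the Front Door. At minimum the reason text should say which endpoints lack a policy so the finding is actionable.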
@@ -1,41 +1,19 @@ ID: azure_hdinsight_cluster_encrypted_at_rest_with_cmk Title: "Azure HDInsight clusters should use customer-managed keys to encrypt data at rest" Description: "Use customer-managed keys to manage the encryption at rest of your Azure HDInsight clusters. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when provisioning_state <> 'Succeeded' then 'skip' - when disk_encryption_properties -> 'keyName' is not null then 'ok' - else 'alarm' - end as status, - case - when provisioning_state <> 'Succeeded' then a.name || ' is in ' || provisioning_state || ' state.' - when disk_encryption_properties -> 'keyName' is not null then a.name || ' encrypted with CMK.' - else a.name || ' not encrypted with CMK.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_hdinsight_cluster as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when provisioning_state <> 'Succeeded' then 'skip'\n when disk_encryption_properties -> 'keyName' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when provisioning_state <> 'Succeeded' then a.name || ' is in ' || provisioning_state || ' state.'\n when disk_encryption_properties -> 'keyName' is not null then a.name || ' encrypted with CMK.'\n else a.name || ' not encrypted with CMK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_hdinsight_cluster as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_hdinsight_cluster ListOfTables: - - azure_hdinsight_cluster - - azure_subscription + - azure_hdinsight_cluster + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/HDInsight + - Azure/HDInsight +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_hdinsight_cluster_encryption_at_host_enabled.yaml b/compliance/controls/azure/azure_hdinsight_cluster_encryption_at_host_enabled.yaml index cd6fda758..869d54fa0 100755 --- a/compliance/controls/azure/azure_hdinsight_cluster_encryption_at_host_enabled.yaml +++ b/compliance/controls/azure/azure_hdinsight_cluster_encryption_at_host_enabled.yaml 
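Review bot: `disk_encryption_properties -> 'keyName' is not null` uses the jsonb `->` operator, which returns a jsonb `null` value (not SQL NULL) when the key is present with an explicit JSON null, so such a cluster would be reported `ok` / `encrypted with CMK.` Text extraction closes that gap in both the status and reason branches: `when disk_encryption_properties ->> 'keyName' is not null then 'ok'`. The same pattern appears in azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk (`cosmos_db_configuration -> 'keyVaultKeyUri' is not null`) and azure_hpc_cache_encrypted_with_cmk (`-> 'keyEncryptionKey' -> 'keyUrl' is not null`), while the `->> 'id' is not null` checks elsewhere in this diff are already safe. Whether the collector ever emits explicit nulls I cannot tell from here, but `->>` behaves correctly either way.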
@@ -1,41 +1,19 @@ ID: azure_hdinsight_cluster_encryption_at_host_enabled Title: "Azure HDInsight clusters should use encryption at host to encrypt data at rest" Description: "Enabling encryption at host helps protect and safeguard your data to meet your organizational security and compliance commitments. When you enable encryption at host, data stored on the VM host is encrypted at rest and flows encrypted to the Storage service." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when provisioning_state <> 'Succeeded' then 'skip' - when disk_encryption_properties -> 'encryptionAtHost' = 'true' then 'ok' - else 'alarm' - end as status, - case - when provisioning_state <> 'Succeeded' then a.name || ' is in ' || provisioning_state || ' state.' - when disk_encryption_properties -> 'encryptionAtHost' = 'true' then a.name || ' uses encryption at host to encrypt data at rest.' - else a.name || ' not uses encryption at host to encrypt data at rest.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_hdinsight_cluster as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when provisioning_state <> 'Succeeded' then 'skip'\n when disk_encryption_properties -> 'encryptionAtHost' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when provisioning_state <> 'Succeeded' then a.name || ' is in ' || provisioning_state || ' state.'\n when disk_encryption_properties -> 'encryptionAtHost' = 'true' then a.name || ' uses encryption at host to encrypt data at rest.'\n else a.name || ' not uses encryption at host to encrypt data at rest.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_hdinsight_cluster as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_hdinsight_cluster ListOfTables: - - azure_hdinsight_cluster - - azure_subscription + - azure_hdinsight_cluster + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/HDInsight + - Azure/HDInsight +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_hdinsight_cluster_encryption_in_transit_enabled.yaml b/compliance/controls/azure/azure_hdinsight_cluster_encryption_in_transit_enabled.yaml index c8e0be885..90b2022f7 100755 --- a/compliance/controls/azure/azure_hdinsight_cluster_encryption_in_transit_enabled.yaml +++ b/compliance/controls/azure/azure_hdinsight_cluster_encryption_in_transit_enabled.yaml 
@@ -1,41 +1,19 @@ ID: azure_hdinsight_cluster_encryption_in_transit_enabled Title: "Azure HDInsight clusters should use encryption in transit to encrypt communication between Azure HDInsight cluster nodes" Description: "Data can be tampered with during transmission between Azure HDInsight cluster nodes. Enabling encryption in transit addresses problems of misuse and tampering during this transmission." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when provisioning_state <> 'Succeeded' then 'skip' - when encryption_in_transit_properties -> 'isEncryptionInTransitEnabled' = 'true' then 'ok' - else 'alarm' - end as status, - case - when provisioning_state <> 'Succeeded' then a.name || ' is in ' || provisioning_state || ' state.' - when encryption_in_transit_properties -> 'isEncryptionInTransitEnabled' = 'true' then a.name || ' encryption in transit enabled.' - else a.name || ' encryption in transit disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_hdinsight_cluster as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when provisioning_state <> 'Succeeded' then 'skip'\n when encryption_in_transit_properties -> 'isEncryptionInTransitEnabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when provisioning_state <> 'Succeeded' then a.name || ' is in ' || provisioning_state || ' state.'\n when encryption_in_transit_properties -> 'isEncryptionInTransitEnabled' = 'true' then a.name || ' encryption in transit enabled.'\n else a.name || ' encryption in transit disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_hdinsight_cluster as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_hdinsight_cluster ListOfTables: - - azure_hdinsight_cluster - - azure_subscription + - azure_hdinsight_cluster + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/HDInsight + - Azure/HDInsight +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk.yaml b/compliance/controls/azure/azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk.yaml index 1ae04b970..359fed1d9 100755 --- a/compliance/controls/azure/azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk.yaml +++ b/compliance/controls/azure/azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk.yaml 
@@ -1,39 +1,19 @@ ID: azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk Title: "Azure API for FHIR should use a customer-managed key to encrypt data at rest" Description: "Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when cosmos_db_configuration -> 'keyVaultKeyUri' is not null then 'ok' - else 'alarm' - end as status, - case - when cosmos_db_configuration -> 'keyVaultKeyUri' is not null then a.name || ' encrypted with CMK.' - else a.name || ' not encrypted with CMK.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_healthcare_service as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when cosmos_db_configuration -> 'keyVaultKeyUri' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when cosmos_db_configuration -> 'keyVaultKeyUri' is not null then a.name || ' encrypted with CMK.'\n else a.name || ' not encrypted with CMK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_healthcare_service as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_healthcare_service ListOfTables: - - azure_healthcare_service - - azure_subscription + - azure_healthcare_service + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - 
Azure/HealthcareAPIs + - Azure/HealthcareAPIs +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_healthcare_fhir_uses_private_link.yaml b/compliance/controls/azure/azure_healthcare_fhir_uses_private_link.yaml index dcee68489..13e3791f6 100755 --- a/compliance/controls/azure/azure_healthcare_fhir_uses_private_link.yaml +++ b/compliance/controls/azure/azure_healthcare_fhir_uses_private_link.yaml 
@@ -1,39 +1,19 @@ ID: azure_healthcare_fhir_uses_private_link Title: "Azure API for FHIR should use private link" Description: "Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when private_endpoint_connections is null then 'info' - when private_endpoint_connections @> '[{"privateLinkServiceConnectionState": "Approved"}]'::jsonb then 'ok' - else 'alarm' - end as status, - case - when private_endpoint_connections is null then a.name || ' no private link exists.' - when private_endpoint_connections @> '[{"privateLinkServiceConnectionState": "Approved"}]'::jsonb then a.name || ' using private link.' - else a.name || ' not using private link.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_healthcare_service a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when private_endpoint_connections is null then 'info'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionState\": \"Approved\"}]'::jsonb then 'ok'\n else 'alarm'\n end as status,\n case\n when private_endpoint_connections is null then a.name || ' no private link exists.'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionState\": \"Approved\"}]'::jsonb then a.name || ' using private link.'\n else a.name || ' not using private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_healthcare_service a,\n azure_subscription sub;\n" PrimaryTable: azure_healthcare_service ListOfTables: - - azure_healthcare_service - - 
azure_subscription + - azure_healthcare_service + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/HealthcareAPIs + - Azure/HealthcareAPIs +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_hpc_cache_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_hpc_cache_encrypted_with_cmk.yaml index ccea9484d..d2f17f418 100755 --- a/compliance/controls/azure/azure_hpc_cache_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_hpc_cache_encrypted_with_cmk.yaml 
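Review bot: The final `from azure_healthcare_service a, azure_subscription sub;` has no join condition, unlike every other control in this chunk which ends with `where sub.subscription_id = a.subscription_id;`, so each service row is multiplied by the number of subscriptions and the `subscription` column is arbitrary. The containment check `private_endpoint_connections @> '[{"privateLinkServiceConnectionState": "Approved"}]'::jsonb` also treats `privateLinkServiceConnectionState` as a scalar, whereas azure_eventhub_namespace_private_link_used in this same diff reads it as an object via `-> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'`; if the healthcare payload has the same shape, this check never matches and every service with connections is reported `alarm`. I cannot confirm the payload shape from the hunk, but aligning this query with the event hub control's `jsonb_array_elements` pattern would remove the doubt.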
@@ -1,43 +1,19 @@ ID: azure_hpc_cache_encrypted_with_cmk Title: "HPC Cache accounts should use customer-managed key for encryption" Description: "Manage encryption at rest of Azure HPC Cache with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when - a.encryption_settings -> 'keyEncryptionKey' -> 'keyUrl' is not null - and a.encryption_settings -> 'keyEncryptionKey' -> 'sourceVault' ->> 'id' is not null then 'ok' - else 'alarm' - end as status, - case - when - a.encryption_settings -> 'keyEncryptionKey' -> 'keyUrl' is not null - and a.encryption_settings -> 'keyEncryptionKey' -> 'sourceVault' ->> 'id' is not null then a.name || ' encrypted with CMK.' - else a.name || ' not encrypted with CMK.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_hpc_cache as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when\n a.encryption_settings -> 'keyEncryptionKey' -> 'keyUrl' is not null\n and a.encryption_settings -> 'keyEncryptionKey' -> 'sourceVault' ->> 'id' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when\n a.encryption_settings -> 'keyEncryptionKey' -> 'keyUrl' is not null\n and a.encryption_settings -> 'keyEncryptionKey' -> 'sourceVault' ->> 'id' is not null then a.name || ' encrypted with CMK.'\n else a.name || ' not encrypted with CMK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_hpc_cache as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_hpc_cache ListOfTables: - - azure_hpc_cache - - azure_subscription + - azure_hpc_cache + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/HPCCache + - Azure/HPCCache +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml b/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml index 878e607a3..88fd15c52 100755 --- a/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml +++ b/compliance/controls/azure/azure_iam_conditional_access_mfa_enabled.yaml 
@@ -1,50 +1,33 @@ ID: azure_iam_conditional_access_mfa_enabled Title: "Ensure Multi-factor Authentication is required for Azure Management" Description: "For designated users, they will be prompted to use their multi-factor authentication (MFA) process on logins." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - p.id as resource, - p.og_account_id as og_account_id, - p.og_resource_id as og_resource_id, - case - when p.built_in_controls @> '["mfa"]' then 'ok' - else 'alarm' - end as status, - case - when p.built_in_controls @> '["mfa"]' then p.display_name || ' MFA enabled.' - else p.display_name || ' MFA disabled.' - end as reason, - t.tenant_id - - from - azure_tenant as t, - azuread_conditional_access_policy as p; + QueryToExecute: "select\n p.id as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when p.built_in_controls @> '[\"mfa\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when p.built_in_controls @> '[\"mfa\"]' then p.display_name || ' MFA enabled.'\n else p.display_name || ' MFA disabled.'\n end as reason,\n t.tenant_id\n \nfrom\n azure_tenant as t,\n azuread_conditional_access_policy as p;\n" PrimaryTable: azuread_conditional_access_policy ListOfTables: - - azure_tenant - - azuread_conditional_access_policy + - azure_tenant + - azuread_conditional_access_policy Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 1.2.6 + - 1.2.6 cis_level: - - "1" + - "1" cis_section_id: - - "1.2" + - "1.2" cis_type: - - manual + - manual cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_deprecated_account.yaml b/compliance/controls/azure/azure_iam_deprecated_account.yaml index 854f90e45..81e416595 100755 
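Review bot: The status is derived only from `p.built_in_controls @> '["mfa"]'`, so a conditional access policy that requires MFA but is disabled or in report-only mode, or that does not target the Azure management application the title refers to, is still reported `MFA enabled.`; if `azuread_conditional_access_policy` exposes the policy state and target applications, both should be part of the `case`. The `from azure_tenant as t, azuread_conditional_access_policy as p` cross join carries no condition; it is harmless for a single tenant row but worth a comment such as `-- azure_tenant is expected to hold a single row; used only to expose tenant_id`. Under Tags, `cis_item_id: - 1.2.6` is the only CIS value left unquoted while `"1.2"` and `"1"` are quoted; `- "1.2.6"` keeps the file consistent.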
--- a/compliance/controls/azure/azure_iam_deprecated_account.yaml +++ b/compliance/controls/azure/azure_iam_deprecated_account.yaml 
@@ -1,57 +1,25 @@ ID: azure_iam_deprecated_account Title: "Blocked accounts with read and write permissions on Azure resources should be removed" Description: "Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with disabled_users as ( - select - distinct - u.display_name, - u.account_enabled, - u.user_principal_name, - u.id, - d.subscription_id - from - azuread_user as u - left join azure_role_assignment as a on a.principal_id = u.id - left join azure_role_definition as d on d.id = a.role_definition_id - where not u.account_enabled - ) - select - u.user_principal_name as resource, - u.og_account_id as og_account_id, - u.og_resource_id as og_resource_id, - case - when d.id is null then 'ok' - else 'alarm' - end as status, - case - when d.id is null then u.display_name || ' sign-in enabled.' - else u.display_name || ' sign-in disabled.' 
- end as reason, - t.tenant_id - - from - azure_tenant as t, - azuread_user as u - left join disabled_users as d on d.id = u.id; + QueryToExecute: "with disabled_users as (\n select\n distinct\n u.display_name,\n u.account_enabled,\n u.user_principal_name,\n u.id,\n d.subscription_id\n from\n azuread_user as u\n left join azure_role_assignment as a on a.principal_id = u.id\n left join azure_role_definition as d on d.id = a.role_definition_id\n where not u.account_enabled\n)\nselect\n u.user_principal_name as resource,\n u.og_account_id as og_account_id,\n u.og_resource_id as og_resource_id,\n case\n when d.id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when d.id is null then u.display_name || ' sign-in enabled.'\n else u.display_name || ' sign-in disabled.'\n end as reason,\n t.tenant_id\n \nfrom\n azure_tenant as t,\n azuread_user as u\n left join disabled_users as d on d.id = u.id;\n" PrimaryTable: azuread_user ListOfTables: - - azure_role_assignment - - azure_role_definition - - azure_tenant - - azuread_user + - azure_role_assignment + - azure_role_definition + - azure_tenant + - azuread_user Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml b/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml index 8676f76b5..d63f8c66b 100755 --- a/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml +++ b/compliance/controls/azure/azure_iam_deprecated_account_with_owner_roles.yaml 
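Review bot: The `disabled_users` CTE keeps every user with `not u.account_enabled` because the role assignment and role definition are only `left join`ed and never required, so the control alarms on all blocked accounts, not on "blocked accounts with read and write permissions" as the title states. Adding `and a.principal_id is not null` to the CTE's `where` (or turning the two joins into inner joins) restricts the finding to blocked accounts that still hold an assignment. `d.subscription_id` is selected in the CTE but never used, and the reason strings are inverted relative to the title's intent: `d.id is null` yields `sign-in enabled.`, which describes the user rather than the absence of a stale assignment; `u.display_name || ' has no role assignments while blocked.'` versus `u.display_name || ' is blocked but still holds role assignments.'` would be clearer.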
@@ -1,46 +1,25 @@ ID: azure_iam_deprecated_account_with_owner_roles Title: "Blocked accounts with owner permissions on Azure resources should be removed" Description: "Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - distinct u.user_principal_name as resource, - u.og_account_id as og_account_id, - u.og_resource_id as og_resource_id, - case - when not u.account_enabled then 'alarm' - else 'ok' - end as status, - case - when not u.account_enabled then u.display_name || ' signing-in disabled state with ' || d.role_name || ' role.' - else u.display_name || ' signing-in enabled.' - end as reason, - t.tenant_id - - from - azure_tenant as t, - azuread_user as u - left join azure_role_assignment as a on a.principal_id = u.id - left join azure_role_definition as d on d.id = a.role_definition_id - -- Query checks the users with only Owner role - where d.role_name = 'Owner'; + QueryToExecute: "select\n distinct u.user_principal_name as resource,\n u.og_account_id as og_account_id,\n u.og_resource_id as og_resource_id,\n case\n when not u.account_enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when not u.account_enabled then u.display_name || ' signing-in disabled state with ' || d.role_name || ' role.'\n else u.display_name || ' signing-in enabled.'\n end as reason,\n t.tenant_id\n \nfrom\n azure_tenant as t,\n azuread_user as u\n left join azure_role_assignment as a on a.principal_id = u.id\n left join azure_role_definition as d on d.id = a.role_definition_id\n -- Query checks the users with only Owner role\n where d.role_name = 'Owner';\n" PrimaryTable: azuread_user ListOfTables: - - azure_role_assignment - - azure_role_definition - - azure_tenant - - azuread_user + - azure_role_assignment + - azure_role_definition + - azure_tenant + - azuread_user Parameters: [] Severity: 
high Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml b/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml index 10a041cab..e88ea4a17 100755 --- a/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml +++ b/compliance/controls/azure/azure_iam_external_user_with_owner_role.yaml 
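Review bot: `where d.role_name = 'Owner'` after two `left join`s silently turns them into inner joins; writing `join azure_role_assignment` / `join azure_role_definition` makes the intent explicit and matches the comment `-- Query checks the users with only Owner role`. The filter also matches only the built-in role name, so a custom role with equivalent permissions assigned to a blocked account is not reported; if role definitions expose their permission actions, matching on those would be more robust, though I cannot confirm that from the hunk. As in the other IAM controls here, `azure_tenant as t` is cross-joined without a condition solely to surface `t.tenant_id`, which deserves a short comment.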
@@ -1,58 +1,25 @@ ID: azure_iam_external_user_with_owner_role Title: "Guest accounts with owner permissions on Azure resources should be removed" Description: "External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_owner_users as ( - select - distinct - u.display_name, - d.role_name, - u.account_enabled, - u.user_principal_name, - d.subscription_id, - u.og_account_id as og_account_id, - u.og_resource_id as og_resource_id - from - azuread_user as u - left join azure_role_assignment as a on a.principal_id = u.id - left join azure_role_definition as d on d.id = a.role_definition_id - where d.role_name = 'Owner' - ) - select - a.user_principal_name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.user_principal_name like '%EXT%' then 'alarm' - else 'ok' - end as status, - case - when a.user_principal_name like '%EXT%' then a.display_name || ' is external user with ' || a.role_name || ' role.' - else a.display_name || ' is domain user with ' || a.role_name || ' role.' 
- end as reason, - t.tenant_id - - from - azure_tenant as t, - all_owner_users as a; + QueryToExecute: "with all_owner_users as (\n select\n distinct\n u.display_name,\n d.role_name,\n u.account_enabled,\n u.user_principal_name,\n d.subscription_id,\n u.og_account_id as og_account_id,\n u.og_resource_id as og_resource_id\n from\n azuread_user as u\n left join azure_role_assignment as a on a.principal_id = u.id\n left join azure_role_definition as d on d.id = a.role_definition_id\n where d.role_name = 'Owner'\n)\nselect\n a.user_principal_name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.user_principal_name like '%EXT%' then 'alarm'\n else 'ok'\n end as status,\n case\n when a.user_principal_name like '%EXT%' then a.display_name || ' is external user with ' || a.role_name || ' role.'\n else a.display_name || ' is domain user with ' || a.role_name || ' role.'\n end as reason,\n t.tenant_id\n \nfrom\n azure_tenant as t,\n all_owner_users as a;\n" PrimaryTable: azuread_user ListOfTables: - - azure_role_assignment - - azure_role_definition - - azure_tenant - - azuread_user + - azure_role_assignment + - azure_role_definition + - azure_tenant + - azuread_user Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml b/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml index fd205a814..4e52c0920 100755 --- a/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml +++ b/compliance/controls/azure/azure_iam_external_user_with_read_permission.yaml 
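Review bot: Guest detection relies on `a.user_principal_name like '%EXT%'`, which is a case-sensitive substring match: a member account whose UPN happens to contain `EXT` (for example a mailbox starting with `TEXT...`) is flagged as external, while B2B guests whose UPN does not carry the marker are reported as domain users with the Owner role. If `azuread_user` exposes the directory's user type attribute, that is the reliable signal; failing that, the pattern should at least be tightened to the actual marker form the tenant uses and documented with a comment. The same heuristic is used in azure_iam_external_user_with_read_permission, so fix both together.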
@@ -1,58 +1,25 @@ ID: azure_iam_external_user_with_read_permission Title: "Guest accounts with read permissions on Azure resources should be removed" Description: "External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_write_permission_users as ( - select - distinct - u.display_name, - d.role_name, - u.account_enabled, - u.user_principal_name, - d.subscription_id, - u.og_account_id as og_account_id, - u.og_resource_id as og_resource_id - from - azuread_user as u - left join azure_role_assignment as a on a.principal_id = u.id - left join azure_role_definition as d on d.id = a.role_definition_id - where d.role_name = 'Reader' - ) - select - a.user_principal_name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.user_principal_name like '%EXT%' then 'alarm' - else 'ok' - end as status, - case - when a.user_principal_name like '%EXT%' then a.display_name || ' is external user with ' || a.role_name || ' role.' - else a.display_name || ' is domain user with ' || a.role_name || ' role.' 
- end as reason, - t.tenant_id - - from - azure_tenant as t, - all_write_permission_users as a; + QueryToExecute: "with all_write_permission_users as (\n select\n distinct\n u.display_name,\n d.role_name,\n u.account_enabled,\n u.user_principal_name,\n d.subscription_id,\n u.og_account_id as og_account_id,\n u.og_resource_id as og_resource_id\n from\n azuread_user as u\n left join azure_role_assignment as a on a.principal_id = u.id\n left join azure_role_definition as d on d.id = a.role_definition_id\n where d.role_name = 'Reader'\n)\nselect\n a.user_principal_name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.user_principal_name like '%EXT%' then 'alarm'\n else 'ok'\n end as status,\n case\n when a.user_principal_name like '%EXT%' then a.display_name || ' is external user with ' || a.role_name || ' role.'\n else a.display_name || ' is domain user with ' || a.role_name || ' role.'\n end as reason,\n t.tenant_id\n \nfrom\n azure_tenant as t,\n all_write_permission_users as a;\n" PrimaryTable: azuread_user ListOfTables: - - azure_role_assignment - - azure_role_definition - - azure_tenant - - azuread_user + - azure_role_assignment + - azure_role_definition + - azure_tenant + - azuread_user Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml b/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml index 5ae04f8f8..6a38b6288 100755 --- a/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml +++ b/compliance/controls/azure/azure_iam_external_user_with_write_permission.yaml 
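Review bot: The CTE in this control is still named `all_write_permission_users` even though it filters on `d.role_name = 'Reader'`, which makes the query read as if it were the write-permission control. Renaming it `all_read_permission_users` in both the `with` clause and the closing `from` keeps the name consistent with the Title and Description of this file.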
@@ -1,59 +1,25 @@ ID: azure_iam_external_user_with_write_permission Title: "Guest accounts with write permissions on Azure resources should be removed" Description: "External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with all_write_permission_users as ( - select - distinct - u.display_name, - d.role_name, - u.account_enabled, - u.user_principal_name, - d.subscription_id, - u.og_account_id as og_account_id, - u.og_resource_id as og_resource_id - from - azuread_user as u - left join azure_role_assignment as a on a.principal_id = u.id - left join azure_role_definition as d on d.id = a.role_definition_id - where - d.role_name = any(array['Owner', 'Contributor']) - ) - select - a.user_principal_name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.user_principal_name like '%EXT%' then 'alarm' - else 'ok' - end as status, - case - when a.user_principal_name like '%EXT%' then a.display_name || ' is external user with ' || a.role_name || ' role.' - else a.display_name || ' is domain user with ' || a.role_name || ' role.' 
- end as reason, - t.tenant_id - - from - azure_tenant as t, - all_write_permission_users as a; + QueryToExecute: "with all_write_permission_users as (\n select\n distinct\n u.display_name,\n d.role_name,\n u.account_enabled,\n u.user_principal_name,\n d.subscription_id,\n u.og_account_id as og_account_id,\n u.og_resource_id as og_resource_id\n from\n azuread_user as u\n left join azure_role_assignment as a on a.principal_id = u.id\n left join azure_role_definition as d on d.id = a.role_definition_id\n where\n d.role_name = any(array['Owner', 'Contributor'])\n)\nselect\n a.user_principal_name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.user_principal_name like '%EXT%' then 'alarm'\n else 'ok'\n end as status,\n case\n when a.user_principal_name like '%EXT%' then a.display_name || ' is external user with ' || a.role_name || ' role.'\n else a.display_name || ' is domain user with ' || a.role_name || ' role.'\n end as reason,\n t.tenant_id\n \nfrom\n azure_tenant as t,\n all_write_permission_users as a;\n" PrimaryTable: azuread_user ListOfTables: - - azure_role_assignment - - azure_role_definition - - azure_tenant - - azuread_user + - azure_role_assignment + - azure_role_definition + - azure_tenant + - azuread_user Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_no_custom_role.yaml b/compliance/controls/azure/azure_iam_no_custom_role.yaml index 30afea9c5..a4cc0b974 100755 --- a/compliance/controls/azure/azure_iam_no_custom_role.yaml +++ b/compliance/controls/azure/azure_iam_no_custom_role.yaml 
@@ -1,58 +1,23 @@ ID: azure_iam_no_custom_role Title: "Audit usage of custom RBAC roles" Description: "Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - with custom_roles as ( - select - role_name, - role_type, - subscription_id, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - _ctx - from - azure_role_definition - where - role_type = 'CustomRole' - ) - select - cr.subscription_id as resource, - cr.og_account_id as og_account_id, - cr.og_resource_id as og_resource_id, - case - when count(*) > 0 then 'alarm' - else 'ok' - end as status, - 'There are ' || count(*) || ' custom roles.' as reason - - , sub.display_name as subscription - from - custom_roles as cr, - azure_subscription as sub - where - sub.subscription_id = cr.subscription_id - group by - cr.subscription_id, - cr._ctx, - sub.display_name, - cr.og_account_id, - cr.og_resource_id + QueryToExecute: "with custom_roles as (\n select\n role_name,\n role_type,\n subscription_id,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n _ctx\n from\n azure_role_definition\n where\n role_type = 'CustomRole'\n)\nselect\n cr.subscription_id as resource,\n cr.og_account_id as og_account_id,\n cr.og_resource_id as og_resource_id,\n case\n when count(*) > 0 then 'alarm'\n else 'ok'\n end as status,\n 'There are ' || count(*) || ' custom roles.' 
as reason\n \n , sub.display_name as subscription\nfrom\n custom_roles as cr,\n azure_subscription as sub\nwhere\n sub.subscription_id = cr.subscription_id\ngroup by\n cr.subscription_id,\n cr._ctx,\n sub.display_name,\n cr.og_account_id,\n cr.og_resource_id " PrimaryTable: azure_subscription ListOfTables: - - azure_role_definition - - azure_subscription + - azure_role_definition + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_no_custom_subscription_owner_roles_created.yaml b/compliance/controls/azure/azure_iam_no_custom_subscription_owner_roles_created.yaml index 5a90794eb..136d26256 100755 --- a/compliance/controls/azure/azure_iam_no_custom_subscription_owner_roles_created.yaml +++ b/compliance/controls/azure/azure_iam_no_custom_subscription_owner_roles_created.yaml 
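Review bot: The `else 'ok'` branch of the status case is unreachable: the rows being grouped come from `custom_roles`, which is already filtered to `role_type = 'CustomRole'`, so every group has `count(*) > 0`, and a subscription with no custom roles produces no result row at all instead of an 'ok' finding. Driving the query from `azure_subscription` with a left join to `custom_roles` and counting `cr.role_name` rather than `*` would report compliant subscriptions as well; the same shape recurs in azure_iam_no_custom_subscription_owner_roles_created. The converted string also ends in `cr.og_resource_id "`, so the SQL now carries a stray trailing space that the removed `|-` scalar did not.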
@@ -1,77 +1,33 @@ ID: azure_iam_no_custom_subscription_owner_roles_created Title: "Ensure that no Custom Subscription Administrator roles exist" Description: "The principle of least privilege should be followed and only necessary privileges should be assigned instead of allowing full administrative access." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with owner_custom_roles as ( - select - role_name, - role_type, - title, - action, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - _ctx, - subscription_id - from - azure_role_definition, - jsonb_array_elements(permissions) as s, - jsonb_array_elements_text(s -> 'actions') as action - where - role_type = 'CustomRole' - and action in ('*', '*:*') - ) - select - cr.subscription_id as resource, - cr.og_account_id as og_account_id, - cr.og_resource_id as og_resource_id, - case - when count(*) > 0 then 'alarm' - else 'ok' - end as status, - case - when count(*) = 1 then 'There is one custom owner role.' - when count(*) > 1 then 'There are ' || count(*) || ' custom owner roles.' - else 'There are no custom owner roles.' 
- end as reason - - , sub.display_name as subscription - from - owner_custom_roles cr, - azure_subscription sub - where - sub.subscription_id = cr.subscription_id - group by - cr.subscription_id, - cr.og_account_id, - cr.og_resource_id, - cr._ctx, - sub.display_name; + QueryToExecute: "with owner_custom_roles as (\n select\n role_name,\n role_type,\n title,\n action,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n _ctx,\n subscription_id\n from\n azure_role_definition,\n jsonb_array_elements(permissions) as s,\n jsonb_array_elements_text(s -> 'actions') as action\n where\n role_type = 'CustomRole'\n and action in ('*', '*:*')\n)\nselect\n cr.subscription_id as resource,\n cr.og_account_id as og_account_id,\n cr.og_resource_id as og_resource_id,\n case\n when count(*) > 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when count(*) = 1 then 'There is one custom owner role.'\n when count(*) > 1 then 'There are ' || count(*) || ' custom owner roles.'\n else 'There are no custom owner roles.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n owner_custom_roles cr,\n azure_subscription sub\nwhere\n sub.subscription_id = cr.subscription_id\ngroup by\n cr.subscription_id,\n cr.og_account_id,\n cr.og_resource_id,\n cr._ctx,\n sub.display_name;\n" PrimaryTable: azure_subscription ListOfTables: - - azure_role_definition - - azure_subscription + - azure_role_definition + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.21" + - "1.21" cis_level: - - "2" + - "2" cis_section_id: - - "1" + - "1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription 
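Review bot: `count(*)` here counts one row per (role, action) pair, because the CTE unnests `permissions -> 'actions'` and keeps both `'*'` and `'*:*'`, so a single custom role that grants both wildcards is reported as two custom owner roles. Counting `count(distinct cr.role_name)` in the status and reason expressions counts roles instead of unnested actions. As in azure_iam_no_custom_role, the `else 'ok'` and `else 'There are no custom owner roles.'` branches can never fire, since only subscriptions that already have such a role reach the group by.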
diff --git a/compliance/controls/azure/azure_iam_subscription_owner_max_3.yaml b/compliance/controls/azure/azure_iam_subscription_owner_max_3.yaml
index 684f49658..e77657c95 100755
--- a/compliance/controls/azure/azure_iam_subscription_owner_max_3.yaml
+++ b/compliance/controls/azure/azure_iam_subscription_owner_max_3.yaml
@@ -1,62 +1,24 @@ ID: azure_iam_subscription_owner_max_3 Title: "A maximum of 3 owners should be designated for your subscription" Description: "It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with owner_roles as ( - select - d.role_name, - d.role_type, - d.name, - d.title, - d.og_account_id as og_account_id, - d.og_resource_id as og_resource_id, - d._ctx, - d.subscription_id - from - azure_role_definition as d - left join azure_role_assignment as a on d.id = a.role_definition_id - where - d.role_name = 'Owner' - ) - select - owner.subscription_id as resource, - owner.og_account_id as og_account_id, - owner.og_resource_id as og_resource_id, - case - when count(*) <= 3 then 'ok' - else 'alarm' - end as status, - count(*) || ' owner(s) associated.' as reason - - , sub.display_name as subscription - from - owner_roles as owner, - azure_subscription as sub - where - sub.subscription_id =owner.subscription_id - group by - owner.subscription_id, - owner.og_account_id, - owner.og_resource_id, - owner._ctx, - sub.display_name; + QueryToExecute: "with owner_roles as (\n select\n d.role_name,\n d.role_type,\n d.name,\n d.title,\n d.og_account_id as og_account_id,\n d.og_resource_id as og_resource_id,\n d._ctx,\n d.subscription_id\n from\n azure_role_definition as d\n left join azure_role_assignment as a on d.id = a.role_definition_id\n where\n d.role_name = 'Owner'\n)\nselect\n owner.subscription_id as resource,\n owner.og_account_id as og_account_id,\n owner.og_resource_id as og_resource_id,\n case\n when count(*) <= 3 then 'ok'\n else 'alarm'\n end as status,\n count(*) || ' owner(s) associated.' 
as reason\n \n , sub.display_name as subscription\nfrom\n owner_roles as owner,\n azure_subscription as sub\nwhere\n sub.subscription_id =owner.subscription_id\ngroup by\n owner.subscription_id,\n owner.og_account_id,\n owner.og_resource_id,\n owner._ctx,\n sub.display_name;\n" PrimaryTable: azure_subscription ListOfTables: - - azure_role_assignment - - azure_role_definition - - azure_subscription + - azure_role_assignment + - azure_role_definition + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_subscription_owner_more_than_1.yaml b/compliance/controls/azure/azure_iam_subscription_owner_more_than_1.yaml index ab593c0a9..a1d38284c 100755 --- a/compliance/controls/azure/azure_iam_subscription_owner_more_than_1.yaml +++ b/compliance/controls/azure/azure_iam_subscription_owner_more_than_1.yaml 
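Review bot: The owner count is inflated by the `left join azure_role_assignment`: a subscription whose Owner definition has no assignment still yields one row, so `count(*)` reports '1 owner(s) associated.' when there are none, and every assignment row is counted regardless of whether its principal is a user, group or service principal. Exposing `a.principal_id` from the CTE and using `count(owner.principal_id)` in both the status case and the reason text ignores the unmatched row; the same join feeds azure_iam_subscription_owner_more_than_1, where a subscription with zero owners currently shows one. Minor: `sub.subscription_id =owner.subscription_id` is missing the space after `=`.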
@@ -1,60 +1,22 @@ ID: azure_iam_subscription_owner_more_than_1 Title: "There should be more than one owner assigned to your subscription" Description: "It is recommended to designate more than one subscription owner in order to have administrator access redundancy." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with owner_roles as ( - select - d.role_name, - d.role_type, - d.name, - d.title, - d.og_account_id as og_account_id, - d.og_resource_id as og_resource_id, - d._ctx, - d.subscription_id - from - azure_role_definition as d - left join azure_role_assignment as a on d.id = a.role_definition_id - where - d.role_name = 'Owner' - ) - select - owner.subscription_id as resource, - owner.og_account_id as og_account_id, - owner.og_resource_id as og_resource_id, - case - when count(*) > 1 then 'ok' - else 'alarm' - end as status, - count(*) || ' owner(s) associated.' as reason - - , sub.display_name as subscription - from - owner_roles as owner, - azure_subscription as sub - where - sub.subscription_id =owner.subscription_id - group by - owner.subscription_id, - owner.og_account_id, - owner.og_resource_id, - owner._ctx, - sub.display_name; + QueryToExecute: "with owner_roles as (\n select\n d.role_name,\n d.role_type,\n d.name,\n d.title,\n d.og_account_id as og_account_id,\n d.og_resource_id as og_resource_id,\n d._ctx,\n d.subscription_id\n from\n azure_role_definition as d\n left join azure_role_assignment as a on d.id = a.role_definition_id\n where\n d.role_name = 'Owner'\n)\nselect\n owner.subscription_id as resource,\n owner.og_account_id as og_account_id,\n owner.og_resource_id as og_resource_id,\n case\n when count(*) > 1 then 'ok'\n else 'alarm'\n end as status,\n count(*) || ' owner(s) associated.' 
as reason\n \n , sub.display_name as subscription\nfrom\n owner_roles as owner,\n azure_subscription as sub\nwhere\n sub.subscription_id =owner.subscription_id\ngroup by\n owner.subscription_id,\n owner.og_account_id,\n owner.og_resource_id,\n owner._ctx,\n sub.display_name;\n" PrimaryTable: azure_subscription ListOfTables: - - azure_role_assignment - - azure_role_definition - - azure_subscription + - azure_role_assignment + - azure_role_definition + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml b/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml index 645982784..4ff73155f 100755 --- a/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml +++ b/compliance/controls/azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml @@ -1,8 +1,6 @@ ID: azure_iam_subscriptions_with_custom_roles_no_overly_permissive Title: "Subscriptions with custom roles should not be overly permissive" Description: "This policy identifies azure subscriptions with custom roles are overly permissive. Least privilege access rule should be followed and only necessary privileges should be assigned instead of allowing full administrative access." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -49,8 +47,10 @@ Query: ``` PrimaryTable: azure_role_definition ListOfTables: - - azure_role_definition - - azure_subscription + - azure_role_definition + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml b/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml
index b560ca74f..e6bec7f11 100755
--- a/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml
+++ b/compliance/controls/azure/azure_iam_user_no_built_in_contributor_role.yaml
@@ -1,8 +1,6 @@
 ID: azure_iam_user_no_built_in_contributor_role
 Title: "IAM users should not have built in contributor role"
 Description: "Ensure that IAM user does not have built in contributor role. This rule is non-compliant if IAM user have built in contributor role."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -46,10 +44,12 @@ Query:
 azuread_user as u left join all_contributor_permission_users as c on c.user_principal_name = u.user_principal_name;
 PrimaryTable: azuread_user
 ListOfTables:
- - azuread_user
- - azure_role_assignment
- - azure_role_definition
- - azure_tenant
+ - azuread_user
+ - azure_role_assignment
+ - azure_role_definition
+ - azure_tenant
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml
index 8c2d3bfd6..e46457b7e 100755
--- a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml
+++ b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_security_group.yaml
@@ -1,50 +1,33 @@ ID: azure_iam_user_not_allowed_to_create_security_group Title: "Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No'" Description: "Restrict security group creation to administrators only." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then 'ok' - else 'alarm' - end as status, - case - when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then a.display_name || ' does not allow user to create security groups.' - else a.display_name || ' allows user to create security groups.' - end as reason, - t.tenant_id - - from - azure_tenant as t, - azuread_authorization_policy as a; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateSecurityGroups' = 'false' then a.display_name || ' does not allow user to create security groups.'\n else a.display_name || ' allows user to create security groups.'\n end as reason,\n t.tenant_id\n \nfrom\n azure_tenant as t,\n azuread_authorization_policy as a;\n" PrimaryTable: azuread_authorization_policy ListOfTables: - - azure_tenant - - azuread_authorization_policy + - azure_tenant + - azuread_authorization_policy Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.19" + - "1.19" cis_level: - - "2" + - "2" cis_section_id: - - "1" + - "1" cis_type: - - manual + - manual cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory 
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml
index 566689ec4..39b2482c8 100755
--- a/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml
+++ b/compliance/controls/azure/azure_iam_user_not_allowed_to_create_tenants.yaml
@@ -1,8 +1,6 @@
 ID: azure_iam_user_not_allowed_to_create_tenants
 Title: "Ensure that 'Users Can Create Tenants' is set to 'No'"
 Description: "Restrict tenant creation to administrators only."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -32,8 +30,10 @@ Query:
 azuread_authorization_policy as a;
 PrimaryTable: azuread_authorization_policy
 ListOfTables:
- - azure_tenant
- - azuread_authorization_policy
+ - azure_tenant
+ - azuread_authorization_policy
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml b/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml
index 84af0979e..b18645b0b 100755
--- a/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml
+++ b/compliance/controls/azure/azure_iam_user_not_allowed_to_register_application.yaml
@@ -1,50 +1,33 @@ ID: azure_iam_user_not_allowed_to_register_application Title: "Ensure that 'Users Can Register Applications' is set to 'No'" Description: "Require administrators or appropriately delegated users to register third-party applications." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then 'ok' - else 'alarm' - end as status, - case - when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then a.display_name || ' does not allow user to register applications.' - else a.display_name || ' allows user to register applications.' - end as reason, - t.tenant_id - - from - azure_tenant as t, - azuread_authorization_policy as a; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.default_user_role_permissions ->> 'allowedToCreateApps' = 'false' then a.display_name || ' does not allow user to register applications.'\n else a.display_name || ' allows user to register applications.'\n end as reason,\n t.tenant_id\n \nfrom\n azure_tenant as t,\n azuread_authorization_policy as a;\n" PrimaryTable: azuread_authorization_policy ListOfTables: - - azure_tenant - - azuread_authorization_policy + - azure_tenant + - azuread_authorization_policy Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "1.14" + - "1.14" cis_level: - - "1" + - "1" cis_section_id: - - "1" + - "1" cis_type: - - manual + - manual cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/ActiveDirectory + - Azure/ActiveDirectory +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_iam_user_with_owner_permission_on_subscription_mfa_enabled.yaml b/compliance/controls/azure/azure_iam_user_with_owner_permission_on_subscription_mfa_enabled.yaml
index 8ad9c4557..38a2a7478 100755
--- a/compliance/controls/azure/azure_iam_user_with_owner_permission_on_subscription_mfa_enabled.yaml
+++ b/compliance/controls/azure/azure_iam_user_with_owner_permission_on_subscription_mfa_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_iam_user_with_owner_permission_on_subscription_mfa_enabled
 Title: "Accounts with owner permissions on Azure resources should be MFA enabled"
 Description: "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_iam_user_with_read_permission_on_subscription_mfa_enabled.yaml b/compliance/controls/azure/azure_iam_user_with_read_permission_on_subscription_mfa_enabled.yaml
index f05812423..ee1845637 100755
--- a/compliance/controls/azure/azure_iam_user_with_read_permission_on_subscription_mfa_enabled.yaml
+++ b/compliance/controls/azure/azure_iam_user_with_read_permission_on_subscription_mfa_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_iam_user_with_read_permission_on_subscription_mfa_enabled
 Title: "Accounts with read permissions on Azure resources should be MFA enabled"
 Description: "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_iam_user_with_write_permission_on_subscription_mfa_enabled.yaml b/compliance/controls/azure/azure_iam_user_with_write_permission_on_subscription_mfa_enabled.yaml
index 8721ef4d3..1c9232cf7 100755
--- a/compliance/controls/azure/azure_iam_user_with_write_permission_on_subscription_mfa_enabled.yaml
+++ b/compliance/controls/azure/azure_iam_user_with_write_permission_on_subscription_mfa_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_iam_user_with_write_permission_on_subscription_mfa_enabled
 Title: "Accounts with write permissions on Azure resources should be MFA enabled"
 Description: "Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_iot_hub_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_iot_hub_encrypted_with_cmk.yaml
index 66e969c56..dd306baeb 100755
--- a/compliance/controls/azure/azure_iot_hub_encrypted_with_cmk.yaml
+++ b/compliance/controls/azure/azure_iot_hub_encrypted_with_cmk.yaml
@@ -1,8 +1,6 @@
 ID: azure_iot_hub_encrypted_with_cmk
 Title: "IoT Hub device provisioning service data should be encrypted using customer-managed keys (CMK)"
 Description: "Use customer-managed keys to manage the encryption at rest of your IoT Hub device provisioning service. The data is automatically encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. Learn more about CMK encryption at https://aka.ms/dps/CMK."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_iot_hub_logging_enabled.yaml b/compliance/controls/azure/azure_iot_hub_logging_enabled.yaml
index 67d59de23..330eed7c8 100755
--- a/compliance/controls/azure/azure_iot_hub_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_iot_hub_logging_enabled.yaml
@@ -1,66 +1,21 @@ ID: azure_iot_hub_logging_enabled Title: "Resource logs in IoT Hub should be enabled" Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with logging_details as ( - select - distinct id as id - from - azure_iothub, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - where - diagnostic_settings is not null - and ( - ( - (log ->> 'enabled') :: boolean - and (log -> 'retentionPolicy' ->> 'enabled') :: boolean - and (log -> 'retentionPolicy') :: JSONB ? 'days' - ) - or - ( - (log ->> 'enabled') :: boolean - and log -> 'retentionPolicy' ->> 'enabled' <> 'true' - ) - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.diagnostic_settings is null then 'alarm' - when l.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.diagnostic_settings is null then a.name || ' logging disabled.' - when l.id is not null then a.name || ' logging enabled.' - else a.name || ' logging disabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_iothub as a - left join logging_details as l on a.id = l.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with logging_details as (\n select\n distinct id as id\n from\n azure_iothub,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and (\n (\n (log ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy' ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy') :: JSONB ? 
'days'\n )\n or\n (\n (log ->> 'enabled') :: boolean\n and log -> 'retentionPolicy' ->> 'enabled' <> 'true'\n )\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.diagnostic_settings is null then 'alarm'\n when l.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.diagnostic_settings is null then a.name || ' logging disabled.'\n when l.id is not null then a.name || ' logging enabled.'\n else a.name || ' logging disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_iothub as a\n left join logging_details as l on a.id = l.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_iothub ListOfTables: - - azure_iothub - - azure_subscription + - azure_iothub + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/IoTHub + - Azure/IoTHub +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_keyvault_certificate_validity_12_months.yaml b/compliance/controls/azure/azure_keyvault_certificate_validity_12_months.yaml index 69af51488..edd53d7d0 100755 --- a/compliance/controls/azure/azure_keyvault_certificate_validity_12_months.yaml +++ b/compliance/controls/azure/azure_keyvault_certificate_validity_12_months.yaml @@ -1,8 +1,6 @@ ID: azure_keyvault_certificate_validity_12_months Title: "Certificates should have the specified maximum validity period" Description: "Manage your organizational compliance requirements by specifying the maximum amount of time that a certificate can be valid within your key vault." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
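Review bot: The second disjunct `log -> 'retentionPolicy' ->> 'enabled' <> 'true'` evaluates to NULL when a log entry carries no `retentionPolicy` object, so an enabled log category without a retention policy satisfies neither branch and the hub is reported as 'logging disabled.'; writing it as `log -> 'retentionPolicy' ->> 'enabled' is distinct from 'true'` makes that branch hold for a missing policy as well. The `diagnostic_settings is not null` predicate inside the CTE appears redundant, since `jsonb_array_elements(diagnostic_settings)` yields no rows for a NULL input and the outer `when a.diagnostic_settings is null` already produces the alarm.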
diff --git a/compliance/controls/azure/azure_keyvault_firewall_enabled.yaml b/compliance/controls/azure/azure_keyvault_firewall_enabled.yaml
index f6c61ac30..d0031790d 100755
--- a/compliance/controls/azure/azure_keyvault_firewall_enabled.yaml
+++ b/compliance/controls/azure/azure_keyvault_firewall_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_keyvault_firewall_enabled
 Title: "Azure Key Vault should have firewall enabled"
 Description: "Enable the key vault firewall so that the key vault is not accessible by default to any public IPs. Optionally, you can configure specific IP ranges to limit access to those networks."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = kv.subscription_id;
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_keyvault_key_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_key_expiration_set.yaml
index 82eee8998..331c67aeb 100755
--- a/compliance/controls/azure/azure_keyvault_key_expiration_set.yaml
+++ b/compliance/controls/azure/azure_keyvault_key_expiration_set.yaml
@@ -1,55 +1,33 @@ ID: azure_keyvault_key_expiration_set Title: "Key Vault keys should have an expiration date" Description: "Cryptographic keys should have a defined expiration date and not be permanent. Keys that are valid forever provide a potential attacker with more time to compromise the key. It is a recommended security practice to set expiration dates on cryptographic keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kvk.id as resource, - kvk.og_account_id as og_account_id, - kvk.og_resource_id as og_resource_id, - case - when enabled and expires_at is null then 'alarm' - else 'ok' - end as status, - vault_name || ' key ' || name || - case - when enabled and expires_at is null then ' expiration date not set.' - when not enabled then ' disabled.' - else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.' - end as reason - - , kvk.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault_key kvk, - azure_subscription sub - where - sub.subscription_id = kvk.subscription_id; + QueryToExecute: "select\n kvk.id as resource,\n kvk.og_account_id as og_account_id,\n kvk.og_resource_id as og_resource_id,\n case\n when enabled and expires_at is null then 'alarm'\n else 'ok'\n end as status,\n vault_name || ' key ' || name ||\n case\n when enabled and expires_at is null then ' expiration date not set.'\n when not enabled then ' disabled.'\n else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'\n end as reason\n \n , kvk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault_key kvk,\n azure_subscription sub\nwhere\n sub.subscription_id = kvk.subscription_id;\n" PrimaryTable: azure_key_vault_key ListOfTables: - - azure_key_vault_key - - azure_subscription + - azure_key_vault_key + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" 
cis_item_id: - - "8.1" + - "8.1" cis_level: - - "1" + - "1" cis_section_id: - - "8" + - "8" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_keyvault_logging_enabled.yaml b/compliance/controls/azure/azure_keyvault_logging_enabled.yaml index 865c67e5c..56bbc8765 100755 --- a/compliance/controls/azure/azure_keyvault_logging_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_logging_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_keyvault_logging_enabled Title: "Resource logs in Key Vault should be enabled" Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -34,7 +32,7 @@ Query: when l.key_vault_name not like concat('%', v.name, '%') then v.name || ' logging not enabled.' else v.name || ' logging enabled.' end as reason - + , v.resource_group as resource_group , sub.display_name as subscription from @@ -45,28 +43,30 @@ Query: azure_subscription sub ON sub.subscription_id = v.subscription_id; PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.1.5 + - 5.1.5 cis_level: - - "1" + - "1" cis_section_id: - - "5.1" + - "5.1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Observability + - Observability +IntegrationTypeName: + - azure_subscription 
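Review bot: The rewritten `QueryToExecute:` is now one double-quoted line with embedded `\n`, which makes the SQL unreadable in review and in future diffs, and it carries over a whitespace-only `\n \n` line between `end as reason` and the `, kvk.resource_group` column; the `|` block scalar it replaces is the idiomatic YAML form for multi-line SQL. Unless the serializer that produced this commit requires the quoted form, restore `QueryToExecute: |` with the SQL indented beneath it (a pure reformat, no semantic change). Behaviour is otherwise unchanged: a disabled key with no `expires_at` still reports `'ok'`, which is presumably deliberate scoping for CIS 8.1, and deserves a `-- disabled keys are reported ok, not alarm` comment on the `case` so it is not mistaken for a gap.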
diff --git a/compliance/controls/azure/azure_keyvault_managed_hms_logging_enabled.yaml b/compliance/controls/azure/azure_keyvault_managed_hms_logging_enabled.yaml
index b056cb6cf..4526f5fa9 100755
--- a/compliance/controls/azure/azure_keyvault_managed_hms_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_keyvault_managed_hms_logging_enabled.yaml
@@ -1,57 +1,19 @@ ID: azure_keyvault_managed_hms_logging_enabled Title: "Resource logs in Azure Key Vault Managed HSM should be enabled" Description: "To recreate activity trails for investigation purposes when a security incident occurs or when your network is compromised, you may want to audit by enabling resource logs on Managed HSMs." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with logging_details as ( - select - name as key_vault_name - from - azure_key_vault_managed_hardware_security_module, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - where - diagnostic_settings is not null - and setting -> 'properties' ->> 'storageAccountId' <> '' - and (log ->> 'enabled') :: boolean - and log ->> 'category' = 'AuditEvent' - and (log -> 'retentionPolicy') :: JSONB ? 'days' - ) - select - v.id as resource, - v.og_account_id as og_account_id, - v.og_resource_id as og_resource_id, - case - when v.diagnostic_settings is null then 'alarm' - when l.key_vault_name not like concat('%', v.name, '%') then 'alarm' - else 'ok' - end as status, - case - when v.diagnostic_settings is null then v.name || ' logging not enabled.' - when l.key_vault_name not like concat('%', v.name, '%') - then v.name || ' logging not enabled.' - else v.name || ' logging enabled.' 
- end as reason - - , v.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault_managed_hardware_security_module as v, - logging_details as l, - azure_subscription as sub - where - sub.subscription_id = v.subscription_id; + QueryToExecute: "with logging_details as (\n select\n name as key_vault_name\n from\n azure_key_vault_managed_hardware_security_module,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and setting -> 'properties' ->> 'storageAccountId' <> ''\n and (log ->> 'enabled') :: boolean\n and log ->> 'category' = 'AuditEvent'\n and (log -> 'retentionPolicy') :: JSONB ? 'days'\n)\nselect\n v.id as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when v.diagnostic_settings is null then 'alarm'\n when l.key_vault_name not like concat('%', v.name, '%') then 'alarm'\n else 'ok'\n end as status,\n case\n when v.diagnostic_settings is null then v.name || ' logging not enabled.'\n when l.key_vault_name not like concat('%', v.name, '%')\n then v.name || ' logging not enabled.'\n else v.name || ' logging enabled.'\n end as reason\n \n , v.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault_managed_hardware_security_module as v,\n logging_details as l,\n azure_subscription as sub\nwhere\n sub.subscription_id = v.subscription_id;\n" PrimaryTable: azure_key_vault_managed_hardware_security_module ListOfTables: - - azure_key_vault_managed_hardware_security_module - - azure_subscription + - azure_key_vault_managed_hardware_security_module + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription 
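Review bot: The rewritten query still lists `logging_details as l` as a plain cross join and never ties `l` to `v`, so when no Managed HSM has audit logging configured the CTE is empty and the control emits no rows at all — precisely the case that should alarm — and when several do, each HSM is reported once per logged HSM. Replace the cross join with `left join logging_details as l on l.key_vault_name = v.name` and test `when l.key_vault_name is null then 'alarm'` instead of `not like concat('%', v.name, '%')`, which also matches a different HSM whose name merely contains this one's. Note too that `setting -> 'properties' ->> 'storageAccountId' <> ''` evaluates to NULL when the key is absent, so a diagnostic setting that ships AuditEvent only to a Log Analytics workspace or Event Hub is counted as not logging; if that is intended, the Description should say storage-account destinations are required.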
diff --git a/compliance/controls/azure/azure_keyvault_managed_hms_purge_protection_enabled.yaml b/compliance/controls/azure/azure_keyvault_managed_hms_purge_protection_enabled.yaml
index 0b0b705e4..2fc9126c5 100755
--- a/compliance/controls/azure/azure_keyvault_managed_hms_purge_protection_enabled.yaml
+++ b/compliance/controls/azure/azure_keyvault_managed_hms_purge_protection_enabled.yaml
@@ -1,39 +1,19 @@ ID: azure_keyvault_managed_hms_purge_protection_enabled Title: "Azure Key Vault Managed HSM should have purge protection enabled" Description: "Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kv.id as resource, - kv.og_account_id as og_account_id, - kv.og_resource_id as og_resource_id, - case - when enable_purge_protection then 'ok' - else 'alarm' - end as status, - case - when enable_purge_protection then name || ' purge protection enabled.' - else name || ' purge protection disabled.' 
- end as reason - - , kv.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault_managed_hardware_security_module as kv, - azure_subscription as sub - where - sub.subscription_id = kv.subscription_id; + QueryToExecute: "select\n kv.id as resource,\n kv.og_account_id as og_account_id,\n kv.og_resource_id as og_resource_id,\n case\n when enable_purge_protection then 'ok'\n else 'alarm'\n end as status,\n case\n when enable_purge_protection then name || ' purge protection enabled.'\n else name || ' purge protection disabled.'\n end as reason\n \n , kv.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault_managed_hardware_security_module as kv,\n azure_subscription as sub\nwhere\n sub.subscription_id = kv.subscription_id;\n" PrimaryTable: azure_key_vault_managed_hardware_security_module ListOfTables: - - azure_key_vault_managed_hardware_security_module - - azure_subscription + - azure_key_vault_managed_hardware_security_module + - azure_subscription Parameters: [] Severity: critical Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_keyvault_purge_protection_enabled.yaml b/compliance/controls/azure/azure_keyvault_purge_protection_enabled.yaml index ea0fa770e..07eb557cd 100755 --- a/compliance/controls/azure/azure_keyvault_purge_protection_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_purge_protection_enabled.yaml 
@@ -1,41 +1,21 @@ ID: azure_keyvault_purge_protection_enabled Title: "Key vaults should have deletion protection enabled" Description: "Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kv.id as resource, - kv.og_account_id as og_account_id, - kv.og_resource_id as og_resource_id, - case - when purge_protection_enabled then 'ok' - else 'alarm' - end as status, - case - when purge_protection_enabled then name || ' purge protection enabled.' - else name || ' purge protection disabled.' - end as reason - - , kv.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault as kv, - azure_subscription as sub - where - sub.subscription_id = kv.subscription_id; + QueryToExecute: "select\n kv.id as resource,\n kv.og_account_id as og_account_id,\n kv.og_resource_id as og_resource_id,\n case\n when purge_protection_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when purge_protection_enabled then name || ' purge protection enabled.'\n else name || ' purge protection disabled.'\n end as reason\n \n , kv.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault as kv,\n azure_subscription as sub\nwhere\n sub.subscription_id = kv.subscription_id;\n" PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: critical Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - 
azure_subscription diff --git a/compliance/controls/azure/azure_keyvault_rbac_enabled.yaml b/compliance/controls/azure/azure_keyvault_rbac_enabled.yaml index 9d6f37cfe..657766218 100755 --- a/compliance/controls/azure/azure_keyvault_rbac_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_rbac_enabled.yaml 
@@ -1,53 +1,33 @@ ID: azure_keyvault_rbac_enabled Title: "Enable Role Based Access Control for Azure Key Vault" Description: "Role assignments disappear when a Key Vault has been deleted (soft- delete) and recovered. Afterwards it will be required to recreate all role assignments. This is a limitation of the soft-delete feature across all Azure services." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kv.id as resource, - kv.og_account_id as og_account_id, - kv.og_resource_id as og_resource_id, - case - when enable_rbac_authorization then 'ok' - else 'alarm' - end as status, - case - when enable_rbac_authorization then name || ' has RBAC enabled.' - else name || ' have RBAC disabled.' - end as reason - - , kv.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault as kv, - azure_subscription as sub - where - sub.subscription_id = kv.subscription_id; + QueryToExecute: "select\n kv.id as resource,\n kv.og_account_id as og_account_id,\n kv.og_resource_id as og_resource_id,\n case\n when enable_rbac_authorization then 'ok'\n else 'alarm'\n end as status,\n case\n when enable_rbac_authorization then name || ' has RBAC enabled.'\n else name || ' have RBAC disabled.'\n end as reason\n \n , kv.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault as kv,\n azure_subscription as sub\nwhere\n sub.subscription_id = kv.subscription_id;\n" PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "8.6" + - "8.6" cis_level: - - "2" + - "2" cis_section_id: - - "8" + - "8" cis_type: - - manual + - manual cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription 
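Review bot: The `else name || ' have RBAC disabled.'` branch in the rewritten reason column is ungrammatical next to `' has RBAC enabled.'`; change it to `name || ' has RBAC disabled.'`. The Description only explains a soft-delete limitation of role assignments and never states why RBAC authorization is preferred over vault access policies, so an `alarm` reads as a caveat rather than a finding — a one-sentence rationale (per-object permissions managed through Azure RBAC instead of vault-wide access policies) would help. The status logic itself is sound: a null `enable_rbac_authorization` falls through to `'alarm'`.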
diff --git a/compliance/controls/azure/azure_keyvault_secret_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_secret_expiration_set.yaml
index 4b3da55b9..c7f4da1aa 100755
--- a/compliance/controls/azure/azure_keyvault_secret_expiration_set.yaml
+++ b/compliance/controls/azure/azure_keyvault_secret_expiration_set.yaml
@@ -1,55 +1,33 @@ ID: azure_keyvault_secret_expiration_set Title: "Key Vault secrets should have an expiration date" Description: "Secrets should have a defined expiration date and not be permanent. Secrets that are valid forever provide a potential attacker with more time to compromise them. It is a recommended security practice to set expiration dates on secrets." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kvs.id as resource, - kvs.og_account_id as og_account_id, - kvs.og_resource_id as og_resource_id, - case - when enabled and expires_at is null then 'alarm' - else 'ok' - end as status, - vault_name || ' secret ' || name || - case - when enabled and expires_at is null then ' expiration date not set.' - when not enabled then ' disabled.' - else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.' - end as reason - - , kvs.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault_secret as kvs, - azure_subscription as sub - where - sub.subscription_id = kvs.subscription_id; + QueryToExecute: "select\n kvs.id as resource,\n kvs.og_account_id as og_account_id,\n kvs.og_resource_id as og_resource_id,\n case\n when enabled and expires_at is null then 'alarm'\n else 'ok'\n end as status,\n vault_name || ' secret ' || name ||\n case\n when enabled and expires_at is null then ' expiration date not set.'\n when not enabled then ' disabled.'\n else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'\n end as reason\n \n , kvs.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault_secret as kvs,\n azure_subscription as sub\nwhere\n sub.subscription_id = kvs.subscription_id;\n" PrimaryTable: azure_key_vault_secret ListOfTables: - - azure_key_vault_secret - - azure_subscription + - azure_key_vault_secret + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - 
"true" cis_item_id: - - "8.2" + - "8.2" cis_level: - - "1" + - "1" cis_section_id: - - "8" + - "8" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_keyvault_soft_delete_enabled.yaml b/compliance/controls/azure/azure_keyvault_soft_delete_enabled.yaml index 76b8b2ace..791c13040 100755 --- a/compliance/controls/azure/azure_keyvault_soft_delete_enabled.yaml +++ b/compliance/controls/azure/azure_keyvault_soft_delete_enabled.yaml 
@@ -1,39 +1,19 @@ ID: azure_keyvault_soft_delete_enabled Title: "Key vaults should have soft delete enabled" Description: "Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidentally deleted key vault for a configurable retention period." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kv.id as resource, - kv.og_account_id as og_account_id, - kv.og_resource_id as og_resource_id, - case - when soft_delete_enabled then 'ok' - else 'alarm' - end as status, - case - when soft_delete_enabled then name || ' soft delete enabled.' - else name || ' soft delete disabled.' - end as reason - - , kv.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault as kv, - azure_subscription as sub - where - sub.subscription_id = kv.subscription_id; + QueryToExecute: "select\n kv.id as resource,\n kv.og_account_id as og_account_id,\n kv.og_resource_id as og_resource_id,\n case\n when soft_delete_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when soft_delete_enabled then name || ' soft delete enabled.'\n else name || ' soft delete disabled.'\n end as reason\n \n , kv.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault as kv,\n azure_subscription as sub\nwhere\n sub.subscription_id = kv.subscription_id;\n" PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: critical Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_keyvault_vault_private_link_used.yaml b/compliance/controls/azure/azure_keyvault_vault_private_link_used.yaml
index 700cbc2d5..93f5cf0e8 100755
--- a/compliance/controls/azure/azure_keyvault_vault_private_link_used.yaml
+++ b/compliance/controls/azure/azure_keyvault_vault_private_link_used.yaml
@@ -1,59 +1,33 @@ ID: azure_keyvault_vault_private_link_used Title: "Azure Key Vaults should use private link" Description: "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to key vault, you can reduce data leakage risks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- Having private_endpoint_connections will not permit vault to use the same. - -- In case'defaultAction' = 'Allow', All Network including internet is allowed, which will not satisfy the private endpoint connection. - -- Default All network will have not network_acls associated. - when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then 'alarm' - when private_endpoint_connections is null then 'info' - when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' then 'ok' - else 'alarm' - end as status, - case - when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.' - when private_endpoint_connections is null then a.name || ' no private link exists.' - when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' - then a.name || ' using private link.' - else a.name || ' private link not enabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n -- Having private_endpoint_connections will not permit vault to use the same.\n -- In case'defaultAction' = 'Allow', All Network including internet is allowed, which will not satisfy the private endpoint connection.\n -- Default All network will have not network_acls associated.\n when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then 'alarm'\n when private_endpoint_connections is null then 'info'\n when private_endpoint_connections @> '[{\"PrivateLinkServiceConnectionStateStatus\": \"Approved\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.'\n when private_endpoint_connections is null then a.name || ' no private link exists.'\n when private_endpoint_connections @> '[{\"PrivateLinkServiceConnectionStateStatus\": \"Approved\"}]'\n then a.name || ' using private link.'\n else a.name || ' private link not enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault a,\n azure_subscription sub;\n" PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "8.7" + - "8.7" cis_level: - - "2" + - "2" cis_section_id: - - "8" + - "8" cis_type: - - manual + - manual cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription 
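Review bot: The rewritten query ends with `from azure_key_vault a, azure_subscription sub;` and no join predicate, so every vault is paired with every subscription: with more than one subscription connected, each vault is reported N times and the `subscription` column carries an arbitrary display name. The sibling Key Vault controls in this commit all end with `where sub.subscription_id = a.subscription_id;`; add the same line here. The containment test `private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]'` also depends on that exact key casing in the collected JSON — presumably matching the collector, but a comment is warranted because a casing mismatch would silently report every vault as `'private link not enabled.'`.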
diff --git a/compliance/controls/azure/azure_keyvault_vault_public_network_access_disabled.yaml b/compliance/controls/azure/azure_keyvault_vault_public_network_access_disabled.yaml
index 6165eb90f..9846044df 100755
--- a/compliance/controls/azure/azure_keyvault_vault_public_network_access_disabled.yaml
+++ b/compliance/controls/azure/azure_keyvault_vault_public_network_access_disabled.yaml
@@ -1,39 +1,19 @@ ID: azure_keyvault_vault_public_network_access_disabled Title: "Azure Key Vault should disable public network access" Description: "Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- In case'defaultAction' = 'Allow', All Network including internet is allowed - -- Default All network will have not network_acls associated - when network_acls is null or network_acls ->> 'defaultAction' != 'Deny' then 'alarm' - else 'ok' - end as status, - case - when network_acls is null or network_acls ->> 'defaultAction' != 'Deny' then a.name || ' public network access enabled.' - else a.name || ' public network access disabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n -- In case'defaultAction' = 'Allow', All Network including internet is allowed\n -- Default All network will have not network_acls associated\n when network_acls is null or network_acls ->> 'defaultAction' != 'Deny' then 'alarm'\n else 'ok'\n end as status,\n case\n when network_acls is null or network_acls ->> 'defaultAction' != 'Deny' then a.name || ' public network access enabled.'\n else a.name || ' public network access disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault a,\n azure_subscription sub;\n" PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: 
- - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_keyvault_vault_recoverable.yaml b/compliance/controls/azure/azure_keyvault_vault_recoverable.yaml index 9667afc0d..a0192c298 100755 --- a/compliance/controls/azure/azure_keyvault_vault_recoverable.yaml +++ b/compliance/controls/azure/azure_keyvault_vault_recoverable.yaml 
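Review bot: The rewritten query's `from azure_key_vault a, azure_subscription sub;` has no join predicate, so each vault is emitted once per connected subscription with an arbitrary `subscription` display name; add `where sub.subscription_id = a.subscription_id;` as the neighbouring controls do. Separately, the check equates `network_acls ->> 'defaultAction' = 'Deny'` with "public network access disabled", but a Deny default still admits any public ranges listed in the vault's IP rules, and it is not the same property as the vault-level public-network-access switch if the collector exposes one — a comment on the `case` such as `-- checks firewall default action only; IP allow-rules may still expose the vault publicly` would keep the finding honest.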
@@ -1,55 +1,33 @@ ID: azure_keyvault_vault_recoverable Title: "Ensure the key vault is recoverable" Description: "The key vault contains object keys, secrets and certificates. Accidental unavailability of a key vault can cause immediate data loss or loss of security functions (authentication, validation, verification, non-repudiation, etc.) supported by the key vault objects. It is recommended the key vault be made recoverable by enabling the \\\"Do Not Purge\\\" and \\\"Soft Delete\\\" functions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kv.id as resource, - kv.og_account_id as og_account_id, - kv.og_resource_id as og_resource_id, - case - when soft_delete_enabled and purge_protection_enabled then 'ok' - else 'alarm' - end as status, - case - when not soft_delete_enabled and not purge_protection_enabled then name || ' "soft delete" and "do not purge" not enabled.' - when not soft_delete_enabled then name || ' "soft delete" not enabled.' - when not purge_protection_enabled then name || ' "do not purge" not enabled.' - else name || ' "soft delete" and "do not purge" enabled.' 
- end as reason - - , kv.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault kv, - azure_subscription sub - where - sub.subscription_id = kv.subscription_id; + QueryToExecute: "select\n kv.id as resource,\n kv.og_account_id as og_account_id,\n kv.og_resource_id as og_resource_id,\n case\n when soft_delete_enabled and purge_protection_enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when not soft_delete_enabled and not purge_protection_enabled then name || ' \"soft delete\" and \"do not purge\" not enabled.'\n when not soft_delete_enabled then name || ' \"soft delete\" not enabled.'\n when not purge_protection_enabled then name || ' \"do not purge\" not enabled.'\n else name || ' \"soft delete\" and \"do not purge\" enabled.'\n end as reason\n \n , kv.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault kv,\n azure_subscription sub\nwhere\n sub.subscription_id = kv.subscription_id;\n" PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: critical Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "8.4" + - "8.4" cis_level: - - "1" + - "1" cis_section_id: - - "8" + - "8" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_keyvault_vault_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_keyvault_vault_use_virtual_service_endpoint.yaml index c6fc85074..69d898092 100755 --- a/compliance/controls/azure/azure_keyvault_vault_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_keyvault_vault_use_virtual_service_endpoint.yaml 
@@ -1,52 +1,19 @@ ID: azure_keyvault_vault_use_virtual_service_endpoint Title: "Key Vault should use a virtual network service endpoint" Description: "This policy audits any Key Vault not configured to use a virtual network service endpoint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with keyvault_vault_subnet as ( - select - distinct a.name, - rule ->> 'id' as id - from - azure_key_vault as a, - jsonb_array_elements(network_acls -> 'virtualNetworkRules') as rule - where - rule ->> 'id' is not null - ) - select - distinct a.name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when network_acls ->> 'defaultAction' <> 'Deny' then 'alarm' - when s.name is null then 'alarm' - else 'ok' - end as status, - case - when network_acls ->> 'defaultAction' <> 'Deny' then a.name || ' not configured with virtual service endpoint.' - when s.name is null then a.name || ' not configured with virtual service endpoint.' - else a.name || ' configured with virtual service endpoint.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_key_vault as a - left join keyvault_vault_subnet as s on a.name = s.name, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with keyvault_vault_subnet as (\n select\n distinct a.name,\n rule ->> 'id' as id\n from\n azure_key_vault as a,\n jsonb_array_elements(network_acls -> 'virtualNetworkRules') as rule\n where\n rule ->> 'id' is not null\n)\nselect\n distinct a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when network_acls ->> 'defaultAction' <> 'Deny' then 'alarm'\n when s.name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when network_acls ->> 'defaultAction' <> 'Deny' then a.name || ' not configured with virtual service endpoint.'\n when s.name is null then a.name || ' not configured with virtual service endpoint.'\n else a.name || ' configured with virtual service endpoint.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault as a\n left join keyvault_vault_subnet as s on a.name = s.name,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/KeyVault + - Azure/KeyVault +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_keyvault_with_non_rbac_key_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_with_non_rbac_key_expiration_set.yaml index cb23c2423..49dca5e88 100755 --- a/compliance/controls/azure/azure_keyvault_with_non_rbac_key_expiration_set.yaml +++ b/compliance/controls/azure/azure_keyvault_with_non_rbac_key_expiration_set.yaml 
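Review bot: This control alone reports `distinct a.name as resource` and joins the CTE on `a.name = s.name`, whereas every other Key Vault control in this commit keys results on `a.id`; selecting `a.id` in `keyvault_vault_subnet`, joining on it, and returning `a.id as resource` keeps the result identity consistent across the benchmark and avoids relying on vault names being unique. The outer `distinct` remains necessary because the CTE yields one row per virtual-network rule. Also, `network_acls ->> 'defaultAction' <> 'Deny'` is NULL when `network_acls` is absent, so such a vault is alarmed only via the `s.name is null` branch — correct, but worth a `-- null network_acls has no rules and is caught by s.name is null` comment.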
@@ -1,66 +1,34 @@
 ID: azure_keyvault_with_non_rbac_key_expiration_set
 Title: "Ensure that the Expiration Date is set for all Keys in Non-RBAC Key Vaults"
 Description: "Ensure that all Keys in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with non_rbac_vault as (
- select
- name
- from
- azure_key_vault
- where not enable_rbac_authorization
- )
- select
- kvk.id as resource,
- kvk.og_account_id as og_account_id,
- kvk.og_resource_id as og_resource_id,
- case
- when v.name is null then 'skip'
- when enabled and expires_at is null then 'alarm'
- else 'ok'
- end as status,
- vault_name || ' key ' || kvk.name ||
- case
- when v.name is null then ' RBAC enabled vault.'
- when enabled and expires_at is null then ' expiration date not set.'
- when not enabled then ' disabled.'
- else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'
- end as reason
-
- , kvk.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_key_vault_key kvk
- left join non_rbac_vault as v on v.name = kvk.vault_name,
- azure_subscription sub
- where
- sub.subscription_id = kvk.subscription_id;
+ QueryToExecute: "with non_rbac_vault as (\n select\n name\n from\n azure_key_vault\n where not enable_rbac_authorization\n)\nselect\n kvk.id as resource,\n kvk.og_account_id as og_account_id,\n kvk.og_resource_id as og_resource_id,\n case\n when v.name is null then 'skip'\n when enabled and expires_at is null then 'alarm'\n else 'ok'\n end as status,\n vault_name || ' key ' || kvk.name ||\n case\n when v.name is null then ' RBAC enabled vault.'\n when enabled and expires_at is null then ' expiration date not set.'\n when not enabled then ' disabled.'\n else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'\n end as reason\n \n , kvk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault_key kvk\n left join non_rbac_vault as v on v.name = kvk.vault_name,\n azure_subscription sub\nwhere\n sub.subscription_id = kvk.subscription_id;\n"
 PrimaryTable: azure_key_vault_key
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_key
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_key
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "8.2"
+ - "8.2"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "8"
+ - "8"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.4.0
+ - v1.4.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/KeyVault
+ - Azure/KeyVault
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_keyvault_with_non_rbac_secret_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_with_non_rbac_secret_expiration_set.yaml
index 935800c70..b7919dc7c 100755
--- a/compliance/controls/azure/azure_keyvault_with_non_rbac_secret_expiration_set.yaml
+++ b/compliance/controls/azure/azure_keyvault_with_non_rbac_secret_expiration_set.yaml
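Review bot: `where not enable_rbac_authorization` in the `non_rbac_vault` CTE silently excludes a vault whose `enable_rbac_authorization` is null, and the companion RBAC control excludes it with `where enable_rbac_authorization`, so if that column can ever be null the vault's keys come out as `skip` from both controls and an unset expiry is never reported. If null is possible in this table, treat it as the access-policy (non-RBAC) case here with `where not coalesce(enable_rbac_authorization, false)` so exactly one of the two controls owns every vault. The `left join ... on v.name = kvk.vault_name` matches on vault name alone, which relies on Key Vault names being unique (Azure enforces that globally as far as I know); a comment saying so would save the next reader from reaching for `id`.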
@@ -1,66 +1,34 @@
 ID: azure_keyvault_with_non_rbac_secret_expiration_set
 Title: "Ensure that the Expiration Date is set for all Secrets in Non-RBAC Key Vaults"
 Description: "Ensure that all Secrets in Non Role Based Access Control (RBAC) Azure Key Vaults have an expiration time set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with non_rbac_vault as (
- select
- name
- from
- azure_key_vault
- where not enable_rbac_authorization
- )
- select
- kvs.id as resource,
- kvs.og_account_id as og_account_id,
- kvs.og_resource_id as og_resource_id,
- case
- when v.name is null then 'skip'
- when enabled and expires_at is null then 'alarm'
- else 'ok'
- end as status,
- vault_name || ' key ' || kvs.name ||
- case
- when v.name is null then ' RBAC enabled vault.'
- when enabled and expires_at is null then ' expiration date not set.'
- when not enabled then ' disabled.'
- else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'
- end as reason
-
- , kvs.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_key_vault_secret kvs
- left join non_rbac_vault as v on v.name = kvs.vault_name,
- azure_subscription sub
- where
- sub.subscription_id = kvs.subscription_id;
+ QueryToExecute: "with non_rbac_vault as (\n select\n name\n from\n azure_key_vault\n where not enable_rbac_authorization\n)\nselect\n kvs.id as resource,\n kvs.og_account_id as og_account_id,\n kvs.og_resource_id as og_resource_id,\n case\n when v.name is null then 'skip'\n when enabled and expires_at is null then 'alarm'\n else 'ok'\n end as status,\n vault_name || ' key ' || kvs.name ||\n case\n when v.name is null then ' RBAC enabled vault.'\n when enabled and expires_at is null then ' expiration date not set.'\n when not enabled then ' disabled.'\n else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'\n end as reason\n \n , kvs.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault_secret kvs\n left join non_rbac_vault as v on v.name = kvs.vault_name,\n azure_subscription sub\nwhere\n sub.subscription_id = kvs.subscription_id;\n"
 PrimaryTable: azure_key_vault_secret
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_secret
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_secret
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "8.4"
+ - "8.4"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "8"
+ - "8"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.4.0
+ - v1.4.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/KeyVault
+ - Azure/KeyVault
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_keyvault_with_rbac_key_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_with_rbac_key_expiration_set.yaml
index 8d50db0a5..225a0df87 100755
--- a/compliance/controls/azure/azure_keyvault_with_rbac_key_expiration_set.yaml
+++ b/compliance/controls/azure/azure_keyvault_with_rbac_key_expiration_set.yaml
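Review bot: The `reason` text in this secrets control still labels the resource a key — `vault_name || ' key ' || kvs.name ||` — so a finding reads `myvault key mysecret expiration date not set.` and is indistinguishable from the key control's output; change the literal to `vault_name || ' secret ' || kvs.name ||`. Apart from that literal the query is the non-RBAC key query with `azure_key_vault_secret`/`kvs` substituted, which is the consistency one wants with the sibling control.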
@@ -1,66 +1,34 @@
 ID: azure_keyvault_with_rbac_key_expiration_set
 Title: "Ensure that the Expiration Date is set for all Keys in RBAC Key Vaults"
 Description: "Ensure that all Keys in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with rbac_vault as (
- select
- name
- from
- azure_key_vault
- where enable_rbac_authorization
- )
- select
- kvk.id as resource,
- kvk.og_account_id as og_account_id,
- kvk.og_resource_id as og_resource_id,
- case
- when v.name is null then 'skip'
- when enabled and expires_at is null then 'alarm'
- else 'ok'
- end as status,
- vault_name || ' key ' || kvk.name ||
- case
- when v.name is null then ' not RBAC enabled vault.'
- when enabled and expires_at is null then ' expiration date not set.'
- when not enabled then ' disabled.'
- else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'
- end as reason
-
- , kvk.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_key_vault_key kvk
- left join rbac_vault as v on v.name = kvk.vault_name,
- azure_subscription sub
- where
- sub.subscription_id = kvk.subscription_id;
+ QueryToExecute: "with rbac_vault as (\n select\n name\n from\n azure_key_vault\n where enable_rbac_authorization\n)\nselect\n kvk.id as resource,\n kvk.og_account_id as og_account_id,\n kvk.og_resource_id as og_resource_id,\n case\n when v.name is null then 'skip'\n when enabled and expires_at is null then 'alarm'\n else 'ok'\n end as status,\n vault_name || ' key ' || kvk.name ||\n case\n when v.name is null then ' not RBAC enabled vault.'\n when enabled and expires_at is null then ' expiration date not set.'\n when not enabled then ' disabled.'\n else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'\n end as reason\n \n , kvk.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault_key kvk\n left join rbac_vault as v on v.name = kvk.vault_name,\n azure_subscription sub\nwhere\n sub.subscription_id = kvk.subscription_id;\n"
 PrimaryTable: azure_key_vault_key
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_key
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_key
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "8.1"
+ - "8.1"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "8"
+ - "8"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.4.0
+ - v1.4.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/KeyVault
+ - Azure/KeyVault
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_keyvault_with_rbac_secret_expiration_set.yaml b/compliance/controls/azure/azure_keyvault_with_rbac_secret_expiration_set.yaml
index a90549758..8b74f573e 100755
--- a/compliance/controls/azure/azure_keyvault_with_rbac_secret_expiration_set.yaml
+++ b/compliance/controls/azure/azure_keyvault_with_rbac_secret_expiration_set.yaml
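Review bot: `QueryToExecute` here is now a single double-quoted scalar with embedded `\n` escapes instead of the `|` block scalar it replaced, which makes a 30-line SQL statement unreadable in review and turns every future fix into a one-line diff of an escaped string. Keep `QueryToExecute: |` (or `|-`) with the statement laid out beneath it — YAML preserves the newlines either way — and drop the whitespace-only line that now survives as `\n \n` after `end as reason`. Worth stating in the Description as well: the status logic only checks that `expires_at` is set, so a key whose expiry is already in the past is still reported `ok` with `' expiration date set to ...'`; that matches the CIS wording but operators tend to assume otherwise.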
@@ -1,66 +1,34 @@
 ID: azure_keyvault_with_rbac_secret_expiration_set
 Title: "Ensure that the Expiration Date is set for all Secrets in RBAC Key Vaults"
 Description: "Ensure that all Secrets in Role Based Access Control (RBAC) Azure Key Vaults have an expiration date set."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with rbac_vault as (
- select
- name
- from
- azure_key_vault
- where enable_rbac_authorization
- )
- select
- kvs.id as resource,
- kvs.og_account_id as og_account_id,
- kvs.og_resource_id as og_resource_id,
- case
- when v.name is null then 'skip'
- when enabled and expires_at is null then 'alarm'
- else 'ok'
- end as status,
- vault_name || ' key ' || kvs.name ||
- case
- when v.name is null then ' not RBAC enabled vault.'
- when enabled and expires_at is null then ' expiration date not set.'
- when not enabled then ' disabled.'
- else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'
- end as reason
-
- , kvs.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_key_vault_secret kvs
- left join rbac_vault as v on v.name = kvs.vault_name,
- azure_subscription sub
- where
- sub.subscription_id = kvs.subscription_id;
+ QueryToExecute: "with rbac_vault as (\n select\n name\n from\n azure_key_vault\n where enable_rbac_authorization\n)\nselect\n kvs.id as resource,\n kvs.og_account_id as og_account_id,\n kvs.og_resource_id as og_resource_id,\n case\n when v.name is null then 'skip'\n when enabled and expires_at is null then 'alarm'\n else 'ok'\n end as status,\n vault_name || ' key ' || kvs.name ||\n case\n when v.name is null then ' not RBAC enabled vault.'\n when enabled and expires_at is null then ' expiration date not set.'\n when not enabled then ' disabled.'\n else ' expiration date set to ' || to_char(expires_at, 'DD-Mon-YYYY') || '.'\n end as reason\n \n , kvs.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_key_vault_secret kvs\n left join rbac_vault as v on v.name = kvs.vault_name,\n azure_subscription sub\nwhere\n sub.subscription_id = kvs.subscription_id;\n"
 PrimaryTable: azure_key_vault_secret
 ListOfTables:
- - azure_key_vault
- - azure_key_vault_secret
- - azure_subscription
+ - azure_key_vault
+ - azure_key_vault_secret
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "8.3"
+ - "8.3"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "8"
+ - "8"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.4.0
+ - v1.4.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/KeyVault
+ - Azure/KeyVault
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_add_on_azure_policy_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_add_on_azure_policy_enabled.yaml
index f095acb51..0dc2d2d98 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_add_on_azure_policy_enabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_add_on_azure_policy_enabled.yaml
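Review bot: The `reason` string calls the resource a key although this control iterates `azure_key_vault_secret`: `vault_name || ' key ' || kvs.name ||` should be `vault_name || ' secret ' || kvs.name ||`, otherwise RBAC secret findings read exactly like the RBAC key control's. The rest of the query mirrors the RBAC key control line for line, so only that literal needs to change.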
@@ -1,39 +1,19 @@
 ID: azure_kubernetes_cluster_add_on_azure_policy_enabled
 Title: "Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters"
 Description: "Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- kc.id as resource,
- kc.og_account_id as og_account_id,
- kc.og_resource_id as og_resource_id,
- case
- when addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' then 'ok'
- else 'alarm'
- end as status,
- case
- when addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' then name || ' add on azure policy enabled.'
- else name || ' add on azure policy disabled.'
- end as reason
-
- , kc.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_kubernetes_cluster kc,
- azure_subscription sub
- where
- sub.subscription_id = kc.subscription_id;
+ QueryToExecute: "select\n kc.id as resource,\n kc.og_account_id as og_account_id,\n kc.og_resource_id as og_resource_id,\n case\n when addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when addon_profiles -> 'azurepolicy' ->> 'enabled' = 'true' then name || ' add on azure policy enabled.'\n else name || ' add on azure policy disabled.'\n end as reason\n \n , kc.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_kubernetes_cluster kc,\n azure_subscription sub\nwhere\n sub.subscription_id = kc.subscription_id;\n"
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- - Azure/KubernetesService
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_addon_azure_policy_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_addon_azure_policy_enabled.yaml
index a8607a42b..0cefd3d4c 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_addon_azure_policy_enabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_addon_azure_policy_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_addon_azure_policy_enabled
 Title: "Kubernetes cluster addon Azure policy should be enabled"
 Description: "Ensure that Kubernetes cluster uses Azure Policies Add-on."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = c.subscription_id;
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_authorized_ip_range_defined.yaml b/compliance/controls/azure/azure_kubernetes_cluster_authorized_ip_range_defined.yaml
index fdee0b5a8..cfc782cfd 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_authorized_ip_range_defined.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_authorized_ip_range_defined.yaml
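Review bot: This control, `azure_kubernetes_cluster_add_on_azure_policy_enabled` at severity medium, and the next file in this diff, `azure_kubernetes_cluster_addon_azure_policy_enabled` at severity low with `Tags: {}`, both test whether the Azure Policy add-on is enabled on an AKS cluster, so every cluster will surface twice with conflicting severities. Retire one of them, or at least align the severity and tags so the two findings agree. The `QueryToExecute` block scalar was also folded into a single `\n`-escaped string here; `QueryToExecute: |` keeps the statement readable.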
@@ -1,39 +1,19 @@
 ID: azure_kubernetes_cluster_authorized_ip_range_defined
 Title: "Authorized IP ranges should be defined on Kubernetes Services"
 Description: "ARestrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- c.id as resource,
- c.og_account_id as og_account_id,
- c.og_resource_id as og_resource_id,
- case
- when api_server_access_profile -> 'AuthorizedIPRanges' is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when api_server_access_profile -> 'AuthorizedIPRanges' is not null then c.title || ' authorized IP ranges defined.'
- else c.title || ' authorized IP ranges not defined.'
- end as reason
-
- , c.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_kubernetes_cluster as c,
- azure_subscription as sub
- where
- sub.subscription_id = c.subscription_id;
+ QueryToExecute: "select\n c.id as resource,\n c.og_account_id as og_account_id,\n c.og_resource_id as og_resource_id,\n case\n when api_server_access_profile -> 'AuthorizedIPRanges' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when api_server_access_profile -> 'AuthorizedIPRanges' is not null then c.title || ' authorized IP ranges defined.'\n else c.title || ' authorized IP ranges not defined.'\n end as reason\n \n , c.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_kubernetes_cluster as c,\n azure_subscription as sub\nwhere\n sub.subscription_id = c.subscription_id;\n"
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- - Azure/KubernetesService
+ - Azure/KubernetesService
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_cpu_and_memory_resource_limit.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_cpu_and_memory_resource_limit.yaml
index 267da1a12..d853bc29e 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_container_cpu_and_memory_resource_limit.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_container_cpu_and_memory_resource_limit.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_container_cpu_and_memory_resource_limit
 Title: "Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits"
 Description: "Enforce container CPU and memory resource limits to prevent resource exhaustion attacks in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_host_process_id_not_shared.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_host_process_id_not_shared.yaml
index d54518e39..b9a526405 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_container_host_process_id_not_shared.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_container_host_process_id_not_shared.yaml
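Review bot: `api_server_access_profile -> 'AuthorizedIPRanges' is not null` also passes a cluster whose `AuthorizedIPRanges` key is present but empty (`[]`), which restricts nothing; test the list length instead, `when jsonb_array_length(api_server_access_profile -> 'AuthorizedIPRanges') > 0 then 'ok'` (assuming the column is jsonb, as the `->` operator and the `jsonb_array_elements` calls in the other Azure queries of this diff suggest). A private cluster, whose API server has no public endpoint, carries no authorized ranges and is alarmed by this query although the exposure it guards against does not exist; if the table exposes the private-cluster flag it belongs in the `ok` branch, otherwise the Description should state that the control does not apply to private clusters. The Description also opens with a typo, `ARestrict access`, for `Restrict access`.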
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_container_host_process_id_not_shared
 Title: "Kubernetes cluster containers should not share host process ID or host IPC namespace"
 Description: "Block pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This recommendation is part of CIS 5.2.2 and CIS 5.2.3 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_privilege_escalation_restricted.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_privilege_escalation_restricted.yaml
index a3238f586..054f695f1 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_container_privilege_escalation_restricted.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_container_privilege_escalation_restricted.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_container_privilege_escalation_restricted
 Title: "Kubernetes clusters should not allow container privilege escalation"
 Description: "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_apparmor_profile.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_apparmor_profile.yaml
index 08ec643a8..4865116fb 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_apparmor_profile.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_apparmor_profile.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_container_use_allowed_apparmor_profile
 Title: "Kubernetes cluster containers should only use allowed AppArmor profiles"
 Description: "Containers should only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_capabilities.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_capabilities.yaml
index a8b4d1b80..51fbd39e1 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_capabilities.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_capabilities.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_container_use_allowed_capabilities
 Title: "Kubernetes cluster containers should only use allowed capabilities"
 Description: "Restrict the capabilities to reduce the attack surface of containers in a Kubernetes cluster. This recommendation is part of CIS 5.2.8 and CIS 5.2.9 which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_images.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_images.yaml
index 756114164..38ddd7aec 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_images.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_container_use_allowed_images.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_container_use_allowed_images
 Title: "Kubernetes cluster containers should only use allowed images"
 Description: "Use images from trusted registries to reduce the Kubernetes cluster's exposure risk to unknown vulnerabilities, security issues and malicious images. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_container_with_read_only_root_file_system.yaml b/compliance/controls/azure/azure_kubernetes_cluster_container_with_read_only_root_file_system.yaml
index b0241f175..77a04b856 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_container_with_read_only_root_file_system.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_container_with_read_only_root_file_system.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_container_with_read_only_root_file_system
 Title: "Kubernetes cluster containers should run with a read only root file system"
 Description: "Run containers with a read only root file system to protect from changes at run-time with malicious binaries being added to PATH in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_http_application_routing_disabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_http_application_routing_disabled.yaml
index a82d4cb05..05d77f0da 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_http_application_routing_disabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_http_application_routing_disabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_http_application_routing_disabled
 Title: "Kubernetes clusters HTTP application routing should be disabled"
 Description: "This control checks if HTTP application routing is disabled for Kubernetes cluster."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = c.subscription_id;
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_https_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_https_enabled.yaml
index fba65b757..03b2c2177 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_https_enabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_https_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_https_enabled
 Title: "Kubernetes clusters should be accessible only over HTTPS"
 Description: "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc"
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_key_vault_secret_rotation_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_key_vault_secret_rotation_enabled.yaml
index d212daefa..4e7c05409 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_key_vault_secret_rotation_enabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_key_vault_secret_rotation_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_key_vault_secret_rotation_enabled
 Title: "Kubernetes clusters key vault secret rotation should be enabled"
 Description: "This control checks if key vault secret rotation should is enabled for Kubernetes cluster."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = c.subscription_id;
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_logging_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_logging_enabled.yaml
index c83e87e95..688f668a5 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_logging_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_logging_enabled
 Title: "Kubernetes clusters should have logging enabled"
 Description: "This control checks if OMS agent is enabled for Kubernetes cluster."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = c.subscription_id;
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_max_pod_50.yaml b/compliance/controls/azure/azure_kubernetes_cluster_max_pod_50.yaml
index f84e61830..eed87596b 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_max_pod_50.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_max_pod_50.yaml
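Review bot: The Description in the first hunk of `azure_kubernetes_cluster_key_vault_secret_rotation_enabled` reads `checks if key vault secret rotation should is enabled`, a leftover edit that should read `This control checks if Key Vault secret rotation is enabled for the Kubernetes cluster.` The query body that decides the status sits outside both hunks shown here, so I can't confirm which cluster field it reads.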
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_max_pod_50
 Title: "Kubernetes clusters should use a minimum number of 50 pods"
 Description: "This control checks if Kubernetes clusters is using a minimum number of 50 pods."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
 sub.subscription_id = c.subscription_id;
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_network_plugin_azure.yaml b/compliance/controls/azure/azure_kubernetes_cluster_network_plugin_azure.yaml
index f1021cd2c..bfd36208a 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_network_plugin_azure.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_network_plugin_azure.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_cluster_network_plugin_azure
 Title: "Kubernetes clusters should have Azure network plugin"
 Description: "This control checks if Azure CNI networking is enabled for Kubernetes cluster."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -25,8 +23,10 @@ Query:
 sub.subscription_id = c.subscription_id;
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_kubernetes_cluster_network_policy_enabled.yaml b/compliance/controls/azure/azure_kubernetes_cluster_network_policy_enabled.yaml
index 4e77a7dac..1c74b102a 100755
--- a/compliance/controls/azure/azure_kubernetes_cluster_network_policy_enabled.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_network_policy_enabled.yaml
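Review bot: The ID `azure_kubernetes_cluster_max_pod_50` and the Title/Description `should use a minimum number of 50 pods` contradict each other; either the control checks that the node pool's max-pods setting is at least 50, in which case the text should say `max pods per node of at least 50`, or the ID is wrong. The query that settles it lies outside the two hunks shown here, so whoever touches this next should align the text with what the SQL actually compares.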
@@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_network_policy_enabled Title: "Kubernetes clusters should have network policy enabled" Description: "This control checks if network policy is enabled for Kubernetes cluster." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = c.subscription_id; PrimaryTable: azure_kubernetes_cluster ListOfTables: - - azure_kubernetes_cluster - - azure_subscription + - azure_kubernetes_cluster + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_node_restrict_public_access.yaml b/compliance/controls/azure/azure_kubernetes_cluster_node_restrict_public_access.yaml index f8a0b8a5c..c5549086e 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_node_restrict_public_access.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_node_restrict_public_access.yaml @@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_node_restrict_public_access Title: "Kubernetes cluster nodes should prohibit public access" Description: "Ensure Kubernetes cluster nodes do not have public IP addresses. This control is non-compliant if Kubernetes cluster nodes have a public IP address assigned." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -37,8 +35,10 @@ Query: sub.subscription_id = c.subscription_id; PrimaryTable: azure_kubernetes_cluster ListOfTables: - - azure_kubernetes_cluster - - azure_subscription + - azure_kubernetes_cluster + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk.yaml index e960f615d..d88f9fbae 100755 
--- a/compliance/controls/azure/azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk.yaml
+++ b/compliance/controls/azure/azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk.yaml
@@ -1,39 +1,19 @@ ID: azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk Title: "Both operating systems and data disks in Azure Kubernetes Service clusters should be encrypted by customer-managed keys" Description: "Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - c.id as resource, - c.og_account_id as og_account_id, - c.og_resource_id as og_resource_id, - case - when disk_encryption_set_id is not null then 'ok' - else 'alarm' - end as status, - case - when disk_encryption_set_id is not null then c.name || ' os and data diska encrypted with CMK.' - else c.name || ' os and data diska not encrypted with CMK.' - end as reason - - , c.resource_group as resource_group - , sub.display_name as subscription - from - azure_kubernetes_cluster c, - azure_subscription sub - where - sub.subscription_id = c.subscription_id; + QueryToExecute: "select\n c.id as resource,\n c.og_account_id as og_account_id,\n c.og_resource_id as og_resource_id,\n case\n when disk_encryption_set_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when disk_encryption_set_id is not null then c.name || ' os and data diska encrypted with CMK.'\n else c.name || ' os and data diska not encrypted with CMK.'\n end as reason\n \n , c.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_kubernetes_cluster c,\n azure_subscription sub\nwhere\n sub.subscription_id = c.subscription_id;\n" PrimaryTable: azure_kubernetes_cluster ListOfTables: - - azure_kubernetes_cluster - - azure_subscription + - azure_kubernetes_cluster + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/KubernetesService + - Azure/KubernetesService +IntegrationTypeName: + - 
azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path.yaml b/compliance/controls/azure/azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path.yaml index 28ac8feff..787d9be43 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path.yaml @@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path Title: "Kubernetes cluster pod hostPath volumes should only use allowed host paths" Description: "Limit pod HostPath volume mounts to the allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range.yaml b/compliance/controls/azure/azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range.yaml index 05208536b..bfab046c0 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range.yaml 
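Review bot: The `QueryToExecute` rewrite on the new side collapses a readable `|` block scalar into a single double-quoted line full of `\n` escapes, which turns every future SQL edit into an unreviewable one-line diff and, for queries containing regex backslashes, forces fragile `\\` double-escaping; keeping `QueryToExecute: |` (or `|-`, which the neighbouring controls in this same commit still use) yields the identical string. The same conversion appears in the hunks for azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host, azure_kubernetes_cluster_upgraded_with_non_vulnerable_version, azure_kubernetes_instance_rbac_enabled, azure_kusto_cluster_disk_encryption_enabled, azure_kusto_cluster_double_encryption_enabled and azure_kusto_cluster_encrypted_at_rest_with_cmk. Since the reason strings are being touched anyway, the typo carried over in both branches, `' os and data diska encrypted with CMK.'`, could become `' os and data disks encrypted with CMK.'`.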
@@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range Title: "Kubernetes cluster pods should only use approved host network and port range" Description: "Restrict pod access to the host network and the allowable host port range in a Kubernetes cluster. This recommendation is part of CIS 5.2.4 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id.yaml b/compliance/controls/azure/azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id.yaml index 5fd6e75c0..be587ac3e 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id.yaml @@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id Title: "Kubernetes cluster pods and containers should only run with approved user and group IDs" Description: "Control the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This recommendation is part of Pod Security Policies which are intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_privilege_containers_restricted.yaml b/compliance/controls/azure/azure_kubernetes_cluster_privilege_containers_restricted.yaml index 489a870c1..e07b2a852 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_privilege_containers_restricted.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_privilege_containers_restricted.yaml @@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_privilege_containers_restricted Title: "Kubernetes cluster should not allow privileged containers" Description: "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_restrict_public_access.yaml b/compliance/controls/azure/azure_kubernetes_cluster_restrict_public_access.yaml index 24be0afb8..b01a1195f 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_restrict_public_access.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_restrict_public_access.yaml @@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_restrict_public_access Title: "Kubernetes cluster should restrict public access" Description: "Ensure that Kubernetes cluster enables private clusters to restrict public access." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = c.subscription_id; PrimaryTable: azure_kubernetes_cluster ListOfTables: - - azure_kubernetes_cluster - - azure_subscription + - azure_kubernetes_cluster + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_service_listen_to_allowed_ports.yaml b/compliance/controls/azure/azure_kubernetes_cluster_service_listen_to_allowed_ports.yaml index 1670c222d..e8db026ef 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_service_listen_to_allowed_ports.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_service_listen_to_allowed_ports.yaml @@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_service_listen_to_allowed_ports Title: "Kubernetes cluster services should listen only on allowed ports" Description: "Restrict services to listen only on allowed ports to secure access to the Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_sku_standard.yaml b/compliance/controls/azure/azure_kubernetes_cluster_sku_standard.yaml index ad4e9f8af..0457aba55 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_sku_standard.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_sku_standard.yaml 
@@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_sku_standard Title: "Kubernetes clusters should use standard SKU" Description: "Ensure that Kubernetes clusters uses standard SKU tier for production workloads. This control is non-compliant if App Configuration does not use standard SKU." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = c.subscription_id; PrimaryTable: azure_kubernetes_cluster ListOfTables: - - azure_kubernetes_cluster - - azure_subscription + - azure_kubernetes_cluster + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host.yaml b/compliance/controls/azure/azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host.yaml index a97a5c3b5..a01b5e3c8 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host.yaml 
@@ -1,52 +1,19 @@ ID: azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host Title: "Temp disks and cache for agent node pools in Azure Kubernetes Service clusters should be encrypted at host" Description: "To enhance data security, the data stored on the virtual machine (VM) host of your Azure Kubernetes Service nodes VMs should be encrypted at rest. This is a common requirement in many regulatory and industry compliance standards." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with kubernetes_cluster as( - select - id, - name, - subscription_id, - resource_group - from - azure_kubernetes_cluster, - jsonb_array_elements(agent_pool_profiles) as p - where - p -> 'enableEncryptionAtHost' = 'true' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when s.id is not null then 'ok' - else 'alarm' - end as status, - case - when s.id is not null then a.name || ' encrypted at host.' - else a.name || ' not encrypted at host.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_kubernetes_cluster as a - left join kubernetes_cluster as s on s.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with kubernetes_cluster as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_kubernetes_cluster,\n jsonb_array_elements(agent_pool_profiles) as p\n where\n p -> 'enableEncryptionAtHost' = 'true'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when s.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when s.id is not null then a.name || ' encrypted at host.'\n else a.name || ' not encrypted at host.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_kubernetes_cluster as a\n left join kubernetes_cluster as s on s.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_kubernetes_cluster ListOfTables: - - azure_kubernetes_cluster - - azure_subscription + - azure_kubernetes_cluster + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/KubernetesService + - Azure/KubernetesService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_upgrade_channel.yaml b/compliance/controls/azure/azure_kubernetes_cluster_upgrade_channel.yaml index d2ab0d4ce..cad648a88 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_upgrade_channel.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_upgrade_channel.yaml 
@@ -1,8 +1,6 @@ ID: azure_kubernetes_cluster_upgrade_channel Title: "Kubernetes clusters upgrade channel should be configured" Description: "Ensure Kubernetes clusters upgrade channel is configured. This control is non-compliant if Kubernetes clusters upgrade channel is set to none." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = c.subscription_id; PrimaryTable: azure_kubernetes_cluster ListOfTables: - - azure_kubernetes_cluster - - azure_subscription + - azure_kubernetes_cluster + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_cluster_upgraded_with_non_vulnerable_version.yaml b/compliance/controls/azure/azure_kubernetes_cluster_upgraded_with_non_vulnerable_version.yaml index eabf24cc6..d22d7ab92 100755 --- a/compliance/controls/azure/azure_kubernetes_cluster_upgraded_with_non_vulnerable_version.yaml +++ b/compliance/controls/azure/azure_kubernetes_cluster_upgraded_with_non_vulnerable_version.yaml 
@@ -1,47 +1,19 @@ ID: azure_kubernetes_cluster_upgraded_with_non_vulnerable_version Title: "Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version" Description: "Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when - a.kubernetes_version ~ '1\.13\.[0-4]' - or a.kubernetes_version ~ '1\.12\.[0-6]' - or a.kubernetes_version ~ '1\.11\.[0-8]' - or a.kubernetes_version ~ '1\.\d|10\.*' then 'alarm' - else 'ok' - end as status, - case - when - a.kubernetes_version ~ '1\.13\.[0-4]' - or a.kubernetes_version ~ '1\.12\.[0-6]' - or a.kubernetes_version ~ '1\.11\.[0-8]' - or a.kubernetes_version ~ '1\.\d|10\.*' then a.name || ' not upgraded to a non-vulnerable Kubernetes version.' - else a.name || ' upgraded to a non-vulnerable Kubernetes version.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_kubernetes_cluster as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when\n a.kubernetes_version ~ '1\\.13\\.[0-4]'\n or a.kubernetes_version ~ '1\\.12\\.[0-6]'\n or a.kubernetes_version ~ '1\\.11\\.[0-8]'\n or a.kubernetes_version ~ '1\\.\\d|10\\.*' then 'alarm'\n else 'ok'\n end as status,\n case\n when\n a.kubernetes_version ~ '1\\.13\\.[0-4]'\n or a.kubernetes_version ~ '1\\.12\\.[0-6]'\n or a.kubernetes_version ~ '1\\.11\\.[0-8]'\n or a.kubernetes_version ~ '1\\.\\d|10\\.*' then a.name || ' not upgraded to a non-vulnerable Kubernetes version.'\n else a.name || ' upgraded to a non-vulnerable Kubernetes version.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_kubernetes_cluster as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_kubernetes_cluster ListOfTables: - - azure_kubernetes_cluster - - azure_subscription + - azure_kubernetes_cluster + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/KubernetesService + - Azure/KubernetesService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kubernetes_instance_rbac_enabled.yaml b/compliance/controls/azure/azure_kubernetes_instance_rbac_enabled.yaml index 2b0146dc4..c1770936a 100755 --- a/compliance/controls/azure/azure_kubernetes_instance_rbac_enabled.yaml +++ b/compliance/controls/azure/azure_kubernetes_instance_rbac_enabled.yaml 
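Review bot: The version test carried into the new-side query, `a.kubernetes_version ~ '1\\.\\d|10\\.*'`, is an unanchored alternation between `1\.\d` and `10\.*`, so the first branch matches any version string beginning with "1." followed by a digit (1.28.3 included) and every cluster ends up in the alarm branch regardless of patch level; the grouping `1\.(\d|10)\.` was presumably what was intended. Both the status and the reason case expressions carry the same pattern, so both should change to something like `a.kubernetes_version ~ '^1\\.(\\d|10)\\.'` (written with the doubled backslashes the double-quoted scalar now requires, which is itself an argument for keeping the original block scalar). Worth confirming against the actual format of `kubernetes_version` in the table before merging.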
@@ -1,42 +1,21 @@ ID: azure_kubernetes_instance_rbac_enabled Title: "Role-Based Access Control (RBAC) should be used on Kubernetes Services" Description: "To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kc.id as resource, - kc.og_account_id as og_account_id, - kc.og_resource_id as og_resource_id, - case - when enable_rbac then 'ok' - else 'alarm' - end as status, - case - when enable_rbac then name || ' role based access control enabled.' - else name || ' role based access control disabled.' - end as reason, - enable_rbac - - , kc.resource_group as resource_group - , sub.display_name as subscription - from - azure_kubernetes_cluster kc, - azure_subscription sub - where - sub.subscription_id = kc.subscription_id; + QueryToExecute: "select\n kc.id as resource,\n kc.og_account_id as og_account_id,\n kc.og_resource_id as og_resource_id,\n case\n when enable_rbac then 'ok'\n else 'alarm'\n end as status,\n case\n when enable_rbac then name || ' role based access control enabled.'\n else name || ' role based access control disabled.'\n end as reason,\n enable_rbac\n \n , kc.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_kubernetes_cluster kc,\n azure_subscription sub\nwhere\n sub.subscription_id = kc.subscription_id;\n" PrimaryTable: azure_kubernetes_cluster ListOfTables: - - azure_kubernetes_cluster - - azure_subscription + - azure_kubernetes_cluster + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/KubernetesService + - Azure/KubernetesService +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_kusto_cluster_disk_encryption_enabled.yaml b/compliance/controls/azure/azure_kusto_cluster_disk_encryption_enabled.yaml
index ac60f7470..6470b86fb 100755
--- a/compliance/controls/azure/azure_kusto_cluster_disk_encryption_enabled.yaml
+++ b/compliance/controls/azure/azure_kusto_cluster_disk_encryption_enabled.yaml
@@ -1,39 +1,19 @@ ID: azure_kusto_cluster_disk_encryption_enabled Title: "Disk encryption should be enabled on Azure Data Explorer" Description: "Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kv.id as resource, - kv.og_account_id as og_account_id, - kv.og_resource_id as og_resource_id, - case - when enable_disk_encryption then 'ok' - else 'alarm' - end as status, - case - when enable_disk_encryption then name || ' disk encryption enabled.' - else name || ' disk encryption disabled.' - end as reason - - , kv.resource_group as resource_group - , sub.display_name as subscription - from - azure_kusto_cluster as kv, - azure_subscription as sub - where - sub.subscription_id = kv.subscription_id; + QueryToExecute: "select\n kv.id as resource,\n kv.og_account_id as og_account_id,\n kv.og_resource_id as og_resource_id,\n case\n when enable_disk_encryption then 'ok'\n else 'alarm'\n end as status,\n case\n when enable_disk_encryption then name || ' disk encryption enabled.'\n else name || ' disk encryption disabled.'\n end as reason\n \n , kv.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_kusto_cluster as kv,\n azure_subscription as sub\nwhere\n sub.subscription_id = kv.subscription_id;\n" PrimaryTable: azure_kusto_cluster ListOfTables: - - azure_kusto_cluster - - azure_subscription + - azure_kusto_cluster + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/DataExplorer + - Azure/DataExplorer +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kusto_cluster_double_encryption_enabled.yaml b/compliance/controls/azure/azure_kusto_cluster_double_encryption_enabled.yaml index 9c1513332..7c40fbdf2 100755 
--- a/compliance/controls/azure/azure_kusto_cluster_double_encryption_enabled.yaml
+++ b/compliance/controls/azure/azure_kusto_cluster_double_encryption_enabled.yaml
@@ -1,39 +1,19 @@ ID: azure_kusto_cluster_double_encryption_enabled Title: "Double encryption should be enabled on Azure Data Explorer" Description: "Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kv.id as resource, - kv.og_account_id as og_account_id, - kv.og_resource_id as og_resource_id, - case - when enable_double_encryption then 'ok' - else 'alarm' - end as status, - case - when enable_double_encryption then name || ' double encryption enabled.' - else name || ' double encryption disabled.' - end as reason - - , kv.resource_group as resource_group - , sub.display_name as subscription - from - azure_kusto_cluster as kv, - azure_subscription as sub - where - sub.subscription_id = kv.subscription_id; + QueryToExecute: "select\n kv.id as resource,\n kv.og_account_id as og_account_id,\n kv.og_resource_id as og_resource_id,\n case\n when enable_double_encryption then 'ok'\n else 'alarm'\n end as status,\n case\n when enable_double_encryption then name || ' double encryption enabled.'\n else name || ' double encryption disabled.'\n end as reason\n \n , kv.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_kusto_cluster as kv,\n azure_subscription as sub\nwhere\n sub.subscription_id = kv.subscription_id;\n" PrimaryTable: azure_kusto_cluster ListOfTables: - - azure_kusto_cluster - - azure_subscription + - azure_kusto_cluster + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/DataExplorer + - Azure/DataExplorer +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_kusto_cluster_encrypted_at_rest_with_cmk.yaml b/compliance/controls/azure/azure_kusto_cluster_encrypted_at_rest_with_cmk.yaml
index c7f489b6d..590ba3d43 100755
--- a/compliance/controls/azure/azure_kusto_cluster_encrypted_at_rest_with_cmk.yaml
+++ b/compliance/controls/azure/azure_kusto_cluster_encrypted_at_rest_with_cmk.yaml
@@ -1,47 +1,19 @@ ID: azure_kusto_cluster_encrypted_at_rest_with_cmk Title: "Azure Data Explorer encryption at rest should use a customer-managed key" Description: "Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - kv.id as resource, - kv.og_account_id as og_account_id, - kv.og_resource_id as og_resource_id, - case - when - key_vault_properties -> 'keyName' is not null - and key_vault_properties -> 'keyVaultUri' is not null - and key_vault_properties -> 'keyVersion' is not null - then 'ok' - else 'alarm' - end as status, - case - when - key_vault_properties -> 'keyName' is not null - and key_vault_properties -> 'keyVaultUri' is not null - and key_vault_properties -> 'keyVersion' is not null - then name || ' encrypted at rest with CMK.' - else name || ' not encrypted at rest with CMK.' 
- end as reason - - , kv.resource_group as resource_group - , sub.display_name as subscription - from - azure_kusto_cluster as kv, - azure_subscription as sub - where - sub.subscription_id = kv.subscription_id; + QueryToExecute: "select\n kv.id as resource,\n kv.og_account_id as og_account_id,\n kv.og_resource_id as og_resource_id,\n case\n when\n key_vault_properties -> 'keyName' is not null\n and key_vault_properties -> 'keyVaultUri' is not null\n and key_vault_properties -> 'keyVersion' is not null\n then 'ok'\n else 'alarm'\n end as status,\n case\n when\n key_vault_properties -> 'keyName' is not null\n and key_vault_properties -> 'keyVaultUri' is not null\n and key_vault_properties -> 'keyVersion' is not null\n then name || ' encrypted at rest with CMK.'\n else name || ' not encrypted at rest with CMK.'\n end as reason\n \n , kv.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_kusto_cluster as kv,\n azure_subscription as sub\nwhere\n sub.subscription_id = kv.subscription_id;\n" PrimaryTable: azure_kusto_cluster ListOfTables: - - azure_kusto_cluster - - azure_subscription + - azure_kusto_cluster + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/DataExplorer + - Azure/DataExplorer +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_kusto_cluster_sku_with_sla.yaml b/compliance/controls/azure/azure_kusto_cluster_sku_with_sla.yaml index 063eef1ec..a56535209 100755 --- a/compliance/controls/azure/azure_kusto_cluster_sku_with_sla.yaml +++ b/compliance/controls/azure/azure_kusto_cluster_sku_with_sla.yaml 
@@ -1,8 +1,6 @@ ID: azure_kusto_cluster_sku_with_sla Title: "Kusto clusters should use SKU with an SLA" Description: "This control checks if Kusto clusters use SKU with an SLA. This control is considered non-compliant if Kusto clusters use SKUs without an SLA." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,8 +20,10 @@ Query: sub.subscription_id = kv.subscription_id; PrimaryTable: azure_kusto_cluster ListOfTables: - - azure_kusto_cluster - - azure_subscription + - azure_kusto_cluster + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public.yaml b/compliance/controls/azure/azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public.yaml index 944aa8728..5193d4f4f 100755 --- a/compliance/controls/azure/azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public.yaml +++ b/compliance/controls/azure/azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public.yaml @@ -1,8 +1,6 @@ ID: azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public Title: "Log Analytics workspaces should block log ingestion and querying from public networks" Description: "Improve workspace security by blocking log ingestion and querying from public networks. Only private-link connected networks will be able to ingest and query logs on this workspace. Learn more at https://aka.ms/AzMonPrivateLink#configure-log-analytics." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: left join azure_subscription sub on sub.subscription_id = w.subscription_id; PrimaryTable: azure_log_analytics_workspace ListOfTables: - - azure_log_analytics_workspace - - azure_subscription + - azure_log_analytics_workspace + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_log_analytics_workspace_block_non_azure_ingestion.yaml b/compliance/controls/azure/azure_log_analytics_workspace_block_non_azure_ingestion.yaml index fb519ab73..5b70064fc 100755 --- a/compliance/controls/azure/azure_log_analytics_workspace_block_non_azure_ingestion.yaml +++ b/compliance/controls/azure/azure_log_analytics_workspace_block_non_azure_ingestion.yaml @@ -1,8 +1,6 @@ ID: azure_log_analytics_workspace_block_non_azure_ingestion Title: "Log Analytics Workspaces should block non-Azure Active Directory based ingestion" Description: "Enforcing log ingestion to require Azure Active Directory authentication prevents unauthenticated logs from an attacker which could lead to incorrect status, false alerts, and incorrect logs stored in the system." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -23,8 +21,10 @@ Query: left join azure_subscription sub on sub.subscription_id = w.subscription_id; PrimaryTable: azure_log_analytics_workspace ListOfTables: - - azure_log_analytics_workspace - - azure_subscription + - azure_log_analytics_workspace + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_log_profile_enabled_for_all_subscription.yaml b/compliance/controls/azure/azure_log_profile_enabled_for_all_subscription.yaml index b8fdb476b..3555fcbf1 100755 --- a/compliance/controls/azure/azure_log_profile_enabled_for_all_subscription.yaml +++ b/compliance/controls/azure/azure_log_profile_enabled_for_all_subscription.yaml 
@@ -1,8 +1,6 @@ ID: azure_log_profile_enabled_for_all_subscription Title: "Azure subscriptions should have a log profile for Activity Log" Description: "This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -31,8 +29,10 @@ Query: left join log_profiles as i on i.subscription_id = sub.subscription_id; PrimaryTable: azure_subscription ListOfTables: - - azure_log_profile - - azure_subscription + - azure_log_profile + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_logic_app_integration_service_environment_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_logic_app_integration_service_environment_encrypted_with_cmk.yaml index cce0a62e5..9b58482b8 100755 --- a/compliance/controls/azure/azure_logic_app_integration_service_environment_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_logic_app_integration_service_environment_encrypted_with_cmk.yaml @@ -1,8 +1,6 @@ ID: azure_logic_app_integration_service_environment_encrypted_with_cmk Title: "Logic Apps Integration Service Environment should be encrypted with customer-managed keys" Description: "Deploy into Integration Service Environment to manage encryption at rest of Logic Apps data using customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_logic_app_workflow_logging_enabled.yaml b/compliance/controls/azure/azure_logic_app_workflow_logging_enabled.yaml index ca27d324c..18e19a72f 100755 --- a/compliance/controls/azure/azure_logic_app_workflow_logging_enabled.yaml +++ b/compliance/controls/azure/azure_logic_app_workflow_logging_enabled.yaml 
@@ -1,69 +1,21 @@ ID: azure_logic_app_workflow_logging_enabled Title: "Resource logs in Logic Apps should be enabled" Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with logging_details as ( - select - distinct id as workflow_id - from - azure_logic_app_workflow, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - where - diagnostic_settings is not null - and ( - ( - (log ->> 'enabled') :: boolean - and (log -> 'retentionPolicy' ->> 'enabled') :: boolean - and (log -> 'retentionPolicy') :: JSONB ? 'days' - ) - or - ( - (log ->> 'enabled') :: boolean - and ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - or setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) - ) - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.diagnostic_settings is null then 'alarm' - when l.workflow_id is not null then 'ok' - else 'alarm' - end as status, - case - when a.diagnostic_settings is null then a.name || ' logging disabled.' - when l.workflow_id is not null then a.name || ' logging enabled.' - else a.name || ' logging disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_logic_app_workflow as a - left join logging_details as l on a.id = l.workflow_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with logging_details as (\n select\n distinct id as workflow_id\n from\n azure_logic_app_workflow,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and (\n (\n (log ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy' ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy') :: JSONB ? 'days'\n )\n or\n (\n (log ->> 'enabled') :: boolean\n and (\n log -> 'retentionPolicy' ->> 'enabled' <> 'true'\n or setting -> 'properties' ->> 'storageAccountId' = ''\n )\n )\n )\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.diagnostic_settings is null then 'alarm'\n when l.workflow_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.diagnostic_settings is null then a.name || ' logging disabled.'\n when l.workflow_id is not null then a.name || ' logging enabled.'\n else a.name || ' logging disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_logic_app_workflow as a\n left join logging_details as l on a.id = l.workflow_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_logic_app_workflow ListOfTables: - - azure_logic_app_workflow - - azure_subscription + - azure_logic_app_workflow + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Logic + - Azure/Logic +IntegrationTypeName: + - azure_subscription 
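Review bot: `QueryToExecute` is now a single double-quoted string with embedded `\n` escapes instead of a block scalar, so the SQL is no longer readable in the file and any future change to the query will show up as a one-line diff; the same collapse appears in the azure_machine_learning_workspace_encrypted_with_cmk hunk that follows. The other hunks in this change keep the block form (`QueryToExecute: |-`, as in the azure_kusto_cluster_sku_with_sla hunk), so this looks like a serializer artifact rather than an intended change. The escaped string also carries over what appears to be a whitespace-only line before the `, a.resource_group` column (`end as reason\n \n , a.resource_group`), which in block form would have been flagged as trailing whitespace. Restore `QueryToExecute: |-` with the SQL laid out one line per statement as on the removed side, and drop the whitespace-only line.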
diff --git a/compliance/controls/azure/azure_machine_learning_workspace_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_machine_learning_workspace_encrypted_with_cmk.yaml index 4092e2a8b..2df1b8183 100755 --- a/compliance/controls/azure/azure_machine_learning_workspace_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_machine_learning_workspace_encrypted_with_cmk.yaml 
@@ -1,39 +1,19 @@ ID: azure_machine_learning_workspace_encrypted_with_cmk Title: "Azure Machine Learning workspaces should be encrypted with a customer-managed key" Description: "Manage encryption at rest of Azure Machine Learning workspace data with customer-managed keys. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - c.id as resource, - c.og_account_id as og_account_id, - c.og_resource_id as og_resource_id, - case - when encryption ->> 'status' = 'Enabled' then 'ok' - else 'alarm' - end as status, - case - when encryption ->> 'status' = 'Enabled' then c.name || ' encrypted with CMK.' - else c.name || ' not encrypted with CMK.' 
- end as reason - - , c.resource_group as resource_group - , sub.display_name as subscription - from - azure_machine_learning_workspace c, - azure_subscription sub - where - sub.subscription_id = c.subscription_id; + QueryToExecute: "select\n c.id as resource,\n c.og_account_id as og_account_id,\n c.og_resource_id as og_resource_id,\n case\n when encryption ->> 'status' = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption ->> 'status' = 'Enabled' then c.name || ' encrypted with CMK.'\n else c.name || ' not encrypted with CMK.'\n end as reason\n \n , c.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_machine_learning_workspace c,\n azure_subscription sub\nwhere\n sub.subscription_id = c.subscription_id;\n" PrimaryTable: azure_machine_learning_workspace ListOfTables: - - azure_machine_learning_workspace - - azure_subscription + - azure_machine_learning_workspace + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/MachineLearning + - Azure/MachineLearning +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_machine_learning_workspace_private_link_used.yaml b/compliance/controls/azure/azure_machine_learning_workspace_private_link_used.yaml index 37dfef408..106b64dda 100755 --- a/compliance/controls/azure/azure_machine_learning_workspace_private_link_used.yaml +++ b/compliance/controls/azure/azure_machine_learning_workspace_private_link_used.yaml 
@@ -1,8 +1,6 @@ ID: azure_machine_learning_workspace_private_link_used Title: "Azure Machine Learning workspaces should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Machine Learning workspaces, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/machine-learning/how-to-configure-private-link." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_api_management_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_api_management_mandatory.yaml index d7a706b12..630e71d72 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_api_management_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_api_management_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_api_management_mandatory Title: "API Management services should have mandatory tags" Description: "Check if API Management services have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_api_management ListOfTables: - - azure_api_management + - azure_api_management Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_environment_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_environment_mandatory.yaml index 3d0c33a38..cde54c34e 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_environment_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_environment_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_app_service_environment_mandatory Title: "App Service environments should have mandatory tags" Description: "Check if App Service environments have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_app_service_environment ListOfTables: - - azure_app_service_environment + - azure_app_service_environment Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_function_app_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_function_app_mandatory.yaml index 5f9d5cc87..68c9e8be1 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_function_app_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_function_app_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_app_service_function_app_mandatory Title: "App Service function apps should have mandatory tags" Description: "Check if App Service function apps have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | 
@@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_app_service_function_app ListOfTables: - - azure_app_service_function_app + - azure_app_service_function_app Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_plan_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_plan_mandatory.yaml index b3f57f33e..87017dfbb 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_plan_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_plan_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_app_service_plan_mandatory Title: "App Service plans should have mandatory tags" Description: "Check if App Service plans have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_app_service_plan ListOfTables: - - azure_app_service_plan + - azure_app_service_plan Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_web_app_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_web_app_mandatory.yaml index d98e4a1a4..262442750 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_web_app_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_app_service_web_app_mandatory.yaml 
@@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_app_service_web_app_mandatory Title: "App Service web apps should have mandatory tags" Description: "Check if App Service web apps have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_app_service_web_app ListOfTables: - - azure_app_service_web_app + - azure_app_service_web_app Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_application_security_group_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_application_security_group_mandatory.yaml index 377110678..c85728944 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_application_security_group_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_application_security_group_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_application_security_group_mandatory Title: "Application security groups should have mandatory tags" Description: "Check if Application security groups have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_application_security_group ListOfTables: - - azure_application_security_group + - azure_application_security_group Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_batch_account_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_batch_account_mandatory.yaml index 718d20ac9..5e997fe7d 100755 
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_batch_account_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_batch_account_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_batch_account_mandatory Title: "Batch accounts should have mandatory tags" Description: "Check if Batch accounts have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_batch_account ListOfTables: - - azure_batch_account + - azure_batch_account Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_availability_set_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_availability_set_mandatory.yaml index 4a7754e84..547e1336c 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_availability_set_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_availability_set_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_compute_availability_set_mandatory Title: "Compute availability sets should have mandatory tags" Description: "Check if Compute availability sets have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_compute_availability_set ListOfTables: - - azure_compute_availability_set + - azure_compute_availability_set Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory.yaml index 4e83e2ec8..bcc287df9 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory Title: "Compute disk encryption sets should have mandatory tags" Description: "Check if Compute disk encryption sets have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_compute_disk_encryption_set ListOfTables: - - azure_compute_disk_encryption_set + - azure_compute_disk_encryption_set Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_mandatory.yaml index 7faa878a1..68d351de7 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_disk_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_compute_disk_mandatory Title: "Compute disks should have mandatory tags" Description: "Check if Compute disks have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | 
@@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_compute_disk ListOfTables: - - azure_compute_disk + - azure_compute_disk Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_image_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_image_mandatory.yaml index b67e54ac6..bc89a0984 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_image_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_image_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_compute_image_mandatory Title: "Compute images should have mandatory tags" Description: "Check if Compute images have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_compute_image ListOfTables: - - azure_compute_image + - azure_compute_image Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_snapshot_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_snapshot_mandatory.yaml index 4f65b98ee..006b17159 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_snapshot_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_snapshot_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_compute_snapshot_mandatory Title: "Compute snapshots should have mandatory tags" Description: "Check if Compute snapshots have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | 
@@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_compute_snapshot ListOfTables: - - azure_compute_snapshot + - azure_compute_snapshot Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory.yaml index 4c8840dcf..7dc2c74e3 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory Title: "Compute virtual machines should have mandatory tags" Description: "Check if Compute virtual machines have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_compute_virtual_machine ListOfTables: - - azure_compute_virtual_machine + - azure_compute_virtual_machine Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory.yaml index 7a57bf069..9cc13c67f 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory.yaml 
@@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory Title: "Compute virtual machine scale sets should have mandatory tags" Description: "Check if Compute virtual machine scale sets have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_compute_virtual_machine_scale_set ListOfTables: - - azure_compute_virtual_machine_scale_set + - azure_compute_virtual_machine_scale_set Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_container_registry_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_container_registry_mandatory.yaml index f4a52c231..e5332f6ae 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_container_registry_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_container_registry_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_container_registry_mandatory Title: "Container registries should have mandatory tags" Description: "Check if Container registries have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_container_registry ListOfTables: - - azure_container_registry + - azure_container_registry Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_account_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_account_mandatory.yaml index ac172ef8f..7140cab75 100755 
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_account_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_account_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_cosmosdb_account_mandatory Title: "CosmosDB accounts should have mandatory tags" Description: "Check if CosmosDB accounts have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_cosmosdb_account ListOfTables: - - azure_cosmosdb_account + - azure_cosmosdb_account Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory.yaml index 7ed80a534..f72994ad7 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory Title: "CosmosDB mongo databases should have mandatory tags" Description: "Check if CosmosDB mongo databases have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_cosmosdb_mongo_database ListOfTables: - - azure_cosmosdb_mongo_database + - azure_cosmosdb_mongo_database Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory.yaml index e07c461e4..1e288e378 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory Title: "CosmosDB sql databases should have mandatory tags" Description: "Check if CosmosDB sql databases have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_cosmosdb_sql_database ListOfTables: - - azure_cosmosdb_sql_database + - azure_cosmosdb_sql_database Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_factory_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_factory_mandatory.yaml index bd5dfb1cc..746e9c5d2 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_factory_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_factory_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_data_factory_mandatory Title: "Data factories should have mandatory tags" Description: "Check if Data factories have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | 
@@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_data_factory ListOfTables: - - azure_data_factory + - azure_data_factory Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory.yaml index 5460e2e69..fb0291bf4 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory Title: "Data lake analytics accounts should have mandatory tags" Description: "Check if Data lake analytics accounts have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_data_lake_analytics_account ListOfTables: - - azure_data_lake_analytics_account + - azure_data_lake_analytics_account Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_store_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_store_mandatory.yaml index 6022444d1..a83c1a2cc 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_store_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_data_lake_store_mandatory.yaml 
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_data_lake_store_mandatory
 Title: "Data lake stores should have mandatory tags"
 Description: "Check if Data lake stores have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_data_lake_store
 ListOfTables:
- - azure_data_lake_store
+ - azure_data_lake_store
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_eventhub_namespace_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_eventhub_namespace_mandatory.yaml
index a84704b0c..2f6ce909b 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_eventhub_namespace_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_eventhub_namespace_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_eventhub_namespace_mandatory
 Title: "Event Hub namespaces should have mandatory tags"
 Description: "Check if Event Hub namespaces have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_eventhub_namespace
 ListOfTables:
- - azure_eventhub_namespace
+ - azure_eventhub_namespace
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_express_route_circuit_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_express_route_circuit_mandatory.yaml
index d38f01077..9dee38a68 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_express_route_circuit_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_express_route_circuit_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_express_route_circuit_mandatory
 Title: "ExpressRoute circuits should have mandatory tags"
 Description: "Check if ExpressRoute circuits have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_express_route_circuit
 ListOfTables:
- - azure_express_route_circuit
+ - azure_express_route_circuit
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_firewall_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_firewall_mandatory.yaml
index e061619e2..54ce241c1 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_firewall_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_firewall_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_firewall_mandatory
 Title: "Firewalls should have mandatory tags"
 Description: "Check if Firewalls have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_firewall
 ListOfTables:
- - azure_firewall
+ - azure_firewall
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_iothub_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_iothub_mandatory.yaml
index 6475b4757..e87eb0478 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_iothub_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_iothub_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_iothub_mandatory
 Title: "IoT Hubs should have mandatory tags"
 Description: "Check if IoT Hubs have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_iothub
 ListOfTables:
- - azure_iothub
+ - azure_iothub
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory.yaml
index 63d13a290..44d57cdfc 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory
 Title: "Key vault deleted vaults should have mandatory tags"
 Description: "Check if Key vault deleted vaults have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_key_vault_deleted_vault
 ListOfTables:
- - azure_key_vault_deleted_vault
+ - azure_key_vault_deleted_vault
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_key_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_key_mandatory.yaml
index 118264a99..e3bfcda7a 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_key_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_key_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_key_vault_key_mandatory
 Title: "Key vault keys should have mandatory tags"
 Description: "Check if Key vault keys have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_key_vault_key
 ListOfTables:
- - azure_key_vault_key
+ - azure_key_vault_key
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory.yaml
index 8bf274195..58fc66e4e 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory
 Title: "Key vault managed hardware security modules should have mandatory tags"
 Description: "Check if Key vault managed hardware security modules have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_key_vault_managed_hardware_security_module
 ListOfTables:
- - azure_key_vault_managed_hardware_security_module
+ - azure_key_vault_managed_hardware_security_module
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_mandatory.yaml
index a4783c168..23b10d504 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_key_vault_mandatory
 Title: "Key vaults should have mandatory tags"
 Description: "Check if Key vaults have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
+ - azure_key_vault
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_secret_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_secret_mandatory.yaml
index b95f5e893..303615f2f 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_secret_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_key_vault_secret_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_key_vault_secret_mandatory
 Title: "Key vault secrets should have mandatory tags"
 Description: "Check if Key vault secrets have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_key_vault_secret
 ListOfTables:
- - azure_key_vault_secret
+ - azure_key_vault_secret
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory.yaml
index 0ffbac565..28e7e6f78 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory
 Title: "Kubernetes clusters should have mandatory tags"
 Description: "Check if Kubernetes clusters have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
+ - azure_kubernetes_cluster
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_lb_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_lb_mandatory.yaml
index 5cf97a903..649f8557c 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_lb_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_lb_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_lb_mandatory
 Title: "Load balancers should have mandatory tags"
 Description: "Check if Load balancers have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_lb
 ListOfTables:
- - azure_lb
+ - azure_lb
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_log_alert_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_log_alert_mandatory.yaml
index 27a606fa4..f5ea3721e 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_log_alert_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_log_alert_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_log_alert_mandatory
 Title: "Log alerts should have mandatory tags"
 Description: "Check if Log alerts have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_log_alert
 ListOfTables:
- - azure_log_alert
+ - azure_log_alert
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_log_profile_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_log_profile_mandatory.yaml
index f90ecdf4c..a23ea2511 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_log_profile_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_log_profile_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_log_profile_mandatory
 Title: "Log profiles should have mandatory tags"
 Description: "Check if Log profiles have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_log_profile
 ListOfTables:
- - azure_log_profile
+ - azure_log_profile
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_logic_app_workflow_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_logic_app_workflow_mandatory.yaml
index 04503bc0e..38c287668 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_logic_app_workflow_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_logic_app_workflow_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_logic_app_workflow_mandatory
 Title: "Logic app workflows should have mandatory tags"
 Description: "Check if Logic app workflows have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_logic_app_workflow
 ListOfTables:
- - azure_logic_app_workflow
+ - azure_logic_app_workflow
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_mariadb_server_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_mariadb_server_mandatory.yaml
index 381e600db..3a867cb86 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_mariadb_server_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_mariadb_server_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_mariadb_server_mandatory
 Title: "MariaDB servers should have mandatory tags"
 Description: "Check if MariaDB servers have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_mariadb_server
 ListOfTables:
- - azure_mariadb_server
+ - azure_mariadb_server
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory.yaml
index f1545caee..e8bb935c6 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory
 Title: "Microsoft SQL elasticpools should have mandatory tags"
 Description: "Check if Microsoft SQL elasticpools have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_mssql_elasticpool
 ListOfTables:
- - azure_mssql_elasticpool
+ - azure_mssql_elasticpool
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory.yaml
index c0486e9c3..1e4dee46d 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory
 Title: "Microsoft SQL managed instances should have mandatory tags"
 Description: "Check if Microsoft SQL managed instances have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_mssql_managed_instance
 ListOfTables:
- - azure_mssql_managed_instance
+ - azure_mssql_managed_instance
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_mysql_server_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_mysql_server_mandatory.yaml
index ec6141b7e..0ff70ea92 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_mysql_server_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_mysql_server_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_mysql_server_mandatory
 Title: "MySQL servers should have mandatory tags"
 Description: "Check if MySQL servers have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_mysql_server
 ListOfTables:
- - azure_mysql_server
+ - azure_mysql_server
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_interface_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_interface_mandatory.yaml
index 0ae269242..ee6cf6ca2 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_interface_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_interface_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_network_interface_mandatory
 Title: "Network interfaces should have mandatory tags"
 Description: "Check if Network interfaces have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_network_interface
 ListOfTables:
- - azure_network_interface
+ - azure_network_interface
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_security_group_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_security_group_mandatory.yaml
index 38015a937..f5bc06ff8 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_security_group_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_security_group_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_network_security_group_mandatory
 Title: "Network security groups should have mandatory tags"
 Description: "Check if Network security groups have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
+ - azure_network_security_group
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory.yaml
index fed15c3bf..d5a46c49e 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory
 Title: "Network watcher flow logs should have mandatory tags"
 Description: "Check if Network watcher flow logs have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_network_watcher_flow_log
 ListOfTables:
- - azure_network_watcher_flow_log
+ - azure_network_watcher_flow_log
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_mandatory.yaml
index e55a5ac99..4a6696f41 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_network_watcher_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_network_watcher_mandatory
 Title: "Network watchers should have mandatory tags"
 Description: "Check if Network watchers have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_network_watcher
 ListOfTables:
- - azure_network_watcher
+ - azure_network_watcher
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_postgresql_server_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_postgresql_server_mandatory.yaml
index 3086f9a8c..c4058c293 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_postgresql_server_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_postgresql_server_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_postgresql_server_mandatory
 Title: "PostgreSQL servers should have mandatory tags"
 Description: "Check if PostgreSQL servers have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_postgresql_server
 ListOfTables:
- - azure_postgresql_server
+ - azure_postgresql_server
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_public_ip_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_public_ip_mandatory.yaml
index 3ddb893da..11500f8e0 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_public_ip_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_public_ip_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_public_ip_mandatory
 Title: "Public IPs should have mandatory tags"
 Description: "Check if Public ips have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_public_ip
 ListOfTables:
- - azure_public_ip
+ - azure_public_ip
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_recovery_services_vault_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_recovery_services_vault_mandatory.yaml
index 61e8df6cf..125cccd87 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_recovery_services_vault_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_recovery_services_vault_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_recovery_services_vault_mandatory
 Title: "Recovery services vaults should have mandatory tags"
 Description: "Check if Recovery services vaults have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_recovery_services_vault
 ListOfTables:
- - azure_recovery_services_vault
+ - azure_recovery_services_vault
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_redis_cache_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_redis_cache_mandatory.yaml
index c84299846..1bbbcbd1b 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_redis_cache_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_redis_cache_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_redis_cache_mandatory
 Title: "Redis caches should have mandatory tags"
 Description: "Check if Redis caches have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_redis_cache
 ListOfTables:
- - azure_redis_cache
+ - azure_redis_cache
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_route_table_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_route_table_mandatory.yaml
index b15c3c763..cad4c3f69 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_route_table_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_route_table_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_route_table_mandatory
 Title: "Route tables should have mandatory tags"
 Description: "Check if Route tables have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_route_table
 ListOfTables:
- - azure_route_table
+ - azure_route_table
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_search_service_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_search_service_mandatory.yaml
index 3dfa4a91c..8252762f4 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_search_service_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_search_service_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_search_service_mandatory
 Title: "Search services should have mandatory tags"
 Description: "Check if Search services have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_search_service
 ListOfTables:
- - azure_search_service
+ - azure_search_service
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_servicebus_namespace_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_servicebus_namespace_mandatory.yaml
index ff79bda07..fa65de72a 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_servicebus_namespace_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_servicebus_namespace_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_servicebus_namespace_mandatory
 Title: "Service Bus namespaces should have mandatory tags"
 Description: "Check if Service Bus namespaces have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_servicebus_namespace
 ListOfTables:
- - azure_servicebus_namespace
+ - azure_servicebus_namespace
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_database_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_database_mandatory.yaml
index db17c10fe..fa7f375c2 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_database_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_database_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_sql_database_mandatory
 Title: "SQL databases should have mandatory tags"
 Description: "Check if SQL databases have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_sql_database
 ListOfTables:
- - azure_sql_database
+ - azure_sql_database
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_server_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_server_mandatory.yaml
index bb258ecf2..c0570a832 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_server_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_sql_server_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_sql_server_mandatory
 Title: "SQL servers should have mandatory tags"
 Description: "Check if SQL servers have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
+ - azure_sql_server
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_storage_account_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_storage_account_mandatory.yaml
index 75f877be6..606776a94 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_storage_account_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_storage_account_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_storage_account_mandatory
 Title: "Storage accounts should have mandatory tags"
 Description: "Check if Storage accounts have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query:
 analysis;
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
+ - azure_storage_account
 Parameters:
- - key: azureMandatoryTags
- required: true
+ - key: azureMandatoryTags
+ required: true
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_stream_analytics_job_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_stream_analytics_job_mandatory.yaml
index 3e8490954..08a02647f 100755
--- a/compliance/controls/azure/azure_mandatory_sql_resource_group_stream_analytics_job_mandatory.yaml
+++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_stream_analytics_job_mandatory.yaml
@@ -1,8 +1,6 @@
 ID: azure_mandatory_sql_resource_group_stream_analytics_job_mandatory
 Title: "Stream Analytics jobs should have mandatory tags"
 Description: "Check if Stream Analytics jobs have mandatory tags."
-Connector:
-- azure
 Query:
 Engine: steampipe-v0.5
 QueryToExecute: |
@@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_stream_analytics_job ListOfTables: - - azure_stream_analytics_job + - azure_stream_analytics_job Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory.yaml index 022991e1c..17d26bdaf 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory Title: "Virtual network gateways should have mandatory tags" Description: "Check if Virtual network gateways have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_virtual_network_gateway ListOfTables: - - azure_virtual_network_gateway + - azure_virtual_network_gateway Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_mandatory.yaml index d0c95adb8..2ce5c9064 100755 --- a/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_resource_group_virtual_network_mandatory.yaml 
@@ -1,8 +1,6 @@ ID: azure_mandatory_sql_resource_group_virtual_network_mandatory Title: "Virtual networks should have mandatory tags" Description: "Check if Virtual networks have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_virtual_network ListOfTables: - - azure_virtual_network + - azure_virtual_network Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mandatory_sql_subscription_resource_group_mandatory.yaml b/compliance/controls/azure/azure_mandatory_sql_subscription_resource_group_mandatory.yaml index 124265d1a..c6fcc5897 100755 --- a/compliance/controls/azure/azure_mandatory_sql_subscription_resource_group_mandatory.yaml +++ b/compliance/controls/azure/azure_mandatory_sql_subscription_resource_group_mandatory.yaml @@ -1,8 +1,6 @@ ID: azure_mandatory_sql_subscription_resource_group_mandatory Title: "Resource groups should have mandatory tags" Description: "Check if Resource groups have mandatory tags." -Connector: -- azure Query: Engine: steampipe-v0.5 QueryToExecute: | @@ -35,9 +33,11 @@ Query: analysis; PrimaryTable: azure_resource_group ListOfTables: - - azure_resource_group + - azure_resource_group Parameters: - - key: azureMandatoryTags - required: true + - key: azureMandatoryTags + required: true Severity: high Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mariadb_server_geo_redundant_backup_enabled.yaml b/compliance/controls/azure/azure_mariadb_server_geo_redundant_backup_enabled.yaml index 8d995a0ee..b624478bc 100755 --- a/compliance/controls/azure/azure_mariadb_server_geo_redundant_backup_enabled.yaml +++ b/compliance/controls/azure/azure_mariadb_server_geo_redundant_backup_enabled.yaml 
@@ -1,39 +1,21 @@ ID: azure_mariadb_server_geo_redundant_backup_enabled Title: "Geo-redundant backup should be enabled for Azure Database for MariaDB" Description: "Azure Database for MariaDB allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when s.geo_redundant_backup_enabled = 'Enabled' then 'ok' - else 'alarm' - end as status, - case - when s.geo_redundant_backup_enabled = 'Enabled' then s.title || ' geo-redundant backup enabled.' - else s.title || ' geo-redundant backup disabled.' 
- end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_mariadb_server as s - join azure_subscription as sub on sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when s.geo_redundant_backup_enabled = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when s.geo_redundant_backup_enabled = 'Enabled' then s.title || ' geo-redundant backup enabled.'\n else s.title || ' geo-redundant backup disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mariadb_server as s\n join azure_subscription as sub on sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_mariadb_server ListOfTables: - - azure_mariadb_server - - azure_subscription + - azure_mariadb_server + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/MariaDB + - Azure/MariaDB +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mariadb_server_public_network_access_disabled.yaml b/compliance/controls/azure/azure_mariadb_server_public_network_access_disabled.yaml index c92de03e3..08abc4255 100755 --- a/compliance/controls/azure/azure_mariadb_server_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_mariadb_server_public_network_access_disabled.yaml 
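Review bot: The new `QueryToExecute` replaces a readable `|` block scalar with a single double-quoted line full of `\n` and `\"` escapes, which makes the SQL unreviewable in a diff and, in the log-alert controls, means one mis-escaped quote inside the `'[{...}]'` JSON literals silently changes which alert rules the control recognises (or makes the `@>` comparison fail outright), so the compliance status it reports can no longer be trusted. The rest of this same change keeps `QueryToExecute: |` (the `azure_mandatory_*` files, `azure_mariadb_server_ssl_enabled`, `azure_monitor_diagnostic_settings_captures_proper_categories`), so the collapsed form also leaves the directory inconsistent. The new string additionally carries a line consisting of a single space (`\n \n`) inherited from the old block's blank line, which suggests the conversion was mechanical rather than intentional. I would restore the removed block-scalar form (`QueryToExecute: |` followed by the indented SQL exactly as in the `-` lines) here and in the same hunks for `azure_mariadb_server_public_network_access_disabled`, `azure_monitor_application_insights_configured`, and every `azure_monitor_log_alert_*` file in this diff.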
@@ -1,39 +1,19 @@ ID: azure_mariadb_server_public_network_access_disabled Title: "Public network access should be disabled for MariaDB servers" Description: "Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when public_network_access = 'Enabled' then 'alarm' - else 'ok' - end as status, - case - when public_network_access = 'Enabled' then name || ' public network access enabled.' - else name || ' public network access disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_mariadb_server as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when public_network_access = 'Enabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when public_network_access = 'Enabled' then name || ' public network access enabled.'\n else name || ' public network access disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mariadb_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_mariadb_server ListOfTables: - - azure_mariadb_server - - azure_subscription + - azure_mariadb_server + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/MariaDB + - Azure/MariaDB +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_mariadb_server_ssl_enabled.yaml b/compliance/controls/azure/azure_mariadb_server_ssl_enabled.yaml index 6b3904802..1567ed105 100755 --- a/compliance/controls/azure/azure_mariadb_server_ssl_enabled.yaml +++ b/compliance/controls/azure/azure_mariadb_server_ssl_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_mariadb_server_ssl_enabled Title: "MariaDB servers should have 'Enforce SSL connection' set to 'ENABLED'" Description: "This control checks whether MariaDB servers SSL enforcement is enabled. This control is non-compliant if SSL enforcement is disabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_mariadb_server ListOfTables: - - azure_mariadb_server - - azure_subscription + - azure_mariadb_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_application_insights_configured.yaml b/compliance/controls/azure/azure_monitor_application_insights_configured.yaml index d24bfc400..59d582a47 100755 --- a/compliance/controls/azure/azure_monitor_application_insights_configured.yaml +++ b/compliance/controls/azure/azure_monitor_application_insights_configured.yaml 
@@ -1,59 +1,33 @@ ID: azure_monitor_application_insights_configured Title: "Ensure Application Insights are Configured" Description: "Application Insights within Azure act as an Application Performance Monitoring solution providing valuable data into how well an application performs and additional information when performing incident response. The types of log data collected include application metrics, telemetry data, and application trace logging data providing organizations with detailed information about application activity and application transactions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with application_insights as ( - select - subscription_id, - count(*) as no_application_insight - from - azure_application_insight - group by - subscription_id - ) - select - sub.id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when i.subscription_id is null then 'alarm' - else 'ok' - end as status, - case - when i.subscription_id is null then sub.display_name || ' does not have application insights configured.' - else sub.display_name || ' has ' || no_application_insight || ' application insights configured.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription as sub - left join application_insights as i on i.subscription_id = sub.subscription_id; + QueryToExecute: "with application_insights as (\n select\n subscription_id,\n count(*) as no_application_insight\n from\n azure_application_insight\n group by\n subscription_id\n)\nselect\n sub.id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when i.subscription_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when i.subscription_id is null then sub.display_name || ' does not have application insights configured.'\n else sub.display_name || ' has ' || no_application_insight || ' application insights configured.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription as sub\n left join application_insights as i on i.subscription_id = sub.subscription_id;\n" PrimaryTable: azure_application_insight ListOfTables: - - azure_application_insight - - azure_subscription + - azure_application_insight + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.3.1 + - 5.3.1 cis_level: - - "2" + - "2" cis_section_id: - - "5" + - "5" cis_type: - - automated + - automated cis_version: - - v1.4.0 + - v1.4.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_diagnostic_settings_captures_proper_categories.yaml b/compliance/controls/azure/azure_monitor_diagnostic_settings_captures_proper_categories.yaml index 0febae67e..0f88d268c 100755 --- a/compliance/controls/azure/azure_monitor_diagnostic_settings_captures_proper_categories.yaml +++ b/compliance/controls/azure/azure_monitor_diagnostic_settings_captures_proper_categories.yaml 
@@ -1,8 +1,6 @@ ID: azure_monitor_diagnostic_settings_captures_proper_categories Title: "Ensure Diagnostic Setting captures appropriate categories" Description: "A Diagnostic Setting must exist. If a Diagnostic Setting does not exist, the navigation and options within this recommendation will not be available. Please review the recommendation at the beginning of this subsection titled: 'Ensure that a 'Diagnostic Setting' exists.' The diagnostic setting should be configured to log the appropriate activities from the control/management plane." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -57,26 +55,28 @@ Query: sub.subscription_id = sett.subscription_id; PrimaryTable: azure_diagnostic_setting ListOfTables: - - azure_diagnostic_setting - - azure_subscription + - azure_diagnostic_setting + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.1.2 + - 5.1.2 cis_level: - - "1" + - "1" cis_section_id: - - "5.1" + - "5.1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_policy_assignment.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_policy_assignment.yaml index d7cff3359..71d0d6b7c 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_create_policy_assignment.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_policy_assignment.yaml 
@@ -1,77 +1,33 @@ ID: azure_monitor_log_alert_create_policy_assignment Title: "Ensure that Activity Log Alert exists for Create Policy Assignment" Description: "Create an activity log alert for the Create Policy Assignment event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.og_account_id as og_account_id, - alert.og_resource_id as og_resource_id, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.authorization/policyassignments"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/write"}]' - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for create policy assignment event.' - else 'Activity log alert does not exists for create policy assignment event.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub.subscription_id, - sub.og_account_id, - sub.og_resource_id, - sub._ctx, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.og_account_id as og_account_id,\n alert.og_resource_id as og_resource_id,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.authorization/policyassignments\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Authorization/policyAssignments/write\"}]'\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for create policy assignment event.'\n else 'Activity log alert does not exists for create policy assignment event.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub.subscription_id,\n sub.og_account_id,\n sub.og_resource_id,\n sub._ctx,\n sub.display_name;\n" PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.1 + - 5.2.1 
cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg.yaml index ac914a5d8..4cac590a4 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg.yaml 
@@ -1,85 +1,33 @@ ID: azure_monitor_log_alert_create_update_nsg Title: "Ensure that Activity Log Alert exists for Create or Update Network Security Group" Description: "Create an Activity Log Alert for the Create or Update Network Security Group event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' - ) - or - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - and jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Network Security Group event.' - else 'Activity log alert does not exists for create or update Network Security Group event.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub._ctx, - sub.subscription_id, - sub.og_account_id, - sub.og_resource_id, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Network Security Group event.'\n else 'Activity log alert does not exists for create or update Network Security Group event.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub._ctx,\n sub.subscription_id,\n sub.og_account_id,\n sub.og_resource_id,\n sub.display_name;\n" PrimaryTable: 
azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.3 + - 5.2.3 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg_rule.yaml index 2a7d25d43..5bc212684 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_nsg_rule.yaml 
@@ -1,85 +1,33 @@ ID: azure_monitor_log_alert_create_update_nsg_rule Title: "Ensure that Activity Log Alert exists for Create or Update Network Security Group Rule" Description: "Create an activity log alert for the Create or Update Network Security Group Rule event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/write"}]' - ) - or - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - and jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Network Security Group Rule event.' - else 'Activity log alert does not exists for create or update Network Security Group Rule event.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub._ctx, - sub.og_account_id, - sub.og_resource_id, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups/securityrules\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networksecuritygroups/securityrules/write\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups/securityrules\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Network Security Group Rule event.'\n else 'Activity log alert does not exists for create or update Network Security Group Rule event.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub._ctx,\n sub.og_account_id,\n sub.og_resource_id,\n 
sub.subscription_id,\n sub.display_name;\n" PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.5 + - 5.2.5 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_public_ip_address.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_public_ip_address.yaml index 6ed25f1c1..2f82fee3b 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_public_ip_address.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_public_ip_address.yaml @@ -1,8 +1,6 @@ ID: azure_monitor_log_alert_create_update_public_ip_address Title: "Ensure that Activity Log Alert exists for Create or Update Public IP Address rule" Description: "Create an activity log alert for the Create or Update Public IP Addresses rule." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -48,7 +46,7 @@ Query: when count(a.subscription_id) > 0 then 'Activity Log Alert exists for Create or Update Public IP Address rule.' else 'Activity Log Alert does not exists for Create or Update Public IP Address rule.' end as reason - + , sub.display_name as subscription from azure_subscription sub 
@@ -61,26 +59,28 @@ Query: sub.display_name; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.9 + - 5.2.9 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_security_solution.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_security_solution.yaml index 8b5257323..97f3baf03 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_security_solution.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_security_solution.yaml 
@@ -1,85 +1,33 @@ ID: azure_monitor_log_alert_create_update_security_solution Title: "Ensure that Activity Log Alert exists for Create or Update Security Solution" Description: "Create an activity log alert for the Create or Update Security Solution event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Security/securitySolutions/write"}]' - ) - or - ( - alert.condition -> 'allOf' @> '[{"equals":"Security","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.security/securitysolutions"}]' - and jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Security Solution event.' - else 'Activity log alert does not exists for create or update Security Solution event.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub.og_account_id, - sub.og_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Security\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.security/securitysolutions\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Security/securitySolutions/write\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Security\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.security/securitysolutions\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for create or update Security Solution event.'\n else 'Activity log alert does not exists for create or update Security Solution event.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub.og_account_id,\n sub.og_resource_id,\n sub._ctx,\n sub.subscription_id,\n sub.display_name;\n" PrimaryTable: azure_log_alert ListOfTables: - - 
azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.7 + - 5.2.7 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_create_update_sql_servers_firewall_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_create_update_sql_servers_firewall_rule.yaml index 6a14974e4..d81317d2b 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_create_update_sql_servers_firewall_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_create_update_sql_servers_firewall_rule.yaml 
@@ -1,86 +1,33 @@ ID: azure_monitor_log_alert_create_update_sql_servers_firewall_rule Title: "Ensure that Activity Log Alert exists for Create or Update SQL Server Firewall Rule" Description: "Create an activity log alert for the Create or Update SQL Server Firewall Rule event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as - ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and - ( - ( alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]' - ) - or - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers/firewallrules"}]' - and jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.' - else 'Activity Log Alert does not exists for Create or Update SQL Server Firewall Rule.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub.og_account_id, - sub.og_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as\n(\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and\n (\n ( alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.sql/servers/firewallrules\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Sql/servers/firewallRules/write\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.sql/servers/firewallrules\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity Log Alert exists for Create or Update SQL Server Firewall Rule.'\n else 'Activity Log Alert does not exists for Create or Update SQL Server Firewall Rule.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub.og_account_id,\n sub.og_resource_id,\n sub._ctx,\n sub.subscription_id,\n sub.display_name;\n" PrimaryTable: azure_log_alert 
ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.7 + - 5.2.7 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_nsg.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_nsg.yaml index f9a8c8134..90fe89fcc 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_nsg.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_nsg.yaml 
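Review bot: The `limit 1` closing the `alert_rule` CTE caps the CTE at one row across all subscriptions present in `azure_log_alert`, so whenever more than one subscription is in scope the `left join alert_rule a on sub.subscription_id = a.subscription_id` can match at most one of them and every other subscription is reported `alarm` even when it has a qualifying alert, and with no `order by` which one survives is arbitrary. If CloudQL evaluates this query over a tenant's subscriptions at once (the join against `azure_subscription` suggests it can), drop the `limit 1` — the outer `count(a.subscription_id) > 0` already tolerates several matching alerts per subscription — or use `select distinct on (alert.subscription_id)` in the CTE. Separately, the switch from `QueryToExecute: |` to a single double-quoted scalar buries the JSONB containment literals in `\"` escapes (e.g. `'[{\"field\": \"operationName\", \"equals\": \"Microsoft.Sql/servers/firewallRules/write\"}]'`), where one dropped escape would silently disable a predicate rather than fail loudly; a `|` block scalar keeps the SQL reviewable line by line.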
@@ -1,86 +1,33 @@ ID: azure_monitor_log_alert_delete_nsg Title: "Ensure that Activity Log Alert exists for Delete Network Security Group" Description: "Create an activity log alert for the Delete Network Security Group event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id, - jsonb_array_length(alert.condition -> 'allOf') - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' - ) - or - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups"}]' - and jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Network Security Group event.' - else 'Activity log alert does not exists for delete Network Security Group event.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - og_account_id, - og_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id,\n jsonb_array_length(alert.condition -> 'allOf')\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\n select\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Network Security Group event.'\n else 'Activity log alert does not exists for delete Network Security Group event.'\n end as reason\n \n , sub.display_name as subscription\n from\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\n group by\n og_account_id,\n og_resource_id,\n sub._ctx,\n sub.subscription_id,\n sub.display_name;\n" 
PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.4 + - 5.2.4 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_nsg_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_nsg_rule.yaml index b232a3b8f..5e2ad092d 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_nsg_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_nsg_rule.yaml 
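Review bot: The `group by og_account_id, og_resource_id` at the end of the new query leaves those two columns unqualified while every sibling control writes `sub.og_account_id, sub.og_resource_id`; it resolves today only because the `alert_rule` CTE exposes neither column, and would become ambiguous as soon as someone selects them into the CTE. The CTE also selects an unnamed, unused `jsonb_array_length(alert.condition -> 'allOf')` column that no other control in this diff carries; writing `group by sub.og_account_id, sub.og_resource_id, sub._ctx, sub.subscription_id, sub.display_name` and dropping that column brings the control in line with the rest. The `limit 1` on the CTE has the same multi-subscription caveat as the sibling controls: at most one subscription can ever join, so any other subscription with a qualifying alert is still reported `alarm` when several are evaluated together.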
@@ -1,85 +1,33 @@ ID: azure_monitor_log_alert_delete_nsg_rule Title: "Ensure that Activity Log Alert exists for Delete Network Security Group Rule" Description: "Create an activity log alert for the Delete Network Security Group Rule event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and ( - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networksecuritygroups/securityrules/delete"}]' - ) - or - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/networksecuritygroups/securityrules"}]' - and jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Network Security Group Rule event.' - else 'Activity log alert does not exists for delete Network Security Group Rule event.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub.og_account_id, - sub.og_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and (\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups/securityrules\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networksecuritygroups/securityrules/delete\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/networksecuritygroups/securityrules\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Network Security Group Rule event.'\n else 'Activity log alert does not exists for delete Network Security Group Rule event.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub.og_account_id,\n sub.og_resource_id,\n sub._ctx,\n sub.subscription_id,\n 
sub.display_name;\n" PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.6 + - 5.2.6 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_policy_assignment.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_policy_assignment.yaml index cc6317555..f138f37b6 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_policy_assignment.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_policy_assignment.yaml 
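Review bot: The `operationName` literal in the first branch, `Microsoft.Network/networksecuritygroups/securityrules/delete`, is spelled differently from the same operation in `azure_monitor_log_alert_for_administrative_operations` further down this diff (`Microsoft.Network/networkSecurityGroups/securityRules/delete`) and from the `Microsoft.Network/networkSecurityGroups/delete` casing the delete-NSG control uses, and JSONB `@>` compares string values case-sensitively. Which spelling an alert rule actually stores is not visible here, but as written an alert configured with the canonical casing only passes this control through the second, `jsonb_array_length = 2` branch, while a rule configured with the lowercase spelling passes here and fails the administrative-operations control. Align the literal with the casing used elsewhere, `'[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules/delete\"}]'`, or normalise both sides before comparing.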
@@ -1,75 +1,33 @@ ID: azure_monitor_log_alert_delete_policy_assignment Title: "Ensure that Activity Log Alert exists for Delete Policy Assignment" Description: "Create an activity log alert for the Delete Policy Assignment event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.authorization/policyassignments"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Authorization/policyAssignments/delete"}]' - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for delete policy assignment event.' - else 'Activity log alert does not exists for delete policy assignment event.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub.og_account_id, - sub.og_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.authorization/policyassignments\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Authorization/policyAssignments/delete\"}]'\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for delete policy assignment event.'\n else 'Activity log alert does not exists for delete policy assignment event.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub.og_account_id,\n sub.og_resource_id,\n sub._ctx,\n sub.subscription_id,\n sub.display_name;\n" PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.2 + - 5.2.2 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - 
automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_public_ip_address.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_public_ip_address.yaml index e23606927..7ed6dea4b 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_public_ip_address.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_public_ip_address.yaml 
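Review bot: The `where` clause of the `alert_rule` CTE requires an explicit `operationName` of `Microsoft.Authorization/policyAssignments/delete`, with no second branch accepting an alert scoped only by category and `resourceType` (the `jsonb_array_length(alert.condition -> 'allOf') = 2` form every other control in this diff accepts), so a single broad alert covering all policy-assignment operations satisfies the NSG, public-IP and SQL-firewall controls but is reported `alarm` here. If that asymmetry is not deliberate, wrap the three existing predicates in parentheses and add `or (category Administrative and resourceType microsoft.authorization/policyassignments and jsonb_array_length(alert.condition -> 'allOf') = 2)` in the same `@>` form the sibling controls use. The `limit 1` on the CTE also means at most one subscription can ever join, so in a multi-subscription run every other subscription is reported `alarm` regardless of its alerts.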
@@ -1,85 +1,33 @@ ID: azure_monitor_log_alert_delete_public_ip_address Title: "Ensure that Activity Log Alert exists for Delete Public IP Address rule" Description: "Create an activity log alert for the Delete Public IP Address rule." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and - ( - ( alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - and alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/publicIPAddresses/delete"}]' - ) - or - ( - alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.network/publicipaddresses"}]' - and jsonb_array_length(alert.condition -> 'allOf') = 2 - ) - ) - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity Log Alert exists for Delete Public IP Address rule.' - else 'Activity Log Alert does not exists for Delete Public IP Address rule.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub.og_account_id, - sub.og_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as(\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and\n (\n ( alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/publicipaddresses\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/publicIPAddresses/delete\"}]'\n )\n or\n (\n alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.network/publicipaddresses\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n )\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity Log Alert exists for Delete Public IP Address rule.'\n else 'Activity Log Alert does not exists for Delete Public IP Address rule.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub.og_account_id,\n sub.og_resource_id,\n sub._ctx,\n sub.subscription_id,\n sub.display_name;\n" PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - 
- azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.10 + - 5.2.10 cis_level: - - "1" + - "1" cis_section_id: - - "5" + - "5" cis_type: - - automated + - automated cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_security_solution.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_security_solution.yaml index c2155d712..7b51fad7b 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_security_solution.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_security_solution.yaml @@ -1,8 +1,6 @@ ID: azure_monitor_log_alert_delete_security_solution Title: "Ensure that Activity Log Alert exists for Delete Security Solution" Description: "Create an activity log alert for the Delete Security Solution event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -40,7 +38,7 @@ Query: when count(a.subscription_id) > 0 then 'Activity log alert exists for delete Security Solution event.' else 'Activity log alert does not exists for delete Security Solution event.' end as reason - + , sub.display_name as subscription from azure_subscription sub @@ -53,26 +51,28 @@ Query: sub.display_name; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.8 + - 5.2.8 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription 
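Review bot: `cis_section_id` in the new tag block is `"5"` while `cis_item_id` is `5.2.10` and every neighbouring 5.2.x control in this diff carries `cis_section_id: "5.2"`, so anything grouping controls by that tag files this one under the wrong benchmark section; `- "5.2"` looks like the intended value, though the CIS v1.5.0 mapping itself is not visible here to confirm. The query carries the same `limit 1` on the `alert_rule` CTE as its siblings, which leaves at most one subscription able to join and reports every other subscription `alarm` regardless of its alerts when several are evaluated together; dropping it is safe because the outer `count(a.subscription_id) > 0` already tolerates multiple matches.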
diff --git a/compliance/controls/azure/azure_monitor_log_alert_delete_sql_servers_firewall_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_delete_sql_servers_firewall_rule.yaml index 6dfdb45d4..d93a8f1b4 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_delete_sql_servers_firewall_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_delete_sql_servers_firewall_rule.yaml @@ -1,8 +1,6 @@ ID: azure_monitor_log_alert_delete_sql_servers_firewall_rule Title: "Ensure that Activity Log Alert exists for Delete SQL Server Firewall Rule" Description: "Create an activity log alert for the 'Delete SQL Server Firewall Rule.'" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -39,7 +37,7 @@ Query: when count(a.subscription_id) > 0 then 'Activity Log Alert exists for Delete SQL Server Firewall Rule.' else 'Activity Log Alert does not exists for Delete SQL Server Firewall Rule.' end as reason - + , sub.display_name as subscription from azure_subscription sub @@ -52,26 +50,28 @@ Query: sub.display_name; PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.8 + - 5.2.8 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_for_administrative_operations.yaml b/compliance/controls/azure/azure_monitor_log_alert_for_administrative_operations.yaml index 7f4f820c5..79fc78a5c 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_for_administrative_operations.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_for_administrative_operations.yaml 
@@ -1,71 +1,19 @@ ID: azure_monitor_log_alert_for_administrative_operations Title: "An activity log alert should exist for specific Administrative operations" Description: "This policy audits specific Administrative operations with no activity log alerts configured." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and ( - alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/write"}]' - or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Sql/servers/firewallRules/delete"}]' - or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/write"}]' - or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/delete"}]' - or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/write"}]' - or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/delete"}]' - or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/write"}]' - or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.Network/networkSecurityGroups/securityRules/delete"}]' - or alert.condition -> 'allOf' @> '[{"field": "operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write"}]' - or alert.condition -> 'allOf' @> '[{"field": 
"operationName", "equals": "Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete"}]' - ) - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for administrative operations.' - else 'Activity log alert does not exists for administrative operations.' - end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub.og_account_id, - sub.og_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and (\n alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Sql/servers/firewallRules/write\"}]'\n or alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Sql/servers/firewallRules/delete\"}]'\n or alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networkSecurityGroups/write\"}]'\n or alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networkSecurityGroups/delete\"}]'\n or alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.ClassicNetwork/networkSecurityGroups/write\"}]'\n or alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": 
\"Microsoft.ClassicNetwork/networkSecurityGroups/delete\"}]'\n or alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules/write\"}]'\n or alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules/delete\"}]'\n or alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write\"}]'\n or alert.condition -> 'allOf' @> '[{\"field\": \"operationName\", \"equals\": \"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete\"}]'\n )\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for administrative operations.'\n else 'Activity log alert does not exists for administrative operations.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub.og_account_id,\n sub.og_resource_id,\n sub._ctx,\n sub.subscription_id,\n sub.display_name;\n" PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_alert_sql_firewall_rule.yaml b/compliance/controls/azure/azure_monitor_log_alert_sql_firewall_rule.yaml index e1ff3d943..91d90d25d 100755 --- a/compliance/controls/azure/azure_monitor_log_alert_sql_firewall_rule.yaml +++ b/compliance/controls/azure/azure_monitor_log_alert_sql_firewall_rule.yaml 
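Review bot: The `alert_rule` CTE only recognises alert rules whose `allOf` contains an exact `operationName` from the ten listed values; an alert scoped by category and `resourceType` alone, which the CIS controls earlier in this diff accept through their `jsonb_array_length(alert.condition -> 'allOf') = 2` branch, is reported `alarm` here, and the casing `Microsoft.Network/networkSecurityGroups/securityRules/delete` in this list differs from the `.../networksecuritygroups/securityrules/delete` literal in `azure_monitor_log_alert_delete_nsg_rule`, so the same rule cannot satisfy both controls unless `@>` happens to see the canonical form. Consider adding the same `resourceType`-only branch for `microsoft.network/networksecuritygroups`, `microsoft.network/networksecuritygroups/securityrules` and `microsoft.sql/servers/firewallrules`, and matching the literal casing across controls. As in the sibling controls, the `limit 1` on the CTE means that with several subscriptions in scope only one can join and the others are reported `alarm` whatever alerts they have.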
@@ -1,75 +1,33 @@ ID: azure_monitor_log_alert_sql_firewall_rule Title: "Ensure that Activity Log Alert exists for Create or Update or Delete SQL Server Firewall Rule" Description: "Create an activity log alert for the Create or Update or Delete SQL Server Firewall Rule event." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with alert_rule as ( - select - alert.id as alert_id, - alert.name as alert_name, - alert.enabled, - alert.location, - alert.subscription_id - from - azure_log_alert as alert, - jsonb_array_elements_text(scopes) as sc - where - alert.location = 'Global' - and alert.enabled - and sc = '/subscriptions/' || alert.subscription_id - and alert.condition -> 'allOf' @> '[{"equals":"Administrative","field":"category"}]' - and alert.condition -> 'allOf' @> '[{"field": "resourceType", "equals": "microsoft.sql/servers"}]' - and jsonb_array_length(alert.condition -> 'allOf') = 2 - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(a.subscription_id) > 0 then 'ok' - else 'alarm' - end as status, - case - when count(a.subscription_id) > 0 then 'Activity log alert exists for create, update and delete SQL Server Firewall Rule event.' - else 'Activity log alert does not exists for create, update and delete SQL Server Firewall Rule event.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join alert_rule a on sub.subscription_id = a.subscription_id - group by - sub.og_account_id, - sub.og_resource_id, - sub._ctx, - sub.subscription_id, - sub.display_name; + QueryToExecute: "with alert_rule as (\n select\n alert.id as alert_id,\n alert.name as alert_name,\n alert.enabled,\n alert.location,\n alert.subscription_id\n from\n azure_log_alert as alert,\n jsonb_array_elements_text(scopes) as sc\n where\n alert.location = 'Global'\n and alert.enabled\n and sc = '/subscriptions/' || alert.subscription_id\n and alert.condition -> 'allOf' @> '[{\"equals\":\"Administrative\",\"field\":\"category\"}]'\n and alert.condition -> 'allOf' @> '[{\"field\": \"resourceType\", \"equals\": \"microsoft.sql/servers\"}]'\n and jsonb_array_length(alert.condition -> 'allOf') = 2\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(a.subscription_id) > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when count(a.subscription_id) > 0 then 'Activity log alert exists for create, update and delete SQL Server Firewall Rule event.'\n else 'Activity log alert does not exists for create, update and delete SQL Server Firewall Rule event.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join alert_rule a on sub.subscription_id = a.subscription_id\ngroup by\n sub.og_account_id,\n sub.og_resource_id,\n sub._ctx,\n sub.subscription_id,\n sub.display_name;\n" PrimaryTable: azure_log_alert ListOfTables: - - azure_log_alert - - azure_subscription + - azure_log_alert + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.2.9 + - 5.2.9 cis_level: - - "1" + - "1" cis_section_id: - - "5.2" + - "5.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - 
v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account.yaml b/compliance/controls/azure/azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account.yaml index d470a351a..f5785a142 100755 --- a/compliance/controls/azure/azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account.yaml +++ b/compliance/controls/azure/azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account.yaml @@ -1,8 +1,6 @@ ID: azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account Title: "Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption" Description: "Link storage account to Log Analytics workspace to protect saved-queries with storage account encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your saved-queries in Azure Monitor. For more details on the above, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys?tabs" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_cluster_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_monitor_log_cluster_encrypted_with_cmk.yaml index 8785656a0..9be7b0fac 100755 --- a/compliance/controls/azure/azure_monitor_log_cluster_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_monitor_log_cluster_encrypted_with_cmk.yaml 
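Review bot: QueryToExecute is reserialized from a `|` block scalar into a single double-quoted line with embedded `\n` and `\"` escapes, which makes the SQL unreadable in review and turns every future edit to the query into a one-line diff; `QueryToExecute: |` (or `|-` if the trailing newline is unwanted) carries the same bytes with no escaping, and if a generator produced this its dump settings are the place to fix rather than the files. The same reserialization appears in the hunks for azure_monitor_log_profile_enabled_for_all_categories, azure_monitor_log_profile_enabled_for_all_regions, azure_monitor_logs_storage_container_encryptes_with_byok, both azure_mssql_managed_instance controls, azure_mysql_db_server_geo_redundant_backup_enabled and azure_mysql_server_audit_logging_enabled. Since the query text is being rewritten anyway, the reason string on the new side still reads `'Activity log alert does not exists for create, update and delete SQL Server Firewall Rule event.'`, which should be `does not exist`.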
@@ -1,8 +1,6 @@ ID: azure_monitor_log_cluster_encrypted_with_cmk Title: "Azure Monitor Logs clusters should be encrypted with customer-managed key" Description: "Create Azure Monitor logs cluster with customer-managed keys encryption. By default, the log data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance. Customer-managed key in Azure Monitor gives you more control over the access to you data, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_cluster_infrastructure_encryption_enabled.yaml b/compliance/controls/azure/azure_monitor_log_cluster_infrastructure_encryption_enabled.yaml index bbf15039c..0fdde372b 100755 --- a/compliance/controls/azure/azure_monitor_log_cluster_infrastructure_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_monitor_log_cluster_infrastructure_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_monitor_log_cluster_infrastructure_encryption_enabled Title: "Azure Monitor Logs clusters should be created with infrastructure-encryption enabled (double encryption)" Description: "To ensure secure data encryption is enabled at the service level and the infrastructure level with two different encryption algorithms and two different keys, use an Azure Monitor dedicated cluster. This option is enabled by default when supported at the region, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys#customer-managed-key-overview." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_categories.yaml b/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_categories.yaml index c09af8627..e2b3d17f0 100755 --- a/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_categories.yaml +++ b/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_categories.yaml 
@@ -1,37 +1,19 @@ ID: azure_monitor_log_profile_enabled_for_all_categories Title: "Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'" Description: "This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action'." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - p.id as resource, - p.og_account_id as og_account_id, - p.og_resource_id as og_resource_id, - case - when p.categories @> '["Write", "Action", "Delete"]' then 'ok' - else 'alarm' - end as status, - case - when p.categories @> '["Write", "Action", "Delete"]' then p.name || ' collects logs for categories write, delete and action' - else p.name || ' does not collects logs for all categories.' - end as reason - - , p.resource_group as resource_group - , sub.display_name as subscription - from - azure_log_profile as p - left join azure_subscription sub on sub.subscription_id = p.subscription_id; + QueryToExecute: "select\n p.id as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when p.categories @> '[\"Write\", \"Action\", \"Delete\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when p.categories @> '[\"Write\", \"Action\", \"Delete\"]' then p.name || ' collects logs for categories write, delete and action'\n else p.name || ' does not collects logs for all categories.'\n end as reason\n \n , p.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_log_profile as p\n left join azure_subscription sub on sub.subscription_id = p.subscription_id;\n" PrimaryTable: azure_log_profile ListOfTables: - - azure_log_profile - - azure_subscription + - azure_log_profile + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_regions.yaml b/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_regions.yaml index 55985e3f4..32833574a 100755 --- a/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_regions.yaml +++ b/compliance/controls/azure/azure_monitor_log_profile_enabled_for_all_regions.yaml 
@@ -1,39 +1,19 @@ ID: azure_monitor_log_profile_enabled_for_all_regions Title: "Azure Monitor should collect activity logs from all regions" Description: "This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - p.id as resource, - p.og_account_id as og_account_id, - p.og_resource_id as og_resource_id, - case - when p.log_event_location @> '["global", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazilsouth", "brazilsoutheast", "canadacentral", "canadaeast", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "francesouth","germanynorth", "germanywestcentral", "japaneast", "japanwest", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope", - "norwayeast", "norwaywest", "southafricanorth", "southafricawest", "southcentralus", "southeastasia", "southindia", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "westcentralus", "westeurope", "westindia", "westus", "westus2", "westus3"]' then 'ok' - else 'alarm' - end as status, - case - when p.log_event_location @> '["global", "australiacentral", "australiacentral2", "australiaeast", "australiasoutheast", "brazilsouth", "brazilsoutheast", "canadacentral", "canadaeast", "centralindia", "centralus", "eastasia", "eastus", "eastus2", "francecentral", "francesouth","germanynorth", "germanywestcentral", "japaneast", "japanwest", "jioindiawest", "koreacentral", "koreasouth", "northcentralus", "northeurope", - "norwayeast", "norwaywest", "southafricanorth", "southafricawest", "southcentralus", "southeastasia", "southindia", "switzerlandnorth", "switzerlandwest", "uaecentral", "uaenorth", "uksouth", "ukwest", "westcentralus", "westeurope", "westindia", "westus", "westus2", "westus3"]' then p.name || ' collect activity logs from all regions.' 
- else p.name || ' not collect activity logs from all regions.' - end as reason - - , p.resource_group as resource_group - , sub.display_name as subscription - from - azure_log_profile as p - left join azure_subscription sub on sub.subscription_id = p.subscription_id; + QueryToExecute: "select\n p.id as resource,\n p.og_account_id as og_account_id,\n p.og_resource_id as og_resource_id,\n case\n when p.log_event_location @> '[\"global\", \"australiacentral\", \"australiacentral2\", \"australiaeast\", \"australiasoutheast\", \"brazilsouth\", \"brazilsoutheast\", \"canadacentral\", \"canadaeast\", \"centralindia\", \"centralus\", \"eastasia\", \"eastus\", \"eastus2\", \"francecentral\", \"francesouth\",\"germanynorth\", \"germanywestcentral\", \"japaneast\", \"japanwest\", \"jioindiawest\", \"koreacentral\", \"koreasouth\", \"northcentralus\", \"northeurope\",\n \"norwayeast\", \"norwaywest\", \"southafricanorth\", \"southafricawest\", \"southcentralus\", \"southeastasia\", \"southindia\", \"switzerlandnorth\", \"switzerlandwest\", \"uaecentral\", \"uaenorth\", \"uksouth\", \"ukwest\", \"westcentralus\", \"westeurope\", \"westindia\", \"westus\", \"westus2\", \"westus3\"]' then 'ok'\n else 'alarm'\n end as status,\n case\n when p.log_event_location @> '[\"global\", \"australiacentral\", \"australiacentral2\", \"australiaeast\", \"australiasoutheast\", \"brazilsouth\", \"brazilsoutheast\", \"canadacentral\", \"canadaeast\", \"centralindia\", \"centralus\", \"eastasia\", \"eastus\", \"eastus2\", \"francecentral\", \"francesouth\",\"germanynorth\", \"germanywestcentral\", \"japaneast\", \"japanwest\", \"jioindiawest\", \"koreacentral\", \"koreasouth\", \"northcentralus\", \"northeurope\",\n \"norwayeast\", \"norwaywest\", \"southafricanorth\", \"southafricawest\", \"southcentralus\", \"southeastasia\", \"southindia\", \"switzerlandnorth\", \"switzerlandwest\", \"uaecentral\", \"uaenorth\", \"uksouth\", \"ukwest\", \"westcentralus\", \"westeurope\", \"westindia\", 
\"westus\", \"westus2\", \"westus3\"]' then p.name || ' collect activity logs from all regions.'\n else p.name || ' not collect activity logs from all regions.'\n end as reason\n \n , p.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_log_profile as p\n left join azure_subscription sub on sub.subscription_id = p.subscription_id;\n" PrimaryTable: azure_log_profile ListOfTables: - - azure_log_profile - - azure_subscription + - azure_log_profile + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_log_profile_retention_365_days.yaml b/compliance/controls/azure/azure_monitor_log_profile_retention_365_days.yaml index 3b240e9a4..f845ca931 100755 --- a/compliance/controls/azure/azure_monitor_log_profile_retention_365_days.yaml +++ b/compliance/controls/azure/azure_monitor_log_profile_retention_365_days.yaml @@ -1,8 +1,6 @@ ID: azure_monitor_log_profile_retention_365_days Title: "Monitor log profiles should have retention set to 365 days or greater" Description: "This control is non-compliant if Monitor log profile retention is set to less than 365 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -24,8 +22,10 @@ Query: left join azure_subscription sub on sub.subscription_id = p.subscription_id; PrimaryTable: azure_log_profile ListOfTables: - - azure_log_profile - - azure_subscription + - azure_log_profile + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_logs_storage_container_encryptes_with_byok.yaml b/compliance/controls/azure/azure_monitor_logs_storage_container_encryptes_with_byok.yaml index a7a4b0032..fa058db03 100755 
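Review bot: The region list is spelled out twice in the query, once in the `status` case and once in the `reason` case, so any later change has to be made in both places or the two branches drift apart; computing the containment once (for example a CTE selecting `p.log_event_location @> '[...]' as covers_all_regions`) and referencing that from both branches removes the duplication. Because `@>` tests against a fixed list, a profile that omits a region Azure introduced after this list was written still reports `ok`, which is worth stating in the file with a comment such as `# region list is static; compare against the current Azure region set when updating this control`. The `\"francesouth\",\"germanynorth\"` entry is also missing the space the other entries have, harmless to jsonb but inconsistent.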
--- a/compliance/controls/azure/azure_monitor_logs_storage_container_encryptes_with_byok.yaml +++ b/compliance/controls/azure/azure_monitor_logs_storage_container_encryptes_with_byok.yaml 
@@ -1,58 +1,34 @@ ID: azure_monitor_logs_storage_container_encryptes_with_byok Title: "Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)" Description: "The storage account with the activity log export container is configured to use BYOK (Use Your Own Key)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok' - else 'alarm' - end as status, - case - when a.encryption_key_source = 'Microsoft.Keyvault' - then a.name || ' container insights-operational-logs encrypted with BYOK.' - else a.name || ' container insights-operational-logs not encrypted with BYOK.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_container c, - azure_storage_account a, - azure_subscription sub - where - c.name = 'insights-operational-logs' - and c.account_name = a.name - and sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault'\n then a.name || ' container insights-operational-logs encrypted with BYOK.'\n else a.name || ' container insights-operational-logs not encrypted with BYOK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_container c,\n azure_storage_account a,\n azure_subscription sub\nwhere\n c.name = 'insights-operational-logs'\n and c.account_name = a.name\n and sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_storage_container - - azure_subscription 
+ - azure_storage_account + - azure_storage_container + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.1.4 + - 5.1.4 cis_level: - - "2" + - "2" cis_section_id: - - "5.1" + - "5.1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible.yaml b/compliance/controls/azure/azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible.yaml index 8add39f64..0396e83a6 100755 --- a/compliance/controls/azure/azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible.yaml +++ b/compliance/controls/azure/azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible.yaml @@ -1,8 +1,6 @@ ID: azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible Title: "Ensure the Storage Container Storing the Activity Logs is not Publicly Accessible" Description: "The storage account container containing the activity log export should not be publicly accessible." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: and sub.subscription_id = sc.subscription_id; PrimaryTable: azure_storage_container ListOfTables: - - azure_storage_container - - azure_subscription + - azure_storage_container + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible.yaml b/compliance/controls/azure/azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible.yaml index c68b1edaf..969867362 100755 
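Review bot: The Title and Description describe the storage account holding the activity-log export container, but the query only matches `c.name = 'insights-operational-logs'`; if the activity log export in a deployment lands in a differently named container, the implicit inner join produces no rows at all, so the control goes silent rather than raising an alarm. Please confirm the intended container name, and consider driving the check from `azure_storage_account` with a left join on the container so accounts without the expected container surface as findings instead of disappearing. This is pre-existing logic, but the hunk rewrites the whole query, so it is the natural place to address it.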
--- a/compliance/controls/azure/azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible.yaml +++ b/compliance/controls/azure/azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible.yaml @@ -1,8 +1,6 @@ ID: azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible Title: "Ensure the storage container storing the operational logs is not publicly accessible" Description: "The storage account container containing the operational log export should not be publicly accessible." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -27,8 +25,10 @@ Query: and sub.subscription_id = sc.subscription_id; PrimaryTable: azure_storage_container ListOfTables: - - azure_storage_container - - azure_subscription + - azure_storage_container + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_monitor_logs_storage_container_not_public_accessible.yaml b/compliance/controls/azure/azure_monitor_logs_storage_container_not_public_accessible.yaml index eb97fc7c5..bd61e1fed 100755 --- a/compliance/controls/azure/azure_monitor_logs_storage_container_not_public_accessible.yaml +++ b/compliance/controls/azure/azure_monitor_logs_storage_container_not_public_accessible.yaml @@ -1,8 +1,6 @@ ID: azure_monitor_logs_storage_container_not_public_accessible Title: "Ensure the storage container storing the activity logs is not publicly accessible" Description: "The storage account container containing the activity log export should not be publicly accessible." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -29,26 +27,28 @@ Query: and sub.subscription_id = sc.subscription_id; PrimaryTable: azure_storage_container ListOfTables: - - azure_storage_container - - azure_subscription + - azure_storage_container + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 5.1.3 + - 5.1.3 cis_level: - - "1" + - "1" cis_section_id: - - "5.1" + - "5.1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Monitor + - Azure/Monitor +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mssql_managed_instance_encryption_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_mssql_managed_instance_encryption_at_rest_using_cmk.yaml index 2ca2d8580..27fdea11a 100755 --- a/compliance/controls/azure/azure_mssql_managed_instance_encryption_at_rest_using_cmk.yaml +++ b/compliance/controls/azure/azure_mssql_managed_instance_encryption_at_rest_using_cmk.yaml 
@@ -1,52 +1,21 @@ ID: azure_mssql_managed_instance_encryption_at_rest_using_cmk Title: "SQL managed instances should use customer-managed keys to encrypt data at rest" Description: "Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with encryption_protector as ( - select - distinct i.id as id - from - azure_mssql_managed_instance as i, - jsonb_array_elements(encryption_protectors) a - where - a ->> 'serverKeyType' = 'AzureKeyVault' - and a ->> 'uri' is not null - ) - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when a.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.id is not null then s.title || ' encrypted with CMK.' - else s.title || ' not encrypted with CMK.' 
- end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_mssql_managed_instance as s - left join encryption_protector as a on s.id = a.id, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "with encryption_protector as (\n select\n distinct i.id as id\n from\n azure_mssql_managed_instance as i,\n jsonb_array_elements(encryption_protectors) a\n where\n a ->> 'serverKeyType' = 'AzureKeyVault'\n and a ->> 'uri' is not null\n)\nselect\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when a.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.id is not null then s.title || ' encrypted with CMK.'\n else s.title || ' not encrypted with CMK.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mssql_managed_instance as s\n left join encryption_protector as a on s.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_mssql_managed_instance ListOfTables: - - azure_mssql_managed_instance - - azure_subscription + - azure_mssql_managed_instance + - azure_subscription Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/MySQL + - Azure/MySQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mssql_managed_instance_vulnerability_assessment_enabled.yaml b/compliance/controls/azure/azure_mssql_managed_instance_vulnerability_assessment_enabled.yaml index a0be54f8e..5c32ac095 100755 --- a/compliance/controls/azure/azure_mssql_managed_instance_vulnerability_assessment_enabled.yaml +++ b/compliance/controls/azure/azure_mssql_managed_instance_vulnerability_assessment_enabled.yaml 
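Review bot: The `service` tag on this control is `Azure/MySQL` while `PrimaryTable` is `azure_mssql_managed_instance` and the query reads SQL Managed Instance encryption protectors, which looks like a copy-paste slip that would misfile the control in any tag-driven filtering; the vulnerability-assessment hunk for azure_mssql_managed_instance that follows carries the same tag. I cannot tell from here which SQL service tag this repository uses, so please set it to whatever the other SQL server/managed instance controls carry. As a point of style, the `from` clause mixes an explicit `left join encryption_protector as a on s.id = a.id` with a comma join to `azure_subscription as sub` filtered in `where`; `join azure_subscription as sub on sub.subscription_id = s.subscription_id` keeps the join conditions in one place.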
@@ -1,52 +1,21 @@ ID: azure_mssql_managed_instance_vulnerability_assessment_enabled Title: "Vulnerability assessment should be enabled on SQL Managed Instance" Description: "Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vulnerability_assessments as ( - select - distinct i.id as id - from - azure_mssql_managed_instance as i, - jsonb_array_elements(vulnerability_assessments) a - where - a -> 'recurringScans' ->> 'isEnabled' = 'true' - and a ->> 'name' = 'Default' - ) - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when a.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.id is not null then s.title || ' vulnerability assessment enabled.' - else s.title || ' vulnerability assessment disabled.' 
- end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_mssql_managed_instance as s - left join vulnerability_assessments as a on s.id = a.id, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "with vulnerability_assessments as (\n select\n distinct i.id as id\n from\n azure_mssql_managed_instance as i,\n jsonb_array_elements(vulnerability_assessments) a\n where\n a -> 'recurringScans' ->> 'isEnabled' = 'true'\n and a ->> 'name' = 'Default'\n)\nselect\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when a.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.id is not null then s.title || ' vulnerability assessment enabled.'\n else s.title || ' vulnerability assessment disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mssql_managed_instance as s\n left join vulnerability_assessments as a on s.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_mssql_managed_instance ListOfTables: - - azure_mssql_managed_instance - - azure_subscription + - azure_mssql_managed_instance + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/MySQL + - Azure/MySQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mysql_db_server_geo_redundant_backup_enabled.yaml b/compliance/controls/azure/azure_mysql_db_server_geo_redundant_backup_enabled.yaml index ac7b1d295..a4629cb10 100755 --- a/compliance/controls/azure/azure_mysql_db_server_geo_redundant_backup_enabled.yaml +++ b/compliance/controls/azure/azure_mysql_db_server_geo_redundant_backup_enabled.yaml 
@@ -1,41 +1,21 @@ ID: azure_mysql_db_server_geo_redundant_backup_enabled Title: "Geo-redundant backup should be enabled for Azure Database for MySQL" Description: "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when geo_redundant_backup = 'Enabled' then 'ok' - else 'alarm' - end as status, - case - when geo_redundant_backup = 'Enabled' then name || ' Geo-redundant backup enabled.' - else name || ' Geo-redundant backup disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_mysql_server as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when geo_redundant_backup = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when geo_redundant_backup = 'Enabled' then name || ' Geo-redundant backup enabled.'\n else name || ' Geo-redundant backup disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mysql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_mysql_server ListOfTables: - - azure_mysql_server - - azure_subscription + - azure_mysql_server + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + 
- "true" service: - - Azure/MySQL + - Azure/MySQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_mysql_server_audit_logging_enabled.yaml b/compliance/controls/azure/azure_mysql_server_audit_logging_enabled.yaml index 94984d459..7089e76d3 100755 --- a/compliance/controls/azure/azure_mysql_server_audit_logging_enabled.yaml +++ b/compliance/controls/azure/azure_mysql_server_audit_logging_enabled.yaml 
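Review bot: `geo_redundant_backup` and `name` are referenced unqualified in a `from` that lists both `azure_mysql_server as s` and `azure_subscription as sub`, so the query depends on `azure_subscription` never gaining a column of either name; qualifying them as `s.geo_redundant_backup` and `s.name` removes that fragility and matches how `s.id` and `s.resource_group` are already written. The comma join with the predicate in `where` would read more clearly as `join azure_subscription as sub on sub.subscription_id = s.subscription_id`. The reason string `' Geo-redundant backup disabled.'` also fires for any value other than `'Enabled'`, including null, which is worth a short comment in the file if that is intended.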
@@ -1,55 +1,33 @@
ID: azure_mysql_server_audit_logging_enabled
Title: "Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server"
Description: "Enable audit logging on MySQL Servers."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'
- else 'ok'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter audit_log_enabled off.'
- else s.name || ' server parameter audit_log_enabled on.'
- end as reason
-
- , s.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_mysql_server as s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'audit_log_enabled'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter audit_log_enabled off.'\n else s.name || ' server parameter audit_log_enabled on.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mysql_server as s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'audit_log_enabled'\n and sub.subscription_id = s.subscription_id;\n"
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
cis:
- - "true"
+ - "true"
cis_item_id:
-
- 4.4.3
+ - 4.4.3
cis_level:
- - "2"
+ - "2"
cis_section_id:
- - "4.4"
+ - "4.4"
cis_type:
- - manual
+ - manual
cis_version:
- - v1.5.0
+ - v1.5.0
plugin:
- - azure
+ - azure
service:
- - Azure/MySQL
+ - Azure/MySQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mysql_server_audit_logging_events_connection_set.yaml b/compliance/controls/azure/azure_mysql_server_audit_logging_events_connection_set.yaml
index b44809154..5ee8c252e 100755
--- a/compliance/controls/azure/azure_mysql_server_audit_logging_events_connection_set.yaml
+++ b/compliance/controls/azure/azure_mysql_server_audit_logging_events_connection_set.yaml
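Review bot: The status test `lower(config -> 'ConfigurationProperties' ->> 'value') != 'on'` evaluates to null when the parameter value is absent, so the `case` falls through to `'ok'` and a server whose value cannot be read is reported compliant; `when lower(config -> 'ConfigurationProperties' ->> 'value') is distinct from 'on' then 'alarm'` keeps the alarm for that case. The filter `config ->> 'Name' = 'audit_log_enabled'` also drops servers that have no such configuration entry at all, so they silently vanish from the result instead of alarming; a left join over the expanded configurations would surface them, though I cannot tell from the hunk whether the collector always emits the entry. The same null-to-ok pattern is in azure_mysql_server_public_network_access_disabled (`public_network_access = 'Enabled'`) and azure_mysql_ssl_enabled (`ssl_enforcement = 'Disabled'`) further down.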
@@ -1,55 +1,33 @@
ID: azure_mysql_server_audit_logging_events_connection_set
Title: "Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server"
Description: "Set audit_log_enabled to include CONNECTION on MySQL Servers."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then 'ok'
- else 'alarm'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then s.name || ' server parameter audit_log_events has connection set.'
- else s.name || ' server parameter audit_log_events connection not set.'
- end as reason
-
- , s.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_mysql_server as s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'audit_log_events'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then 'ok'\n else 'alarm'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then s.name || ' server parameter audit_log_events has connection set.'\n else s.name || ' server parameter audit_log_events connection not set.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mysql_server as s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'audit_log_events'\n and sub.subscription_id = s.subscription_id;\n"
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ -
azure_subscription
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
cis:
- - "true"
+ - "true"
cis_item_id:
- - 4.4.4
+ - 4.4.4
cis_level:
- - "2"
+ - "2"
cis_section_id:
- - "4.4"
+ - "4.4"
cis_type:
- - manual
+ - manual
cis_version:
- - v1.5.0
+ - v1.5.0
plugin:
- - azure
+ - azure
service:
- - Azure/MySQL
+ - Azure/MySQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mysql_server_encrypted_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_mysql_server_encrypted_at_rest_using_cmk.yaml
index 53b5760e8..f42d6c2b8 100755
--- a/compliance/controls/azure/azure_mysql_server_encrypted_at_rest_using_cmk.yaml
+++ b/compliance/controls/azure/azure_mysql_server_encrypted_at_rest_using_cmk.yaml
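Review bot: The check `lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection'` requires the parameter to equal exactly `connection`, but the title asks that CONNECTION be included; if `audit_log_events` can hold several comma-separated event classes, as the wording suggests, a value such as `CONNECTION,GENERAL` would alarm although connection events are audited. A containment test, `when position('connection' in lower(config -> 'ConfigurationProperties' ->> 'value')) > 0 then 'ok'`, matches the stated intent and still fails closed on a null value. The Description also says `Set audit_log_enabled to include CONNECTION` while the parameter actually checked is `audit_log_events`.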
@@ -1,50 +1,19 @@
ID: azure_mysql_server_encrypted_at_rest_using_cmk
Title: "MySQL servers should use customer-managed keys to encrypt data at rest"
Description: "Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with mysql_server_encrypted as (
- select
- distinct i.id as id
- from
- azure_mysql_server as i,
- jsonb_array_elements(server_keys) a
- where
- a ->> 'serverKeyType' = 'AzureKeyVault'
- and a ->> 'uri' is not null
- )
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when a.id is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when a.id is not null then s.title || ' encrypted with CMK.'
- else s.title || ' not encrypted with CMK.'
- end as reason
-
- , s.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_mysql_server as s
- left join mysql_server_encrypted as a on s.id = a.id,
- azure_subscription as sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "with mysql_server_encrypted as (\n select\n distinct i.id as id\n from\n azure_mysql_server as i,\n jsonb_array_elements(server_keys) a\n where\n a ->> 'serverKeyType' = 'AzureKeyVault'\n and a ->> 'uri' is not null\n)\nselect\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when a.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.id is not null then s.title || ' encrypted with CMK.'\n else s.title || ' not encrypted with CMK.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mysql_server as s\n left join mysql_server_encrypted as a on s.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n"
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: high
Tags:
nist_sp_800_53_rev_5:
- - "true"
+ - "true"
service:
- - Azure/MySQL
+ - Azure/MySQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mysql_server_infrastructure_encryption_enabled.yaml b/compliance/controls/azure/azure_mysql_server_infrastructure_encryption_enabled.yaml
index 9c49278e9..9731f8162 100755
--- a/compliance/controls/azure/azure_mysql_server_infrastructure_encryption_enabled.yaml
+++ b/compliance/controls/azure/azure_mysql_server_infrastructure_encryption_enabled.yaml
@@ -1,39 +1,19 @@
ID: azure_mysql_server_infrastructure_encryption_enabled
Title: "Infrastructure encryption should be enabled for Azure Database for MySQL servers"
Description: "Enable infrastructure encryption for Azure Database for MySQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when infrastructure_encryption = 'Enabled' then 'ok'
- else 'alarm'
- end as status,
- case
- when infrastructure_encryption = 'Enabled' then s.name || ' infrastructure encryption enabled.'
- else s.name || ' infrastructure encryption disabled.'
- end as reason
-
- , s.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_mysql_server as s,
- azure_subscription as sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when infrastructure_encryption = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when infrastructure_encryption = 'Enabled' then s.name || ' infrastructure encryption enabled.'\n else s.name || ' infrastructure encryption disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mysql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n"
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: high
Tags:
nist_sp_800_53_rev_5:
- - "true"
+ - "true"
service:
- - Azure/MySQL
+ - Azure/MySQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mysql_server_min_tls_1_2.yaml b/compliance/controls/azure/azure_mysql_server_min_tls_1_2.yaml
index cbdee9241..53c816f59 100755
--- a/compliance/controls/azure/azure_mysql_server_min_tls_1_2.yaml
+++ b/compliance/controls/azure/azure_mysql_server_min_tls_1_2.yaml
@@ -1,55 +1,33 @@
ID: azure_mysql_server_min_tls_1_2
Title: "Ensure 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server"
Description: "Ensure TLS version on MySQL flexible servers is set to the default value."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when minimal_tls_version = 'TLSEnforcementDisabled' then 'alarm'
- when minimal_tls_version = 'TLS1_2' then 'ok'
- else 'alarm'
- end as status,
- case
- when minimal_tls_version = 'TLSEnforcementDisabled' then s.name || ' TLS enforcement is disabled.'
- when minimal_tls_version = 'TLS1_2' then s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
- else s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'
- end as reason
-
- , s.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_mysql_server as s,
- azure_subscription as sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when minimal_tls_version = 'TLSEnforcementDisabled' then 'alarm'\n when minimal_tls_version = 'TLS1_2' then 'ok'\n else 'alarm'\n end as status,\n case\n when minimal_tls_version = 'TLSEnforcementDisabled' then s.name || ' TLS enforcement is disabled.'\n when minimal_tls_version = 'TLS1_2' then s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'\n else s.name || ' minimum TLS version set to ' || minimal_tls_version || '.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mysql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n"
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
cis:
- - "true"
+ - "true"
cis_item_id:
- - 4.4.2
+ - 4.4.2
cis_level:
- - "1"
+ - "1"
cis_section_id:
- - "4.4"
+ - "4.4"
cis_type:
- - automated
+ - automated
cis_version:
- - v1.4.0
+ - v1.4.0
plugin:
- - azure
+ - azure
service:
- - Azure/MySQL
+ - Azure/MySQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mysql_server_private_link_used.yaml b/compliance/controls/azure/azure_mysql_server_private_link_used.yaml
index 27d05f44d..acde53f97 100755
--- a/compliance/controls/azure/azure_mysql_server_private_link_used.yaml
+++ b/compliance/controls/azure/azure_mysql_server_private_link_used.yaml
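Review bot: In the reason column the `TLS1_2` branch and the `else` branch build the identical text `' minimum TLS version set to ' || minimal_tls_version || '.'`, and when `minimal_tls_version` is null the concatenation makes the whole reason null, so an alarmed server carries no explanation. Collapsing the two branches and guarding the value, `else s.name || ' minimum TLS version set to ' || coalesce(minimal_tls_version, 'unknown') || '.'`, keeps the message informative in every case. The title and description speak of MySQL flexible servers while the query reads `azure_mysql_server`; I cannot tell from the hunk whether that table covers flexible servers, so a comment stating which server type is evaluated would help.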
@@ -1,39 +1,19 @@
ID: azure_mysql_server_private_link_used
Title: "Private endpoint should be enabled for MySQL servers"
Description: "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when sku_tier = 'Basic' then 'skip'
- when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then 'ok'
- else 'alarm'
- end as status,
- case
- when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.'
- when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then a.name || ' using private link.'
- else a.name || ' not using private link.'
- end as reason
-
- , a.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_mysql_server a,
- azure_subscription sub;
+ QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when sku_tier = 'Basic' then 'skip'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then a.name || ' using private link.'\n else a.name || ' not using private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mysql_server a,\n azure_subscription sub;\n"
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: high
Tags:
nist_sp_800_53_rev_5:
- - "true"
+ - "true"
service:
- - Azure/MySQL
+ - Azure/MySQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mysql_server_public_network_access_disabled.yaml b/compliance/controls/azure/azure_mysql_server_public_network_access_disabled.yaml
index 50b2272fe..dcc03d62c 100755
--- a/compliance/controls/azure/azure_mysql_server_public_network_access_disabled.yaml
+++ b/compliance/controls/azure/azure_mysql_server_public_network_access_disabled.yaml
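Review bot: The clause `from azure_mysql_server a, azure_subscription sub;` has no join condition, so every server is paired with every subscription in the scan and the `subscription` column is wrong (and rows are duplicated) as soon as more than one subscription is present; the sibling controls close with `where\n  sub.subscription_id = a.subscription_id;` and this query should too. The same unconstrained cross join is in azure_network_interface_ip_forwarding_disabled, whose `from azure_subscription as sub, vm_using_nic as v` never relates the two. This file is also where the move to a double-quoted `QueryToExecute` hurts most, since the jsonb literal now has to be written with `\"` escapes that are easy to break on the next edit.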
@@ -1,39 +1,19 @@
ID: azure_mysql_server_public_network_access_disabled
Title: "Public network access should be disabled for MySQL servers"
Description: "Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when public_network_access = 'Enabled' then 'alarm'
- else 'ok'
- end as status,
- case
- when public_network_access = 'Enabled' then name || ' public network access enabled.'
- else name || ' public network access disabled.'
- end as reason
-
- , s.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_mysql_server as s,
- azure_subscription as sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when public_network_access = 'Enabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when public_network_access = 'Enabled' then name || ' public network access enabled.'\n else name || ' public network access disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mysql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n"
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: high
Tags:
nist_sp_800_53_rev_5:
- - "true"
+ - "true"
service:
- - Azure/MySQL
+ - Azure/MySQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_mysql_ssl_enabled.yaml b/compliance/controls/azure/azure_mysql_ssl_enabled.yaml
index 2d7ed8f20..72ab0099d 100755
--- a/compliance/controls/azure/azure_mysql_ssl_enabled.yaml
+++ b/compliance/controls/azure/azure_mysql_ssl_enabled.yaml
@@ -1,53 +1,33 @@
ID: azure_mysql_ssl_enabled
Title: "Enforce SSL connection should be enabled for MySQL database servers"
Description: "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when ssl_enforcement = 'Disabled' then 'alarm'
- else 'ok'
- end as status,
- case
- when ssl_enforcement = 'Disabled' then s.name || ' SSL connection disabled.'
- else s.name || ' SSL connection enabled.'
- end as reason
-
- , s.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_mysql_server as s,
- azure_subscription as sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when ssl_enforcement = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when ssl_enforcement = 'Disabled' then s.name || ' SSL connection disabled.'\n else s.name || ' SSL connection enabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_mysql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n"
PrimaryTable: azure_mysql_server
ListOfTables:
- - azure_mysql_server
- - azure_subscription
+ - azure_mysql_server
+ - azure_subscription
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
cis:
- - "true"
+ - "true"
cis_item_id:
- - 4.3.2
+ - 4.3.2
cis_level:
- - "1"
+ - "1"
cis_section_id:
- - "4.3"
+ - "4.3"
cis_type:
- - automated
+ - automated
cis_version:
- - v1.3.0
+ - v1.3.0
plugin:
- - azure
+ - azure
service:
- - Azure/MySQL
+ - Azure/MySQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_bastion_host_min_1.yaml b/compliance/controls/azure/azure_network_bastion_host_min_1.yaml
index 4204accba..56381f280 100755
--- a/compliance/controls/azure/azure_network_bastion_host_min_1.yaml
+++ b/compliance/controls/azure/azure_network_bastion_host_min_1.yaml
@@ -1,8 +1,6 @@
ID: azure_network_bastion_host_min_1
Title: "Ensure an Azure Bastion Host exists"
Description: "The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. The Azure Bastion service provides this access using TLS over 443/TCP, and subscribes to hardened configurations within an organization's Azure Active Directory service."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |
@@ -40,26 +38,28 @@ Query:
left join bastion_hosts as i on i.subscription_id = sub.subscription_id;
PrimaryTable: azure_bastion_host
ListOfTables:
- - azure_bastion_host
- - azure_subscription
+ - azure_bastion_host
+ - azure_subscription
Parameters: []
Severity: medium
Tags:
category:
- - Compliance
+ - Compliance
cis:
- - "true"
+ - "true"
cis_item_id:
- - "7.1"
+ - "7.1"
cis_level:
- - "2"
+ - "2"
cis_section_id:
- - "7"
+ - "7"
cis_type:
- - automated
+ - automated
cis_version:
- - v2.0.0
+ - v2.0.0
plugin:
- - azure
+ - azure
service:
- - Azure/Compute
+ - Azure/Compute
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_ddos_enabled.yaml b/compliance/controls/azure/azure_network_ddos_enabled.yaml
index d909da837..8d3b51a39 100755
--- a/compliance/controls/azure/azure_network_ddos_enabled.yaml
+++ b/compliance/controls/azure/azure_network_ddos_enabled.yaml 
@@ -1,48 +1,20 @@
ID: azure_network_ddos_enabled
Title: "Azure DDoS Protection Standard should be enabled"
Description: "DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with application_gateway_subnet as (
- select
- distinct (split_part(c -> 'properties' -> 'subnet' ->> 'id', '/', 9)) as vn_name
- from
- azure_application_gateway as ag,
- jsonb_array_elements(gateway_ip_configurations) as c
- )
- select
- a.name as resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when b.vn_name is null then 'ok'
- when b.vn_name is not null and enable_ddos_protection::bool then 'ok'
- else 'alarm'
- end as status,
- case
- when b.vn_name is null then 'DDoS protection not required.'
- when b.vn_name is not null and enable_ddos_protection::bool then a.name || ' DDoS protection enabled.'
- else a.name || ' DDoS protection disabled.'
- end as reason
-
- , a.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_virtual_network as a
- left join application_gateway_subnet as b on a.name = b.vn_name
- join azure_subscription sub on sub.subscription_id = a.subscription_id;
+ QueryToExecute: "with application_gateway_subnet as (\n select\n distinct (split_part(c -> 'properties' -> 'subnet' ->> 'id', '/', 9)) as vn_name\n from\n azure_application_gateway as ag,\n jsonb_array_elements(gateway_ip_configurations) as c\n)\nselect\n a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.vn_name is null then 'ok'\n when b.vn_name is not null and enable_ddos_protection::bool then 'ok'\n else 'alarm'\n end as status,\n case\n when b.vn_name is null then 'DDoS protection not required.'\n when b.vn_name is not null and enable_ddos_protection::bool then a.name || ' DDoS protection enabled.'\n else a.name || ' DDoS protection disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_virtual_network as a\n left join application_gateway_subnet as b on a.name = b.vn_name\n join azure_subscription sub on sub.subscription_id = a.subscription_id;\n"
PrimaryTable: azure_virtual_network
ListOfTables:
- - azure_application_gateway
- - azure_subscription
- - azure_virtual_network
+ - azure_application_gateway
+ - azure_subscription
+ - azure_virtual_network
Parameters: []
Severity: high
Tags:
nist_sp_800_53_rev_5:
- - "true"
+ - "true"
service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_interface_ip_forwarding_disabled.yaml b/compliance/controls/azure/azure_network_interface_ip_forwarding_disabled.yaml
index 9fd72c24a..80a9c86dc 100755
--- a/compliance/controls/azure/azure_network_interface_ip_forwarding_disabled.yaml
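Review bot: `left join application_gateway_subnet as b on a.name = b.vn_name` matches virtual networks by bare name only, taken from `split_part(..., '/', 9)` of the subnet id, so two VNets that share a name across resource groups or subscriptions are both treated as gateway-attached and the one without a gateway can alarm spuriously, or mask a real finding. Comparing the VNet's full resource id with the leading part of the subnet id (the segments before `/subnets/`) would be unambiguous, provided the ids are in the standard ARM form that the fixed `split_part` index already assumes. Either way a comment above the CTE stating that the match is by name, not id, would tell the next reader what the limitation is.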
+++ b/compliance/controls/azure/azure_network_interface_ip_forwarding_disabled.yaml 
@@ -1,54 +1,20 @@
ID: azure_network_interface_ip_forwarding_disabled
Title: "IP Forwarding on your virtual machine should be disabled"
Description: "Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with vm_using_nic as (
- select
- id as vm_id,
- name as vm_name,
- resource_group,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- _ctx,
- region,
- subscription_id,
- b ->> 'id' as nic_id
- from
- azure_compute_virtual_machine as c,
- jsonb_array_elements(network_interfaces) as b
- )
- select
- v.vm_id as resource,
- v.og_account_id as og_account_id,
- v.og_resource_id as og_resource_id,
- case
- when i.enable_ip_forwarding then 'alarm'
- else 'ok'
- end as status,
- case
- when i.enable_ip_forwarding then v.vm_name || ' using ' || i.name || ' network interface enabled with IP forwarding.'
- else v.vm_name || ' using ' || i.name || ' network interface disabled with IP forwarding.'
- end as reason
-
- , v.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_subscription as sub,
- vm_using_nic as v
- left join azure_network_interface as i on i.id = v.nic_id;
+ QueryToExecute: "with vm_using_nic as (\n select\n id as vm_id,\n name as vm_name,\n resource_group,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n _ctx,\n region,\n subscription_id,\n b ->> 'id' as nic_id\n from\n azure_compute_virtual_machine as c,\n jsonb_array_elements(network_interfaces) as b\n)\nselect\n v.vm_id as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when i.enable_ip_forwarding then 'alarm'\n else 'ok'\n end as status,\n case\n when i.enable_ip_forwarding then v.vm_name || ' using ' || i.name || ' network interface enabled with IP forwarding.'\n else v.vm_name || ' using ' || i.name || ' network interface disabled with IP forwarding.'\n end as reason\n \n , v.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_subscription as sub,\n vm_using_nic as v\n left join azure_network_interface as i on i.id = v.nic_id;\n"
PrimaryTable: azure_compute_virtual_machine
ListOfTables:
- - azure_compute_virtual_machine
- - azure_network_interface
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_network_interface
+ - azure_subscription
Parameters: []
Severity: medium
Tags:
nist_sp_800_53_rev_5:
- - "true"
+ - "true"
service:
- - Azure/Compute
+ - Azure/Compute
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_lb_no_basic_sku.yaml b/compliance/controls/azure/azure_network_lb_no_basic_sku.yaml
index 77674ff55..120914c15 100755
--- a/compliance/controls/azure/azure_network_lb_no_basic_sku.yaml
+++ b/compliance/controls/azure/azure_network_lb_no_basic_sku.yaml
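Review bot: Because `azure_network_interface` is left-joined on `i.id = v.nic_id`, a VM whose NIC row is missing gets a null `i.enable_ip_forwarding`, which falls to `'ok'`, and its reason `v.vm_name || ' using ' || i.name || ...` concatenates to null, so the VM passes with no text explaining why. Handling the missing NIC explicitly, e.g. a first branch `when i.id is null then 'skip'` (or `'alarm'`, if an unresolved NIC should fail) with a matching reason such as `v.vm_name || ' network interface not found.'`, keeps the result auditable. The CTE also selects `_ctx`, `region` and `subscription_id`, none of which the outer query reads, so they could be dropped.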
@@ -1,39 +1,19 @@
ID: azure_network_lb_no_basic_sku
Title: "Network load balancers should use standard SKUs as a minimum"
Description: "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- l.id as resource,
- l.og_account_id as og_account_id,
- l.og_resource_id as og_resource_id,
- case
- when l.sku_name = 'Basic' then 'alarm'
- else 'ok'
- end as status,
- case
- when l.sku_name = 'Basic' then l.title || ' using basic SKU.'
- else l.title || ' using ' || sku_name || ' SKU.'
- end as reason
-
- , l.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_lb as l,
- azure_subscription as sub
- where
- sub.subscription_id = l.subscription_id;
+ QueryToExecute: "select\n l.id as resource,\n l.og_account_id as og_account_id,\n l.og_resource_id as og_resource_id,\n case\n when l.sku_name = 'Basic' then 'alarm'\n else 'ok'\n end as status,\n case\n when l.sku_name = 'Basic' then l.title || ' using basic SKU.'\n else l.title || ' using ' || sku_name || ' SKU.'\n end as reason\n \n , l.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_lb as l,\n azure_subscription as sub\nwhere\n sub.subscription_id = l.subscription_id;\n"
PrimaryTable: azure_lb
ListOfTables:
- - azure_lb
- - azure_subscription
+ - azure_lb
+ - azure_subscription
Parameters: []
Severity: medium
Tags:
cis:
- - "true"
+ - "true"
service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
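Review bot: The reason branch `l.title || ' using ' || sku_name || ' SKU.'` leaves `sku_name` unqualified while the status branch and the adjacent condition use `l.sku_name`; with azure_subscription in the same `from` list the reference stays unambiguous only as long as that table has no `sku_name` column, so `l.title || ' using ' || l.sku_name || ' SKU.'` should be used for consistency. azure_network_public_ip_no_basic_sku below has the same mixed qualification in `i.title || ' using ' || sku_name || ' SKU.'`.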
diff --git a/compliance/controls/azure/azure_network_network_peering_connected.yaml b/compliance/controls/azure/azure_network_network_peering_connected.yaml
index 0e0fc4f31..1e05ae10c 100755
--- a/compliance/controls/azure/azure_network_network_peering_connected.yaml
+++ b/compliance/controls/azure/azure_network_network_peering_connected.yaml
@@ -1,8 +1,6 @@
ID: azure_network_network_peering_connected
Title: "Virtual network network peering should be in connected state"
Description: "This control ensures whether virtual network network peering is in connetecd state. This contol is non-compliant if network peering is not in connected state."
-Connector:
-- azure
Query:
Engine: CloudQL-v0.0.1
QueryToExecute: |-
@@ -35,8 +33,10 @@ Query:
join azure_subscription sub on sub.subscription_id = n.subscription_id;
PrimaryTable: azure_virtual_network
ListOfTables:
- - azure_virtual_network
- - azure_subscription
+ - azure_virtual_network
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_public_ip_no_basic_sku.yaml b/compliance/controls/azure/azure_network_public_ip_no_basic_sku.yaml
index d3ac66ab3..d7f5c9c62 100755
--- a/compliance/controls/azure/azure_network_public_ip_no_basic_sku.yaml
+++ b/compliance/controls/azure/azure_network_public_ip_no_basic_sku.yaml
@@ -1,39 +1,19 @@ ID: azure_network_public_ip_no_basic_sku Title: "Network public IPs should use standard SKUs as a minimum" Description: "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - i.id as resource, - i.og_account_id as og_account_id, - i.og_resource_id as og_resource_id, - case - when i.sku_name = 'Basic' then 'alarm' - else 'ok' - end as status, - case - when i.sku_name = 'Basic' then i.title || ' using basic SKU.' - else i.title || ' using ' || sku_name || ' SKU.' - end as reason - - , i.resource_group as resource_group - , sub.display_name as subscription - from - azure_public_ip as i, - azure_subscription as sub - where - sub.subscription_id = i.subscription_id; + QueryToExecute: "select\n i.id as resource,\n i.og_account_id as og_account_id,\n i.og_resource_id as og_resource_id,\n case\n when i.sku_name = 'Basic' then 'alarm'\n else 'ok'\n end as status,\n case\n when i.sku_name = 'Basic' then i.title || ' using basic SKU.'\n else i.title || ' using ' || sku_name || ' SKU.'\n end as reason\n \n , i.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_public_ip as i,\n azure_subscription as sub\nwhere\n sub.subscription_id = i.subscription_id;\n" PrimaryTable: azure_public_ip ListOfTables: - - azure_public_ip - - azure_subscription + - azure_public_ip + - azure_subscription Parameters: [] Severity: low Tags: cis: - - "true" + - "true" service: - - Azure/Network + - Azure/Network +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_network_security_group_diagnostic_setting_deployed.yaml b/compliance/controls/azure/azure_network_security_group_diagnostic_setting_deployed.yaml
index 9e246e9c2..12f1e1cf7 100755
--- a/compliance/controls/azure/azure_network_security_group_diagnostic_setting_deployed.yaml
+++ b/compliance/controls/azure/azure_network_security_group_diagnostic_setting_deployed.yaml
@@ -1,52 +1,19 @@ ID: azure_network_security_group_diagnostic_setting_deployed Title: "Deploy Diagnostic Settings for Network Security Groups" Description: "This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with logging_details as ( - select - distinct name as nsg_name - from - azure_network_security_group, - jsonb_array_elements(diagnostic_settings) setting - where - diagnostic_settings is not null - and setting ->> 'name' = 'setbypolicy' - ) - select - a.resource_guid as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when a.diagnostic_settings is null then 'alarm' - when l.nsg_name is null then 'alarm' - else 'ok' - end as status, - case - when a.diagnostic_settings is null then a.name || ' logging not enabled.' - when l.nsg_name is null then a.name || ' logging not enabled.' - else a.name || ' logging enabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_network_security_group as a - left join logging_details as l on a.name = l.nsg_name, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with logging_details as (\n select\n distinct name as nsg_name\n from\n azure_network_security_group,\n jsonb_array_elements(diagnostic_settings) setting\n where\n diagnostic_settings is not null\n and setting ->> 'name' = 'setbypolicy'\n)\nselect\n a.resource_guid as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when a.diagnostic_settings is null then 'alarm'\n when l.nsg_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when a.diagnostic_settings is null then a.name || ' logging not enabled.'\n when l.nsg_name is null then a.name || ' logging not enabled.'\n else a.name || ' logging enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_security_group as a\n left join logging_details as l on a.name = l.nsg_name,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Network + - Azure/Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_network_security_group_https_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_https_access_restricted.yaml index 1d346e15f..fc7decc79 100755 --- a/compliance/controls/azure/azure_network_security_group_https_access_restricted.yaml +++ b/compliance/controls/azure/azure_network_security_group_https_access_restricted.yaml 
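Review bot: The `logging_details` CTE only recognises a diagnostic setting whose name is exactly `setbypolicy`, so an NSG whose diagnostics were configured by hand or by a differently named policy is reported as `logging not enabled`, which is a false alarm if the intent is "diagnostics exist" and a misleading message if the intent is "this policy deployed them". Either drop the `setting ->> 'name' = 'setbypolicy'` predicate or make the reason string say what is actually checked, e.g. `' has no diagnostic setting named setbypolicy.'`; I cannot tell from this file which was intended. Separately, both CASE expressions repeat two branches with identical results and read better as `when a.diagnostic_settings is null or l.nsg_name is null then 'alarm'` (and the matching reason branch). Both edits are harder to review now that the query is a single double-quoted scalar instead of the former `|` block.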
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_https_access_restricted
 Title: "Ensure that HTTP(S) access from the Internet is evaluated and restricted"
 Description: "Network security groups should be periodically evaluated for port misconfigurations. Where certain ports and protocols may be exposed to the Internet, they should be evaluated for necessity and restricted wherever they are not explicitly required and narrowly configured."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -59,7 +57,7 @@ Query:
 when nsg.sg_name is null then sg.title || ' restricts HTTPS access from internet.'
 else sg.title || ' allows HTTPS access from internet.'
 end as reason
-
+
 , sg.resource_group as resource_group
 , sub.display_name as subscription
 from
@@ -68,26 +66,28 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "6.4"
+ - "6.4"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "6"
+ - "6"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.5.0
+ - v1.5.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_not_configured_gateway_subnets.yaml b/compliance/controls/azure/azure_network_security_group_not_configured_gateway_subnets.yaml
index 8baabac27..27d3d1071 100755
--- a/compliance/controls/azure/azure_network_security_group_not_configured_gateway_subnets.yaml
+++ b/compliance/controls/azure/azure_network_security_group_not_configured_gateway_subnets.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_not_configured_gateway_subnets
 Title: "Gateway subnets should not be configured with a network security group"
 Description: "Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 join azure_subscription as sub on sub.subscription_id = subnet.subscription_id;
 PrimaryTable: azure_subnet
 ListOfTables:
- - azure_subnet
- - azure_subscription
+ - azure_subnet
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 hipaa_hitrust_v92:
- - "true"
+ - "true"
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_outbound_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_outbound_access_restricted.yaml
index 3b8ab3142..9c78cc6bd 100755
--- a/compliance/controls/azure/azure_network_security_group_outbound_access_restricted.yaml
+++ b/compliance/controls/azure/azure_network_security_group_outbound_access_restricted.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_outbound_access_restricted
 Title: "Network security groups should restrict outbound access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted outbound access."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
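Review bot: The Title of `azure_network_security_group_not_configured_gateway_subnets` says gateway subnets should not carry an NSG, but the Description recommends protecting subnets with an NSG, so a reader of the report cannot tell which state is `ok`; the query body that decides this lies outside the hunk, so I cannot confirm which direction it implements. Rewrite the Description to match the Title, e.g. `Description: "Gateway subnets should not have a network security group associated. The control is non-compliant if a gateway subnet has an NSG attached."`, after confirming that is what the query alarms on.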
@@ -46,8 +44,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_rdp_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_rdp_access_restricted.yaml
index 4f41ad6b0..dfbdaca96 100755
--- a/compliance/controls/azure/azure_network_security_group_rdp_access_restricted.yaml
+++ b/compliance/controls/azure/azure_network_security_group_rdp_access_restricted.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_rdp_access_restricted
 Title: "Windows machines should meet requirements for 'User Rights Assignment'"
 Description: "Windows machines should have the specified Group Policy settings in the category 'User Rights Assignment' for allowing log on locally, RDP, access from the network, and many other user activities. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -45,7 +43,7 @@ Query:
 then sg.title || ' restricts RDP access from internet.'
 else sg.title || ' allows RDP access from internet.'
 end as reason
-
+
 , sg.resource_group as resource_group
 , sub.display_name as subscription
 from
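Review bot: The Title and Description of `azure_network_security_group_rdp_access_restricted` describe a Guest Configuration check for the 'User Rights Assignment' Group Policy category, which has nothing to do with the control's ID or with the reason strings visible in the second hunk (`restricts RDP access from internet` / `allows RDP access from internet`), so findings from this control will be filed under the wrong heading in reports. Replace the header with text that matches the query, e.g. `Title: "Network security groups should restrict RDP access from internet"` and a Description stating that the control is non-compliant when an NSG allows inbound RDP from the internet. The query's CTE starts before this hunk, so I have not checked the port logic itself.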
@@ -54,26 +52,28 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "6.1"
+ - "6.1"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "6"
+ - "6"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_remote_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_remote_access_restricted.yaml
index 618f66f95..1d6cd3cd5 100755
--- a/compliance/controls/azure/azure_network_security_group_remote_access_restricted.yaml
+++ b/compliance/controls/azure/azure_network_security_group_remote_access_restricted.yaml
@@ -1,70 +1,21 @@ ID: azure_network_security_group_remote_access_restricted Title: "Management ports should be closed on your virtual machines" Description: "Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with network_sg as ( - select - distinct name sg_name - from - azure_network_security_group nsg, - jsonb_array_elements(security_rules) sg, - jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport, - jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip - where - sg -> 'properties' ->> 'access' = 'Allow' - and sg -> 'properties' ->> 'direction' = 'Inbound' - and (sg -> 'properties' ->> 'protocol' ilike 'TCP' or sg -> 'properties' ->> 'protocol' = '*') - and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0') - and ( - dport in ('22', '3389', '*') - or ( - dport like '%-%' - and ( - ( - split_part(dport, '-', 1) :: integer <= 3389 - and split_part(dport, '-', 2) :: integer >= 3389 - ) - or ( - split_part(dport, '-', 1) :: integer <= 22 - and split_part(dport, '-', 2) :: integer >= 22 - ) - ) - ) - ) - ) - select - sg.id resource, - sg.og_account_id as og_account_id, - sg.og_resource_id as og_resource_id, - case - when nsg.sg_name is null then 'ok' - else 'alarm' - end as status, - case - when nsg.sg_name is null then sg.title || ' restricts remote access from internet.' - else sg.title || ' allows remote access from internet.' 
- end as reason - - , sg.resource_group as resource_group - , sub.display_name as subscription - from - azure_network_security_group as sg - left join network_sg as nsg on nsg.sg_name = sg.name - join azure_subscription as sub on sub.subscription_id = sg.subscription_id; + QueryToExecute: "with network_sg as (\n select\n distinct name sg_name\n from\n azure_network_security_group nsg,\n jsonb_array_elements(security_rules) sg,\n jsonb_array_elements_text(sg -> 'properties' -> 'destinationPortRanges' || (sg -> 'properties' -> 'destinationPortRange') :: jsonb) dport,\n jsonb_array_elements_text(sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb) sip\n where\n sg -> 'properties' ->> 'access' = 'Allow'\n and sg -> 'properties' ->> 'direction' = 'Inbound'\n and (sg -> 'properties' ->> 'protocol' ilike 'TCP' or sg -> 'properties' ->> 'protocol' = '*')\n and sip in ('*', '0.0.0.0', '0.0.0.0/0', 'Internet', 'any', '/0', '/0')\n and (\n dport in ('22', '3389', '*')\n or (\n dport like '%-%'\n and (\n (\n split_part(dport, '-', 1) :: integer <= 3389\n and split_part(dport, '-', 2) :: integer >= 3389\n )\n or (\n split_part(dport, '-', 1) :: integer <= 22\n and split_part(dport, '-', 2) :: integer >= 22\n )\n )\n )\n )\n)\nselect\n sg.id resource,\n sg.og_account_id as og_account_id,\n sg.og_resource_id as og_resource_id,\n case\n when nsg.sg_name is null then 'ok'\n else 'alarm'\n end as status,\n case\n when nsg.sg_name is null then sg.title || ' restricts remote access from internet.'\n else sg.title || ' allows remote access from internet.'\n end as reason\n \n , sg.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_security_group as sg\n left join network_sg as nsg on nsg.sg_name = sg.name\n join azure_subscription as sub on sub.subscription_id = sg.subscription_id;\n" PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - 
azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 hipaa_hitrust_v92:
- - "true"
+ - "true"
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_icmp_port.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_icmp_port.yaml
index 51ad1d3eb..b5c0dd2d8 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_icmp_port.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_icmp_port.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_icmp_port
 Title: "Network security groups should restrict inbound ICMP port access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to ICMP port."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_135.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_135.yaml
index b18fa2811..c72036de3 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_135.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_135.yaml
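Review bot: In the `network_sg` CTE of `azure_network_security_group_remote_access_restricted`, `sg -> 'properties' -> 'sourceAddressPrefixes' || (sg -> 'properties' -> 'sourceAddressPrefix') :: jsonb` becomes SQL NULL whenever either key is absent from the rule, because jsonb `||` is strict; `jsonb_array_elements_text(NULL)` then yields no rows, the rule drops out of the CTE entirely, and the NSG is reported as `restricts remote access from internet`. The same applies to the `destinationPortRanges || destinationPortRange` pair. Wrap each operand, `coalesce(sg -> 'properties' -> 'sourceAddressPrefixes', '[]'::jsonb) || coalesce(sg -> 'properties' -> 'sourceAddressPrefix', '[]'::jsonb)` and likewise for the two port keys; whether the Azure export always emits both singular and plural keys I cannot confirm from this file, and the coalesce is safe either way. The `sip in (...)` list also lists `'/0'` twice.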
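Review bot: The last context line of the `QueryToExecute: |-` block in `azure_network_security_group_restrict_inbound_icmp_port` is a bare markdown fence (three backticks) rather than SQL. If it is indented inside the block scalar it is sent to the engine after the terminating `;` and the control errors instead of producing findings; if it sits at column 0 the backtick is a reserved YAML indicator and the file fails to parse — in both cases the control presumably raises no alarms and the gap goes unnoticed. Delete that line. The same stray fence closes the query in the TCP 1433, 20, 21, 23, 25, 3306, 4333, 53 and 5500 and the UDP 137 and 138 controls in this diff, while the 135, 445, 5432 and 5900 files end correctly on the `join azure_subscription sub on sub.subscription_id = sg.subscription_id;` line, which points to a markdown paste.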
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_135
 Title: "Network security groups should restrict inbound TCP port 135 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 135."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_1433.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_1433.yaml
index cfc73da42..4df756e41 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_1433.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_1433.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_1433
 Title: "Network security groups should restrict inbound TCP port 1433 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 1433."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_20.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_20.yaml
index e8d7681aa..9b1495187 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_20.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_20.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_20
 Title: "Network security groups should restrict inbound TCP port 20 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 20."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_21.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_21.yaml
index b5a07bfc7..784d0ab91 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_21.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_21.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_21
 Title: "Network security groups should restrict inbound TCP port 21 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 20."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_23.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_23.yaml
index 1d3b76641..f8f2c849e 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_23.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_23.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_23
 Title: "Network security groups should restrict inbound TCP port 23 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 23."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
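Review bot: The Description of `azure_network_security_group_restrict_inbound_tcp_port_21` ends with `unrestricted inbound access to TCP port 20.`, copied from the port-20 control, so the finding text contradicts the Title and the ID; change it to `... unrestricted inbound access to TCP port 21.` while this hunk already touches the header. The query body that should select port 21 lies outside the hunk and I have not verified it uses 21 rather than the same copied 20.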
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_25.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_25.yaml
index d434bd334..509b31c49 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_25.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_25.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_25
 Title: "Network security groups should restrict inbound TCP port 25 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 25."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_3306.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_3306.yaml
index 268393798..9a748819c 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_3306.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_3306.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_3306
 Title: "Network security groups should restrict inbound TCP port 3306 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 3306."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_4333.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_4333.yaml
index dd76dbea3..04e60171b 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_4333.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_4333.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_4333
 Title: "Network security groups should restrict inbound TCP port 4333 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 4333."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_445.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_445.yaml
index 296eb2b78..7b6f3af7c 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_445.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_445.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_445
 Title: "Network security groups should restrict inbound TCP port 445 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 445."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_53.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_53.yaml
index 0799f9334..5c4b50054 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_53.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_53.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_53
 Title: "Network security groups should restrict inbound TCP port 53 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 53."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5432.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5432.yaml
index db507b01a..2caa4f13e 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5432.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5432.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_5432
 Title: "Network security groups should restrict inbound TCP port 5432 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5432."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5500.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5500.yaml
index 1c9be8584..4e5d3e52d 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5500.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5500.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_5500
 Title: "Network security groups should restrict inbound TCP port 5500 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5500."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5900.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5900.yaml
index 53fe05b89..ed16d8d43 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5900.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_tcp_port_5900.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_tcp_port_5900
 Title: "Network security groups should restrict inbound TCP port 5900 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to TCP port 5900."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_137.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_137.yaml
index 7a5232b7f..c1258f92f 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_137.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_137.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_udp_port_137
 Title: "Network security groups should restrict inbound UDP port 137 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 137."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_138.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_138.yaml
index 03448fd2d..650ec6174 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_138.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_138.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_udp_port_138
 Title: "Network security groups should restrict inbound UDP port 137 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 137."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_1434.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_1434.yaml
index 1ae713d89..ea9c3762e 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_1434.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_1434.yaml
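Review bot: The Title and Description in the azure_network_security_group_restrict_inbound_udp_port_138 hunk still say "UDP port 137", so this control reports under the wrong port in any dashboard or finding that renders those fields, while the ID (and presumably the query below the hunk) target port 138. The commit touches the surrounding lines but leaves the copy-paste carry-over from the port 137 control in place. Change the two context lines to `Title: "Network security groups should restrict inbound UDP port 138 access from internet"` and `... unrestricted inbound access to UDP port 138."`. The QueryToExecute body sits outside this hunk, so its port literal should be checked in the same pass.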
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_udp_port_1434
 Title: "Network security groups should restrict inbound UDP port 1434 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 1434."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_445.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_445.yaml
index fd458f97c..0a3601ff7 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_445.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_445.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_udp_port_445
 Title: "Network security groups should restrict inbound UDP port 445 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 445."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -56,8 +54,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_53.yaml b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_53.yaml
index b97943d58..f2ca9bd17 100755
--- a/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_53.yaml
+++ b/compliance/controls/azure/azure_network_security_group_restrict_inbound_udp_port_53.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_restrict_inbound_udp_port_53
 Title: "Network security groups should restrict inbound UDP port 53 access from internet"
 Description: "Network security group provide stateful filtering of inbound/outbound network traffic to Azure resources. It is recommended that no network security group allows unrestricted inbound access to UDP port 53."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -58,8 +56,10 @@ Query:
 ```
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_ssh_access_restricted.yaml b/compliance/controls/azure/azure_network_security_group_ssh_access_restricted.yaml
index 84b88894e..56b041eac 100755
--- a/compliance/controls/azure/azure_network_security_group_ssh_access_restricted.yaml
+++ b/compliance/controls/azure/azure_network_security_group_ssh_access_restricted.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_ssh_access_restricted
 Title: "Ensure that SSH access is restricted from the internet"
 Description: "Disable SSH access on network security groups from the Internet."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -45,7 +43,7 @@ Query:
 then sg.title || ' restricts SSH access from internet.'
 else sg.title || ' allows SSH access from internet.'
 end as reason
-
+
 , sg.resource_group as resource_group
 , sub.display_name as subscription
 from
@@ -54,26 +52,28 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "6.2"
+ - "6.2"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "6"
+ - "6"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_subnet_associated.yaml b/compliance/controls/azure/azure_network_security_group_subnet_associated.yaml
index 82d3e3f7f..544c86de2 100755
--- a/compliance/controls/azure/azure_network_security_group_subnet_associated.yaml
+++ b/compliance/controls/azure/azure_network_security_group_subnet_associated.yaml
@@ -1,40 +1,21 @@
 ID: azure_network_security_group_subnet_associated
 Title: "Subnets should be associated with a Network Security Group"
 Description: "This policy denies if a gateway subnet is configured with a network security group. Assigning a network security group to a gateway subnet will cause the gateway to stop functioning."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sg.id resource,
- sg.og_account_id as og_account_id,
- sg.og_resource_id as og_resource_id,
- case
- when subnets is null then 'alarm'
- else 'ok'
- end as status,
- case
- when subnets is null then name || ' not associated with subnet.'
- else name || ' associated with ' || split_part(rtrim((subnet -> 'id') :: text, '"'), '/subnets/',2) || '.'
- end as reason
-
- , sg.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_network_security_group as sg
- join azure_subscription as sub on sub.subscription_id = sg.subscription_id
- left join jsonb_array_elements(subnets) as subnet on true;
+ QueryToExecute: "select\n sg.id resource,\n sg.og_account_id as og_account_id,\n sg.og_resource_id as og_resource_id,\n case\n when subnets is null then 'alarm'\n else 'ok'\n end as status,\n case\n when subnets is null then name || ' not associated with subnet.'\n else name || ' associated with ' || split_part(rtrim((subnet -> 'id') :: text, '\"'), '/subnets/',2) || '.'\n end as reason\n \n , sg.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_security_group as sg\n join azure_subscription as sub on sub.subscription_id = sg.subscription_id\n left join jsonb_array_elements(subnets) as subnet on true;\n"
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 hipaa_hitrust_v92:
- - "true"
+ - "true"
 nist_sp_800_53_rev_5:
- - "true"
+ - "true"
 service:
- -
Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_security_group_udp_service_restricted.yaml b/compliance/controls/azure/azure_network_security_group_udp_service_restricted.yaml
index ed8cbbd7c..9d4713433 100755
--- a/compliance/controls/azure/azure_network_security_group_udp_service_restricted.yaml
+++ b/compliance/controls/azure/azure_network_security_group_udp_service_restricted.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_security_group_udp_service_restricted
 Title: "Ensure that UDP Services are restricted from the Internet"
 Description: "Disable Internet exposed UDP ports on network security groups."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -50,7 +48,7 @@ Query:
 then sg.title || ' restricts UDP services from internet.'
 else sg.title || ' allows UDP services from internet.'
 end as reason
-
+
 , sg.resource_group as resource_group
 , sub.display_name as subscription
 from
@@ -59,26 +57,28 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "6.6"
+ - "6.6"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "6"
+ - "6"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_sg_flowlog_enabled.yaml b/compliance/controls/azure/azure_network_sg_flowlog_enabled.yaml
index 3cf677b47..305ed9bd7 100755
--- a/compliance/controls/azure/azure_network_sg_flowlog_enabled.yaml
+++ b/compliance/controls/azure/azure_network_sg_flowlog_enabled.yaml
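Review bot: In the azure_network_security_group_subnet_associated hunk the `QueryToExecute: |` block scalar is replaced by a single double-quoted string full of `\n` and `\"` escapes, which makes the SQL impossible to read or diff line by line and is the opposite of what the neighbouring files in this commit do; the same regression appears in the hunks for azure_network_sg_flowlog_retention_period_greater_than_90, azure_network_virtual_network_gateway_no_basic_sku, azure_network_watcher_enabled, azure_network_watcher_in_regions_with_virtual_network, azure_postgres_db_server_allow_access_to_azure_services_disabled and azure_postgres_db_server_connection_throttling_on. Keeping `QueryToExecute: |` with the SQL as indented lines is the right form; if the tool that regenerated these files cannot emit block scalars, that is presumably what needs fixing rather than committing the escaped form. The escaped string also preserves a line consisting of one space (`\n \n` after `end as reason`), while the adjacent hunks strip exactly that trailing whitespace, so the two groups of files now disagree on a cosmetic point a later normaliser will churn again. Separately, the Description context line ("This policy denies if a gateway subnet is configured with a network security group…") describes the opposite check from the Title and from the query, which alarms when `subnets is null`; a one-line rewrite such as `Description: "Audit network security groups that are not associated with any subnet."` would match what the control actually evaluates.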
@@ -1,8 +1,6 @@
 ID: azure_network_sg_flowlog_enabled
 Title: "Flow logs should be configured for every network security group"
 Description: "Audit for network security groups to verify if flow logs are configured. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_sg_flowlog_retention_period_greater_than_90.yaml b/compliance/controls/azure/azure_network_sg_flowlog_retention_period_greater_than_90.yaml
index ed8febc42..2ad110b5f 100755
--- a/compliance/controls/azure/azure_network_sg_flowlog_retention_period_greater_than_90.yaml
+++ b/compliance/controls/azure/azure_network_sg_flowlog_retention_period_greater_than_90.yaml
@@ -1,56 +1,34 @@
 ID: azure_network_sg_flowlog_retention_period_greater_than_90
 Title: "Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'"
 Description: "Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sg.id resource,
- sg.og_account_id as og_account_id,
- sg.og_resource_id as og_resource_id,
- case
- when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'
- else 'ok'
- end as status,
- case
- when fl.id is null or not fl.enabled
- then sg.name || ' flowlog not enabled.'
- when fl.retention_policy_days < 90
- then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'
- else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'
- end as reason
-
- , sg.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_network_security_group sg
- left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id
- join azure_subscription sub on sub.subscription_id = sg.subscription_id;
+ QueryToExecute: "select\n sg.id resource,\n sg.og_account_id as og_account_id,\n sg.og_resource_id as og_resource_id,\n case\n when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'\n else 'ok'\n end as status,\n case\n when fl.id is null or not fl.enabled\n then sg.name || ' flowlog not enabled.'\n when fl.retention_policy_days < 90\n then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'\n else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'\n end as reason\n \n , sg.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_network_security_group sg\n left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id\n
join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n"
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_network_watcher_flow_log
- - azure_subscription
+ - azure_network_security_group
+ - azure_network_watcher_flow_log
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "6.4"
+ - "6.4"
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "6"
+ - "6"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_subnet_protected_by_firewall.yaml b/compliance/controls/azure/azure_network_subnet_protected_by_firewall.yaml
index 4c0de4caa..95b625e7f 100755
--- a/compliance/controls/azure/azure_network_subnet_protected_by_firewall.yaml
+++ b/compliance/controls/azure/azure_network_subnet_protected_by_firewall.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_subnet_protected_by_firewall
 Title: "All Internet traffic should be routed via your deployed Azure Firewall"
 Description: "Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -21,4 +19,6 @@ Query:
 Severity: low
 Tags:
 manual-verification:
- - "true"
+ - "true"
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_virtual_network_gateway_no_basic_sku.yaml b/compliance/controls/azure/azure_network_virtual_network_gateway_no_basic_sku.yaml
index 7d4e840fc..42c8dcea2 100755
--- a/compliance/controls/azure/azure_network_virtual_network_gateway_no_basic_sku.yaml
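Review bot: The rewritten QueryToExecute in the azure_network_sg_flowlog_retention_period_greater_than_90 hunk fails open when a flow log exists and is enabled but `fl.retention_policy_days` is null: `null < 90` is null, so the status `case` falls through to `'ok'` and the reason branch reports "retention period is  days". If that column can be null for a flow log whose retention policy is disabled or unset (worth confirming against the provider schema), both comparisons should read `coalesce(fl.retention_policy_days, 0) < 90` so the absent policy is treated as non-retaining. The Title also says retention must be "greater than 90 days" while the Description says "greater than or equal to 90 days" and the query passes exactly 90; aligning the Title with the query, e.g. `Title: "Ensure that Network Security Group Flow Log retention period is at least 90 days"`, removes the ambiguity for anyone mapping this to CIS 6.4.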
+++ b/compliance/controls/azure/azure_network_virtual_network_gateway_no_basic_sku.yaml 
@@ -1,39 +1,19 @@
 ID: azure_network_virtual_network_gateway_no_basic_sku
 Title: "Virtual network gateways should use standard SKUs as a minimum"
 Description: "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- g.id as resource,
- g.og_account_id as og_account_id,
- g.og_resource_id as og_resource_id,
- case
- when g.sku_name = 'Basic' then 'alarm'
- else 'ok'
- end as status,
- case
- when g.sku_name = 'Basic' then g.title || ' using basic SKU.'
- else g.title || ' using ' || sku_name || ' SKU.'
- end as reason
-
- , g.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_virtual_network_gateway as g,
- azure_subscription as sub
- where
- sub.subscription_id = g.subscription_id;
+ QueryToExecute: "select\n g.id as resource,\n g.og_account_id as og_account_id,\n g.og_resource_id as og_resource_id,\n case\n when g.sku_name = 'Basic' then 'alarm'\n else 'ok'\n end as status,\n case\n when g.sku_name = 'Basic' then g.title || ' using basic SKU.'\n else g.title || ' using ' || sku_name || ' SKU.'\n end as reason\n \n , g.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_virtual_network_gateway as g,\n azure_subscription as sub\nwhere\n sub.subscription_id = g.subscription_id;\n"
 PrimaryTable: azure_virtual_network_gateway
 ListOfTables:
- - azure_subscription
- - azure_virtual_network_gateway
+ - azure_subscription
+ - azure_virtual_network_gateway
 Parameters: []
 Severity: medium
 Tags:
 cis:
- - "true"
+ - "true"
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_watcher_enabled.yaml b/compliance/controls/azure/azure_network_watcher_enabled.yaml
index a882c351c..c1f6e2be6 100755
--- a/compliance/controls/azure/azure_network_watcher_enabled.yaml
+++ b/compliance/controls/azure/azure_network_watcher_enabled.yaml
@@ -1,54 +1,34 @@
 ID: azure_network_watcher_enabled
 Title: "Network Watcher should be enabled"
 Description: "Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. It is required to have a network watcher resource group to be created in every region where a virtual network is present. An alert is enabled if a network watcher resource group is not available in a particular region."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- loc.id resource,
- loc.og_account_id as og_account_id,
- loc.og_resource_id as og_resource_id,
- case
- when watcher.id is null then 'alarm'
- else 'ok'
- end as status,
- case
- when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.'
- else 'Network watcher enabled in ' || loc.name || '.'
- end as reason,
- loc.name
-
-
- , sub.display_name as subscription
- from
- azure_location loc
- left join azure_network_watcher watcher on watcher.region = loc.name
- join azure_subscription sub on sub.subscription_id = loc.subscription_id;
+ QueryToExecute: "select\n loc.id resource,\n loc.og_account_id as og_account_id,\n loc.og_resource_id as og_resource_id,\n case\n when watcher.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.'\n else 'Network watcher enabled in ' || loc.name || '.'\n end as reason,\n loc.name\n \n \n , sub.display_name as subscription\nfrom\n azure_location loc\n left join azure_network_watcher watcher on watcher.region = loc.name\n join azure_subscription sub on sub.subscription_id = loc.subscription_id;\n"
 PrimaryTable: azure_location
 ListOfTables:
- - azure_location
- - azure_network_watcher
- - azure_subscription
+ - azure_location
+ - azure_network_watcher
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "6.5"
+ - "6.5"
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "6"
+ - "6"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_watcher_flow_log_enabled.yaml b/compliance/controls/azure/azure_network_watcher_flow_log_enabled.yaml
index 2dbdefcde..65eb216f1 100755
--- a/compliance/controls/azure/azure_network_watcher_flow_log_enabled.yaml
+++ b/compliance/controls/azure/azure_network_watcher_flow_log_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_watcher_flow_log_enabled
 Title: "All flow log resources should be in enabled state"
 Description: "Audit for flow log resources to verify if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_watcher_flow_log
 ListOfTables:
- - azure_network_watcher_flow_log
- - azure_subscription
+ - azure_network_watcher_flow_log
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_watcher_flow_log_traffic_analytics_enabled.yaml b/compliance/controls/azure/azure_network_watcher_flow_log_traffic_analytics_enabled.yaml
index d99adf4cb..02ad1d81f 100755
--- a/compliance/controls/azure/azure_network_watcher_flow_log_traffic_analytics_enabled.yaml
+++ b/compliance/controls/azure/azure_network_watcher_flow_log_traffic_analytics_enabled.yaml
@@ -1,8 +1,6 @@
 ID: azure_network_watcher_flow_log_traffic_analytics_enabled
 Title: "Network Watcher flow logs should have traffic analytics enabled"
 Description: "Traffic analytics analyzes flow logs to provide insights into traffic flow in your Azure cloud. It can be used to visualize network activity across your Azure subscriptions and identify hot spots, identify security threats, understand traffic flow patterns, pinpoint network misconfigurations and more."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -23,8 +21,10 @@ Query:
 join azure_subscription sub on sub.subscription_id = sg.subscription_id;
 PrimaryTable: azure_network_watcher_flow_log
 ListOfTables:
- - azure_network_watcher_flow_log
- - azure_subscription
+ - azure_network_watcher_flow_log
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_network_watcher_in_regions_with_virtual_network.yaml b/compliance/controls/azure/azure_network_watcher_in_regions_with_virtual_network.yaml
index 8418913b0..fc90165a4 100755
--- a/compliance/controls/azure/azure_network_watcher_in_regions_with_virtual_network.yaml
+++ b/compliance/controls/azure/azure_network_watcher_in_regions_with_virtual_network.yaml
@@ -1,41 +1,20 @@
 ID: azure_network_watcher_in_regions_with_virtual_network
 Title: "Deploy network watcher when virtual networks are created"
 Description: "This policy creates a network watcher resource in regions with virtual networks. You need to ensure existence of a resource group named networkWatcherRG, which will be used to deploy network watcher instances."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id resource,
- a.og_account_id as og_account_id,
- a.og_resource_id as og_resource_id,
- case
- when b.region is null then 'alarm'
- when lower(b.resource_group) = 'networkwatcherrg' then 'ok'
- else 'alarm'
- end as status,
- case
- when b.region is null then 'Network watcher does not exist in region' || a.region || '.'
- when lower(b.resource_group) = 'networkwatcherrg' then b.name || ' exist in networkWatcherRG resource group.'
- else b.name || ' does not exist in networkWatcherRG resource group.'
- end as reason
-
- , a.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_virtual_network as a
- left join azure_network_watcher as b on a.region = b.region
- join azure_subscription sub on sub.subscription_id = a.subscription_id;
+ QueryToExecute: "select\n a.id resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when b.region is null then 'alarm'\n when lower(b.resource_group) = 'networkwatcherrg' then 'ok'\n else 'alarm'\n end as status,\n case\n when b.region is null then 'Network watcher does not exist in region' || a.region || '.'\n when lower(b.resource_group) = 'networkwatcherrg' then b.name || ' exist in networkWatcherRG resource group.'\n else b.name || ' does not exist in networkWatcherRG resource group.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_virtual_network as a\n left join azure_network_watcher as b on a.region = b.region\n join azure_subscription sub on
sub.subscription_id = a.subscription_id;\n"
 PrimaryTable: azure_virtual_network
 ListOfTables:
- - azure_network_watcher
- - azure_subscription
- - azure_virtual_network
+ - azure_network_watcher
+ - azure_subscription
+ - azure_virtual_network
 Parameters: []
 Severity: medium
 Tags:
 hipaa_hitrust_v92:
- - "true"
+ - "true"
 service:
- - Azure/Network
+ - Azure/Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_postgres_db_server_allow_access_to_azure_services_disabled.yaml b/compliance/controls/azure/azure_postgres_db_server_allow_access_to_azure_services_disabled.yaml
index 452ee5964..52872adde 100755
--- a/compliance/controls/azure/azure_postgres_db_server_allow_access_to_azure_services_disabled.yaml
+++ b/compliance/controls/azure/azure_postgres_db_server_allow_access_to_azure_services_disabled.yaml
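Review bot: The re-added QueryToExecute string in the azure_network_watcher_in_regions_with_virtual_network hunk carries over a missing space in the alarm reason: `'Network watcher does not exist in region' || a.region || '.'` renders as "…in regioneastus.", which makes the finding text harder to read and to match in downstream alerting. Since the commit rewrites this line anyway, it is the right moment to change it to `'Network watcher does not exist in region ' || a.region || '.'` (one added space inside the literal). The other two reason branches already have correct spacing.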
@@ -1,65 +1,34 @@
 ID: azure_postgres_db_server_allow_access_to_azure_services_disabled
 Title: "Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled"
 Description: "Disable access from Azure services to PostgreSQL Database Server."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with postgres_db_with_allow_access_to_azure_services as (
- select
- id
- from
- azure_postgresql_server,
- jsonb_array_elements(firewall_rules) as r
- where
- r -> 'properties' ->> 'endIpAddress' = '255.255.255.255'
- and r -> 'properties' ->> 'startIpAddress' = '0.0.0.0'
- )
- select
- s.id as resource,
- s.og_account_id as og_account_id,
- s.og_resource_id as og_resource_id,
- case
- when a.id is not null then 'alarm'
- else 'ok'
- end as status,
- case
- when a.id is not null then s.title || ' does not restrict access to azure services.'
- else s.title || ' restricts access to azure services.'
- end as reason
-
- , s.resource_group as resource_group
- , sub.display_name as subscription
- from
- azure_postgresql_server as s
- left join postgres_db_with_allow_access_to_azure_services as a on a.id = s.id,
- azure_subscription as sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "with postgres_db_with_allow_access_to_azure_services as (\n select\n id\n from\n azure_postgresql_server,\n jsonb_array_elements(firewall_rules) as r\n where\n r -> 'properties' ->> 'endIpAddress' = '255.255.255.255'\n and r -> 'properties' ->> 'startIpAddress' = '0.0.0.0'\n)\nselect\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when a.id is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when a.id is not null then s.title || ' does not restrict access to azure services.'\n else s.title || ' restricts access to azure services.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server as s\n left join
postgres_db_with_allow_access_to_azure_services as a on a.id = s.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: azure_postgresql_server
 ListOfTables:
- - azure_postgresql_server
- - azure_services
- - azure_subscription
+ - azure_postgresql_server
+ - azure_services
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - 4.3.7
+ - 4.3.7
 cis_level:
- - "1"
+ - "1"
 cis_section_id:
- - "4.3"
+ - "4.3"
 cis_type:
- - automated
+ - automated
 cis_version:
- - v2.0.0
+ - v2.0.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/PostgreSQL
+ - Azure/PostgreSQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_postgres_db_server_connection_throttling_on.yaml b/compliance/controls/azure/azure_postgres_db_server_connection_throttling_on.yaml
index 9f40f7df7..cd6a145de 100755
--- a/compliance/controls/azure/azure_postgres_db_server_connection_throttling_on.yaml
+++ b/compliance/controls/azure/azure_postgres_db_server_connection_throttling_on.yaml
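Review bot: The re-indented ListOfTables in the azure_postgres_db_server_allow_access_to_azure_services_disabled hunk still lists `azure_services`, which the query never references (it reads only `azure_postgresql_server` and `azure_subscription`); it looks like a tokeniser matched the words "azure services" in the reason text, and a scheduler that resolves ListOfTables against real tables will either fail this control or silently skip it. Dropping that entry, leaving `- azure_postgresql_server` and `- azure_subscription`, is the fix; the CTE name in the SQL is not a table. Separately, the CTE flags a firewall rule spanning `0.0.0.0`–`255.255.255.255`, i.e. "allow every IPv4 address", whereas the Azure "Allow access to Azure services" toggle is, as far as I know, represented as a rule whose start and end address are both `0.0.0.0`; if that holds for the data this engine ingests, the current predicate misses the very setting the Title describes (while catching a different, also serious, misconfiguration), so the endIpAddress literal is worth confirming against a server with the toggle enabled.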
@@ -1,55 +1,33 @@ ID: azure_postgres_db_server_connection_throttling_on Title: "Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server" Description: "Enable connection_throttling on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.' - else s.name || ' server parameter connection_throttling on.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'connection_throttling' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.'\n else s.name || ' server parameter connection_throttling on.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'connection_throttling'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: medium Tags: 
category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.3.6 + - 4.3.6 cis_level: - - "1" + - "1" cis_section_id: - - "4.3" + - "4.3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgres_db_server_geo_redundant_backup_enabled.yaml b/compliance/controls/azure/azure_postgres_db_server_geo_redundant_backup_enabled.yaml index f39633089..4589d6c60 100755 --- a/compliance/controls/azure/azure_postgres_db_server_geo_redundant_backup_enabled.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_geo_redundant_backup_enabled.yaml 
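Review bot: In the rewritten `QueryToExecute`, the status test `lower(config -> 'ConfigurationProperties' ->> 'value') != 'on'` evaluates to null when the parameter has no value, and the `case` then falls through to `'ok'`, so a server whose `connection_throttling` value is absent is reported compliant; a server with no `connection_throttling` entry in `server_configurations` at all drops out of the result set entirely because the `config ->> 'Name'` filter sits on an inner join. The same shape is in the log_checkpoints_on, log_connections_on and log_disconnections_on hunks below. `when lower(config -> 'ConfigurationProperties' ->> 'value') is distinct from 'on' then 'alarm'` turns the missing-value case into an alarm; the missing-row case needs a left join and is worth a follow-up.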
@@ -1,41 +1,21 @@ ID: azure_postgres_db_server_geo_redundant_backup_enabled Title: "Geo-redundant backup should be enabled for Azure Database for PostgreSQL" Description: "Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when geo_redundant_backup = 'Enabled' then 'ok' - else 'alarm' - end as status, - case - when geo_redundant_backup = 'Enabled' then name || ' Geo-redundant backup enabled.' - else name || ' Geo-redundant backup disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when geo_redundant_backup = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when geo_redundant_backup = 'Enabled' then name || ' Geo-redundant backup enabled.'\n else name || ' Geo-redundant backup disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - 
"true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgres_db_server_latest_tls_version.yaml b/compliance/controls/azure/azure_postgres_db_server_latest_tls_version.yaml index bb886d1e8..809fc9b9b 100755 --- a/compliance/controls/azure/azure_postgres_db_server_latest_tls_version.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_latest_tls_version.yaml @@ -1,8 +1,6 @@ ID: azure_postgres_db_server_latest_tls_version Title: "PostgreSQL servers should have the latest TLS version" Description: "This control checks if the PostgreSQL server is upgraded to the latest TLS version." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgres_db_server_log_checkpoints_on.yaml b/compliance/controls/azure/azure_postgres_db_server_log_checkpoints_on.yaml index 7d9ab8aab..1e24a4712 100755 --- a/compliance/controls/azure/azure_postgres_db_server_log_checkpoints_on.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_log_checkpoints_on.yaml 
@@ -1,55 +1,33 @@ ID: azure_postgres_db_server_log_checkpoints_on Title: "Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_checkpoints on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.' - else s.name || ' server parameter log_checkpoints on.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_checkpoints' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.'\n else s.name || ' server parameter log_checkpoints on.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_checkpoints'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - 
"true" cis_item_id: - - 4.3.3 + - 4.3.3 cis_level: - - "1" + - "1" cis_section_id: - - "4.3" + - "4.3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgres_db_server_log_connections_on.yaml b/compliance/controls/azure/azure_postgres_db_server_log_connections_on.yaml index f16d26245..8e6b4f1ec 100755 --- a/compliance/controls/azure/azure_postgres_db_server_log_connections_on.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_log_connections_on.yaml 
@@ -1,55 +1,33 @@ ID: azure_postgres_db_server_log_connections_on Title: "Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_connections on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.' - else s.name || ' server parameter log_connections on.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_connections' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.'\n else s.name || ' server parameter log_connections on.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_connections'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - 
"true" cis_item_id: - - 4.3.4 + - 4.3.4 cis_level: - - "1" + - "1" cis_section_id: - - "4.3" + - "4.3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgres_db_server_log_disconnections_on.yaml b/compliance/controls/azure/azure_postgres_db_server_log_disconnections_on.yaml index e5d8ce853..36d872667 100755 --- a/compliance/controls/azure/azure_postgres_db_server_log_disconnections_on.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_log_disconnections_on.yaml 
@@ -1,55 +1,33 @@ ID: azure_postgres_db_server_log_disconnections_on Title: "Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_disconnections on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.' - else name || ' server parameter log_disconnections on.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_disconnections' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.'\n else name || ' server parameter log_disconnections on.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_disconnections'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance 
cis: - - "true" + - "true" cis_item_id: - - 4.3.5 + - 4.3.5 cis_level: - - "1" + - "1" cis_section_id: - - "4.3" + - "4.3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgres_db_server_log_retention_days_3.yaml b/compliance/controls/azure/azure_postgres_db_server_log_retention_days_3.yaml index 9a3cabfaf..53ea78828 100755 --- a/compliance/controls/azure/azure_postgres_db_server_log_retention_days_3.yaml +++ b/compliance/controls/azure/azure_postgres_db_server_log_retention_days_3.yaml 
@@ -1,55 +1,33 @@ ID: azure_postgres_db_server_log_retention_days_3 Title: "Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server" Description: "Enable log_retention_days on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm' - else 'ok' - end as status, - case - when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.' - else s.name || ' log files are retained for more than 3 days.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) as config, - azure_subscription sub - where - config ->> 'Name' = 'log_retention_days' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'\n else 'ok'\n end as status,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.'\n else s.name || ' log files are retained for more than 3 days.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) as config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_retention_days'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: medium Tags: 
category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.3.7 + - 4.3.7 cis_level: - - "1" + - "1" cis_section_id: - - "4.3" + - "4.3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgres_server_private_link_used.yaml b/compliance/controls/azure/azure_postgres_server_private_link_used.yaml index de33edeff..688288294 100755 --- a/compliance/controls/azure/azure_postgres_server_private_link_used.yaml +++ b/compliance/controls/azure/azure_postgres_server_private_link_used.yaml 
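Review bot: The `::integer` cast in the rewritten `QueryToExecute` aborts the whole query if any server's `log_retention_days` value is empty or non-numeric, and a null value compares as null and falls through to `'ok'`, so an unset retention is reported as compliant. `when coalesce(nullif(config -> 'ConfigurationProperties' ->> 'value', ''), '0')::integer <= 3 then 'alarm'` treats a missing or empty value as an alarm; a non-numeric value would still abort the query, and whether the collector can store one should be confirmed.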
@@ -1,40 +1,19 @@ ID: azure_postgres_server_private_link_used Title: "Private endpoint should be enabled for PostgreSQL servers" Description: "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - -- Only applicable to standard tier - when sku_tier = 'Basic' then 'skip' - when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then 'ok' - else 'alarm' - end as status, - case - when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.' - when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then a.name || ' using private link.' - else a.name || ' not using private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n -- Only applicable to standard tier\n when sku_tier = 'Basic' then 'skip'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then a.name || ' using private link.'\n else a.name || ' not using private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server a,\n azure_subscription sub;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgres_sql_server_encrypted_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_postgres_sql_server_encrypted_at_rest_using_cmk.yaml index 812cd0110..d33a32b35 100755 --- a/compliance/controls/azure/azure_postgres_sql_server_encrypted_at_rest_using_cmk.yaml +++ b/compliance/controls/azure/azure_postgres_sql_server_encrypted_at_rest_using_cmk.yaml 
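Review bot: The rewritten `QueryToExecute` ends with `from azure_postgresql_server a, azure_subscription sub;` with no join predicate, so every server is cross-joined with every collected subscription and, whenever more than one subscription is present, each server is emitted once per subscription with the wrong `display_name` on the extra rows. Every sibling PostgreSQL control in this change filters with `where sub.subscription_id = s.subscription_id`; adding `where sub.subscription_id = a.subscription_id` here restores one row per server. The quoted form also embeds a SQL line comment, `-- Only applicable to standard tier`, that is terminated only by a decoded `\n`; a consumer that collapses whitespace before executing would comment out the rest of the statement, which is one more reason to keep the block-scalar form.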
@@ -1,51 +1,20 @@ ID: azure_postgres_sql_server_encrypted_at_rest_using_cmk Title: "PostgreSQL servers should use customer-managed keys to encrypt data at rest" Description: "Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with pgql_server_encrypted as ( - select - distinct i.id as id - from - azure_mysql_server as i, - jsonb_array_elements(server_keys) a - where - a ->> 'serverKeyType' = 'AzureKeyVault' - and a ->> 'uri' is not null - ) - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when a.id is not null then 'ok' - else 'alarm' - end as status, - case - when a.id is not null then s.title || ' encrypted with CMK.' - else s.title || ' not encrypted with CMK.' 
- end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server as s - left join pgql_server_encrypted as a on s.id = a.id, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "with pgql_server_encrypted as (\n select\n distinct i.id as id\n from\n azure_mysql_server as i,\n jsonb_array_elements(server_keys) a\n where\n a ->> 'serverKeyType' = 'AzureKeyVault'\n and a ->> 'uri' is not null\n)\nselect\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when a.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when a.id is not null then s.title || ' encrypted with CMK.'\n else s.title || ' not encrypted with CMK.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server as s\n left join pgql_server_encrypted as a on s.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_mysql_server - - azure_postgresql_server - - azure_subscription + - azure_mysql_server + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgres_sql_ssl_enabled.yaml b/compliance/controls/azure/azure_postgres_sql_ssl_enabled.yaml index 555e384a9..fa5189837 100755 --- a/compliance/controls/azure/azure_postgres_sql_ssl_enabled.yaml +++ b/compliance/controls/azure/azure_postgres_sql_ssl_enabled.yaml 
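Review bot: The CTE in the rewritten `QueryToExecute` reads `server_keys` from `azure_mysql_server`, but the outer query joins it to `azure_postgresql_server` on `s.id = a.id`; the two ids belong to different Azure resource types, so the join can never match and every PostgreSQL server is reported as `not encrypted with CMK` regardless of its key configuration. `ListOfTables` repeats the mismatch by listing `azure_mysql_server`. The CTE should select from `azure_postgresql_server as i` and the `azure_mysql_server` entry should be dropped from `ListOfTables`, assuming the PostgreSQL table exposes a `server_keys` column of the same shape — confirm against the schema.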
@@ -1,53 +1,33 @@ ID: azure_postgres_sql_ssl_enabled Title: "Enforce SSL connection should be enabled for PostgreSQL database servers" Description: "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when ssl_enforcement = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when ssl_enforcement = 'Disabled' then name || ' SSL connection disabled.' - else name || ' SSL connection enabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server s, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when ssl_enforcement = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when ssl_enforcement = 'Disabled' then name || ' SSL connection disabled.'\n else name || ' SSL connection enabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server s,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 
4.3.1 + - 4.3.1 cis_level: - - "1" + - "1" cis_section_id: - - "4.3" + - "4.3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgresql_server_infrastructure_encryption_enabled.yaml b/compliance/controls/azure/azure_postgresql_server_infrastructure_encryption_enabled.yaml index 15231ee71..307ab356c 100755 --- a/compliance/controls/azure/azure_postgresql_server_infrastructure_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_postgresql_server_infrastructure_encryption_enabled.yaml 
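Review bot: In the rewritten `QueryToExecute`, `ssl_enforcement = 'Disabled'` is the only alarm condition, so a null `ssl_enforcement` is reported as `SSL connection enabled`; the public_network_access_disabled hunk below has the same shape with `public_network_access = 'Enabled'`, where a null is reported as access disabled. For controls whose failure mode is an unencrypted or publicly reachable server, the unknown state is safer reported as an alarm: `when ssl_enforcement is distinct from 'Enabled' then 'alarm'` here, and `when public_network_access is distinct from 'Disabled' then 'alarm'` in the other file. Whether the collector can produce a null in these columns should be confirmed before changing the semantics.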
@@ -1,53 +1,33 @@ ID: azure_postgresql_server_infrastructure_encryption_enabled Title: "Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers" Description: "Enable infrastructure encryption for Azure Database for PostgreSQL servers to have higher level of assurance that the data is secure. When infrastructure encryption is enabled, the data at rest is encrypted twice using FIPS 140-2 compliant Microsoft managed keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when infrastructure_encryption = 'Enabled' then 'ok' - else 'alarm' - end as status, - case - when infrastructure_encryption = 'Enabled' then name || ' infrastructure encryption enabled.' - else name || ' infrastructure encryption disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when infrastructure_encryption = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when infrastructure_encryption = 'Enabled' then name || ' infrastructure encryption enabled.'\n else name || ' infrastructure encryption disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.3.8 + - 4.3.8 cis_level: - - "1" + - "1" 
cis_section_id: - - "4.3" + - "4.3" cis_type: - - manual + - manual cis_version: - - v1.4.0 + - v1.4.0 plugin: - - azure + - azure service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_postgresql_server_public_network_access_disabled.yaml b/compliance/controls/azure/azure_postgresql_server_public_network_access_disabled.yaml index 979e8e110..88a7251c0 100755 --- a/compliance/controls/azure/azure_postgresql_server_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_postgresql_server_public_network_access_disabled.yaml 
@@ -1,39 +1,19 @@ ID: azure_postgresql_server_public_network_access_disabled Title: "Public network access should be disabled for PostgreSQL servers" Description: "Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when public_network_access = 'Enabled' then 'alarm' - else 'ok' - end as status, - case - when public_network_access = 'Enabled' then name || ' public network access enabled.' - else name || ' public network access disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_postgresql_server as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when public_network_access = 'Enabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when public_network_access = 'Enabled' then name || ' public network access enabled.'\n else name || ' public network access disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_postgresql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_postgresql_server ListOfTables: - - azure_postgresql_server - - azure_subscription + - azure_postgresql_server + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/PostgreSQL + - Azure/PostgreSQL +IntegrationTypeName: + - 
azure_subscription diff --git a/compliance/controls/azure/azure_recovery_service_vault_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_recovery_service_vault_encrypted_with_cmk.yaml index 4a9ef5571..58b2d60b5 100755 --- a/compliance/controls/azure/azure_recovery_service_vault_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_recovery_service_vault_encrypted_with_cmk.yaml @@ -1,8 +1,6 @@ ID: azure_recovery_service_vault_encrypted_with_cmk Title: "Azure Recovery Services vaults should use customer-managed keys for encrypting backup data" Description: "Use customer-managed keys to manage the encryption at rest of your backup data. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/AB-CmkEncryption." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_recovery_service_vault_uses_managed_identity.yaml b/compliance/controls/azure/azure_recovery_service_vault_uses_managed_identity.yaml index ae039b291..89ba06dea 100755 --- a/compliance/controls/azure/azure_recovery_service_vault_uses_managed_identity.yaml +++ b/compliance/controls/azure/azure_recovery_service_vault_uses_managed_identity.yaml @@ -1,8 +1,6 @@ ID: azure_recovery_service_vault_uses_managed_identity Title: "Recovery Services vaults should use managed identity" Description: "Recovery Services vaults should use a managed identity for enhanced authentication security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_recovery_services_vault ListOfTables: - - azure_recovery_services_vault - - azure_subscription + - azure_recovery_services_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_recovery_service_vault_uses_private_link.yaml b/compliance/controls/azure/azure_recovery_service_vault_uses_private_link.yaml index 40d28a009..41690fd73 100755 --- a/compliance/controls/azure/azure_recovery_service_vault_uses_private_link.yaml +++ b/compliance/controls/azure/azure_recovery_service_vault_uses_private_link.yaml @@ -1,8 +1,6 @@ ID: azure_recovery_service_vault_uses_private_link Title: "Recovery Services vaults should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links for Azure Site Recovery at: https://aka.ms/HybridScenarios-PrivateLink and https://aka.ms/AzureToAzure-PrivateLink." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_recovery_services_vault ListOfTables: - - azure_recovery_services_vault - - azure_subscription + - azure_recovery_services_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_recovery_service_vault_uses_private_link_for_backup.yaml b/compliance/controls/azure/azure_recovery_service_vault_uses_private_link_for_backup.yaml index 5d8054ceb..bba9ccbac 100755 
--- a/compliance/controls/azure/azure_recovery_service_vault_uses_private_link_for_backup.yaml +++ b/compliance/controls/azure/azure_recovery_service_vault_uses_private_link_for_backup.yaml @@ -1,8 +1,6 @@ ID: azure_recovery_service_vault_uses_private_link_for_backup Title: "Azure Recovery Services vaults should use private link for backup" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Recovery Services vaults, data leakage risks are reduced. Learn more about private links at: https://aka.ms/AB-PrivateEndpoints." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_recovery_services_vault ListOfTables: - - azure_recovery_services_vault - - azure_subscription + - azure_recovery_services_vault + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_redis_cache_in_virtual_network.yaml b/compliance/controls/azure/azure_redis_cache_in_virtual_network.yaml index bc292a857..576267103 100755 --- a/compliance/controls/azure/azure_redis_cache_in_virtual_network.yaml +++ b/compliance/controls/azure/azure_redis_cache_in_virtual_network.yaml 
@@ -1,8 +1,6 @@ ID: azure_redis_cache_in_virtual_network Title: "Azure Cache for Redis should reside within a virtual network" Description: "Azure Virtual Network deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a virtual network, it is not publicly addressable and can only be accessed from virtual machines and applications within the virtual network." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = redis.subscription_id; PrimaryTable: azure_redis_cache ListOfTables: - - azure_redis_cache - - azure_subscription + - azure_redis_cache + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_redis_cache_min_tls_1_2.yaml b/compliance/controls/azure/azure_redis_cache_min_tls_1_2.yaml index 0eb15d9e8..c47a4f64f 100755 --- a/compliance/controls/azure/azure_redis_cache_min_tls_1_2.yaml +++ b/compliance/controls/azure/azure_redis_cache_min_tls_1_2.yaml @@ -1,8 +1,6 @@ ID: azure_redis_cache_min_tls_1_2 Title: "Redis Caches 'Minimum TLS version' should be set to 'Version 1.2'" Description: "This control checks whether 'Minimum TLS version' is set to 1.2. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to later protocols such as TLS 1.2." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -26,8 +24,10 @@ Query: sub.subscription_id = c.subscription_id; PrimaryTable: azure_redis_cache ListOfTables: - - azure_redis_cache - - azure_subscription + - azure_redis_cache + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_redis_cache_no_basic_sku.yaml b/compliance/controls/azure/azure_redis_cache_no_basic_sku.yaml index c76de5b64..72a45e292 100755 --- a/compliance/controls/azure/azure_redis_cache_no_basic_sku.yaml +++ b/compliance/controls/azure/azure_redis_cache_no_basic_sku.yaml 
@@ -1,39 +1,19 @@ ID: azure_redis_cache_no_basic_sku Title: "Azure Cache for Redis should use standard SKUs as a minimum" Description: "The use of Basic or Free SKUs in Azure whilst cost effective have significant limitations in terms of what can be monitored and what support can be realized from Microsoft. Typically, these SKU’s do not have a service SLA and Microsoft will usually refuse to provide support for them. Consequently Basic/Free SKUs should never be used for production workloads." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - c.id as resource, - c.og_account_id as og_account_id, - c.og_resource_id as og_resource_id, - case - when c.sku_name = 'Basic' then 'alarm' - else 'ok' - end as status, - case - when c.sku_name = 'Basic' then c.title || ' using basic SKU.' - else c.title || ' using ' || sku_name || ' SKU.' - end as reason - - , c.resource_group as resource_group - , sub.display_name as subscription - from - azure_redis_cache as c, - azure_subscription as sub - where - sub.subscription_id = c.subscription_id; + QueryToExecute: "select\n c.id as resource,\n c.og_account_id as og_account_id,\n c.og_resource_id as og_resource_id,\n case\n when c.sku_name = 'Basic' then 'alarm'\n else 'ok'\n end as status,\n case\n when c.sku_name = 'Basic' then c.title || ' using basic SKU.'\n else c.title || ' using ' || sku_name || ' SKU.'\n end as reason\n \n , c.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_redis_cache as c,\n azure_subscription as sub\nwhere\n sub.subscription_id = c.subscription_id;\n" PrimaryTable: azure_redis_cache ListOfTables: - - azure_redis_cache - - azure_subscription + - azure_redis_cache + - azure_subscription Parameters: [] Severity: medium Tags: cis: - - "true" + - "true" service: - - Azure/Redis + - Azure/Redis +IntegrationTypeName: + - azure_subscription 
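Review bot: The Description says Basic/Free SKUs should never be used for production, but the status test `when c.sku_name = 'Basic' then 'alarm'` alarms only on Basic; if the table can carry a Free tier the predicate should cover it, e.g. `when c.sku_name in ('Basic', 'Free') then 'alarm'`, otherwise the description should say what is actually checked. The reason branch also references `sku_name` without the `c.` qualifier used everywhere else in the query; qualifying it keeps the statement unambiguous should azure_subscription ever expose a column of the same name.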
diff --git a/compliance/controls/azure/azure_redis_cache_ssl_enabled.yaml b/compliance/controls/azure/azure_redis_cache_ssl_enabled.yaml index 82a464907..3d0d53b18 100755 --- a/compliance/controls/azure/azure_redis_cache_ssl_enabled.yaml +++ b/compliance/controls/azure/azure_redis_cache_ssl_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_redis_cache_ssl_enabled Title: "Only secure connections to your Azure Cache for Redis should be enabled" Description: "Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = redis.subscription_id; PrimaryTable: azure_redis_cache ListOfTables: - - azure_redis_cache - - azure_subscription + - azure_redis_cache + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_redis_cache_uses_private_link.yaml b/compliance/controls/azure/azure_redis_cache_uses_private_link.yaml index ab6b2d5a3..ecde62211 100755 --- a/compliance/controls/azure/azure_redis_cache_uses_private_link.yaml +++ b/compliance/controls/azure/azure_redis_cache_uses_private_link.yaml @@ -1,8 +1,6 @@ ID: azure_redis_cache_uses_private_link Title: "Azure Cache for Redis should use private link" Description: "Private endpoints lets you connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cache for Redis instances, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
@@ -35,8 +33,10 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_redis_cache ListOfTables: - - azure_redis_cache - - azure_subscription + - azure_redis_cache + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_search_service_logging_enabled.yaml b/compliance/controls/azure/azure_search_service_logging_enabled.yaml index 14310f672..b10cbfab2 100755 --- a/compliance/controls/azure/azure_search_service_logging_enabled.yaml +++ b/compliance/controls/azure/azure_search_service_logging_enabled.yaml 
@@ -1,69 +1,21 @@ ID: azure_search_service_logging_enabled Title: "Resource logs in Search services should be enabled" Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with logging_details as ( - select - distinct name as search_service_name - from - azure_search_service, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - where - diagnostic_settings is not null - and ( - ( - (log ->> 'enabled') :: boolean - and (log -> 'retentionPolicy' ->> 'enabled') :: boolean - and (log -> 'retentionPolicy') :: JSONB ? 'days' - ) - or - ( - (log ->> 'enabled') :: boolean - and ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - or setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) - ) - ) - select - v.id as resource, - v.og_account_id as og_account_id, - v.og_resource_id as og_resource_id, - case - when v.diagnostic_settings is null then 'alarm' - when l.search_service_name is null then 'alarm' - else 'ok' - end as status, - case - when v.diagnostic_settings is null then v.name || ' logging not enabled.' - when l.search_service_name is null then v.name || ' logging not enabled.' - else v.name || ' logging enabled.' 
- end as reason - - , v.resource_group as resource_group - , sub.display_name as subscription - from - azure_search_service as v - left join logging_details as l on v.name = l.search_service_name, - azure_subscription as sub - where - sub.subscription_id = v.subscription_id; + QueryToExecute: "with logging_details as (\n select\n distinct name as search_service_name\n from\n azure_search_service,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and (\n (\n (log ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy' ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy') :: JSONB ? 'days'\n )\n or\n (\n (log ->> 'enabled') :: boolean\n and (\n log -> 'retentionPolicy' ->> 'enabled' <> 'true'\n or setting -> 'properties' ->> 'storageAccountId' = ''\n )\n )\n )\n)\nselect\n v.id as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when v.diagnostic_settings is null then 'alarm'\n when l.search_service_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when v.diagnostic_settings is null then v.name || ' logging not enabled.'\n when l.search_service_name is null then v.name || ' logging not enabled.'\n else v.name || ' logging enabled.'\n end as reason\n \n , v.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_search_service as v\n left join logging_details as l on v.name = l.search_service_name,\n azure_subscription as sub\nwhere\n sub.subscription_id = v.subscription_id;\n" PrimaryTable: azure_search_service ListOfTables: - - azure_search_service - - azure_subscription + - azure_search_service + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CognitiveSearch + - Azure/CognitiveSearch +IntegrationTypeName: + - azure_subscription 
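Review bot: The second OR branch of the `logging_details` CTE accepts an enabled log entry whenever its retention policy is not enabled or no storage account is set, so together with the first branch almost any entry with `enabled` true qualifies and a service with a single enabled category is reported as 'logging enabled.'; if that is the intended bar the CTE can be reduced to `where diagnostic_settings is not null and (log ->> 'enabled') :: boolean`, and if the retention conditions were meant to be enforced the OR branch should go. The CTE also joins back on `v.name = l.search_service_name` although it selects from the same table; selecting and joining on `id` would avoid depending on name uniqueness.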
diff --git a/compliance/controls/azure/azure_search_service_public_network_access_disabled.yaml b/compliance/controls/azure/azure_search_service_public_network_access_disabled.yaml index d420c78ac..6488a1e04 100755 --- a/compliance/controls/azure/azure_search_service_public_network_access_disabled.yaml +++ b/compliance/controls/azure/azure_search_service_public_network_access_disabled.yaml 
@@ -1,39 +1,19 @@ ID: azure_search_service_public_network_access_disabled Title: "Azure Cognitive Search services should disable public network access" Description: "Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when public_network_access = 'Enabled' then 'alarm' - else 'ok' - end as status, - case - when public_network_access = 'Enabled' then name || ' public network access enabled.' - else name || ' public network access disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_search_service as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when public_network_access = 'Enabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when public_network_access = 'Enabled' then name || ' public network access enabled.'\n else name || ' public network access disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_search_service as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_search_service ListOfTables: - - azure_search_service - - azure_subscription + - azure_search_service + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CognitiveSearch + - Azure/CognitiveSearch +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_search_service_replica_count_3.yaml b/compliance/controls/azure/azure_search_service_replica_count_3.yaml index 84bd7558e..0454bdf0b 100755 --- a/compliance/controls/azure/azure_search_service_replica_count_3.yaml +++ b/compliance/controls/azure/azure_search_service_replica_count_3.yaml @@ -1,8 +1,6 @@ ID: azure_search_service_replica_count_3 Title: "Cognitive Search services should maintain SLA for index updates" Description: "This control checks if Cognitive Search maintains SLA for index updates." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -22,8 +20,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_search_service ListOfTables: - - azure_search_service - - azure_subscription + - azure_search_service + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_search_service_uses_managed_identity.yaml b/compliance/controls/azure/azure_search_service_uses_managed_identity.yaml index 0fe6ba500..972370d10 100755 --- a/compliance/controls/azure/azure_search_service_uses_managed_identity.yaml +++ b/compliance/controls/azure/azure_search_service_uses_managed_identity.yaml @@ -1,8 +1,6 @@ ID: azure_search_service_uses_managed_identity Title: "Cognitive Search services should use managed identity" Description: "Cognitive Search services should use a managed identity for enhanced authentication security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_search_service ListOfTables: - - azure_search_service - - azure_subscription + - azure_search_service + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_search_service_uses_private_link.yaml b/compliance/controls/azure/azure_search_service_uses_private_link.yaml index 9a2f5b141..b73b5c687 100755 --- a/compliance/controls/azure/azure_search_service_uses_private_link.yaml +++ b/compliance/controls/azure/azure_search_service_uses_private_link.yaml 
@@ -1,49 +1,19 @@ ID: azure_search_service_uses_private_link Title: "Azure Cognitive Search services should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Cognitive Search, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with search_service_connection as ( - select - distinct a.id - from - azure_search_service as a, - jsonb_array_elements(private_endpoint_connections) as connection - where - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when c.id is null then a.title || ' not uses private link.' - else a.title || ' uses private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_search_service as a - left join search_service_connection as c on c.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with search_service_connection as (\n select\n distinct a.id\n from\n azure_search_service as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.id is null then a.title || ' not uses private link.'\n else a.title || ' uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_search_service as a\n left join search_service_connection as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_search_service ListOfTables: - - azure_search_service - - azure_subscription + - azure_search_service + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CognitiveSearch + - Azure/CognitiveSearch +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_search_service_uses_sku_supporting_private_link.yaml b/compliance/controls/azure/azure_search_service_uses_sku_supporting_private_link.yaml index 8a6cdfdca..1c4a202b3 100755 --- a/compliance/controls/azure/azure_search_service_uses_sku_supporting_private_link.yaml +++ b/compliance/controls/azure/azure_search_service_uses_sku_supporting_private_link.yaml 
@@ -1,39 +1,19 @@ ID: azure_search_service_uses_sku_supporting_private_link Title: "Azure Cognitive Search service should use a SKU that supports private link" Description: "With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when sku_name = 'free' then 'alarm' - else 'ok' - end as status, - case - when sku_name = 'free' then s.title || ' SKU does not supports private link.' - else s.title || ' SKU supports private link.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_search_service as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when sku_name = 'free' then 'alarm'\n else 'ok'\n end as status,\n case\n when sku_name = 'free' then s.title || ' SKU does not supports private link.'\n else s.title || ' SKU supports private link.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_search_service as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_search_service ListOfTables: - - azure_search_service - - azure_subscription + - azure_search_service + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/CognitiveSearch + - Azure/CognitiveSearch +IntegrationTypeName: 
+ - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_additional_email_configured.yaml b/compliance/controls/azure/azure_securitycenter_additional_email_configured.yaml index 5172de131..c7a3837e5 100755 --- a/compliance/controls/azure/azure_securitycenter_additional_email_configured.yaml +++ b/compliance/controls/azure/azure_securitycenter_additional_email_configured.yaml 
@@ -1,64 +1,33 @@ ID: azure_securitycenter_additional_email_configured Title: "Ensure 'Additional email addresses' is configured with a security contact email" Description: "Security Center emails the subscription owners whenever a high-severity alert is triggered for their subscription. You should provide a security contact email address as an additional email address." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with contact_info as ( - select - jsonb_agg(email) filter (where name = 'default' and email != '') as default_email, - count(*) filter (where name != 'default') as non_default_count, - count(*) filter (where name = 'default') as default_count, - subscription_id - from - azure_security_center_contact - group by - subscription_id - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when non_default_count > 0 then 'ok' - when default_count = 1 and jsonb_array_length(default_email) != 0 then 'ok' - else 'alarm' - end as status, - case - when non_default_count > 0 then 'Additional email addresses configured.' - when default_count = 1 and default_email is not null then'Additional email addresses configured.' - else 'Additional email addresses not configured.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join contact_info ci on sub.subscription_id = ci.subscription_id; + QueryToExecute: "with contact_info as (\n select\n jsonb_agg(email) filter (where name = 'default' and email != '') as default_email,\n count(*) filter (where name != 'default') as non_default_count,\n count(*) filter (where name = 'default') as default_count,\n subscription_id\n from\n azure_security_center_contact\n group by\n subscription_id\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when non_default_count > 0 then 'ok'\n when default_count = 1 and jsonb_array_length(default_email) != 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when non_default_count > 0 then 'Additional email addresses configured.'\n when default_count = 1 and default_email is not null then'Additional email addresses configured.'\n else 'Additional email addresses not configured.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join contact_info ci on sub.subscription_id = ci.subscription_id;\n" PrimaryTable: azure_security_center_contact ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.13" + - "2.13" cis_level: - - "1" + - "1" cis_section_id: - - "2" + - "2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_asc_default_setting_not_disabled.yaml b/compliance/controls/azure/azure_securitycenter_asc_default_setting_not_disabled.yaml index 78aa5a5b9..210aec119 100755 
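Review bot: The `contact_info` CTE ends with `group by subscription_id limit 1`, so only one subscription's aggregated contact row survives; every other subscription left-joins to null, `non_default_count > 0` evaluates to null, and the control reports 'Additional email addresses not configured.' for them regardless of their real settings. Dropping the `limit 1` makes the CTE return one row per subscription, which is what the join expects. This is carried over from the old side, but the rewritten scalar is the line under review now.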
--- a/compliance/controls/azure/azure_securitycenter_asc_default_setting_not_disabled.yaml +++ b/compliance/controls/azure/azure_securitycenter_asc_default_setting_not_disabled.yaml 
@@ -1,72 +1,33 @@ ID: azure_securitycenter_asc_default_setting_not_disabled Title: "Ensure any of the ASC Default policy setting is not set to \\\"Disabled\\\"" Description: "None of the settings offered by ASC Default policy should be set to effect \\\"Disabled\\\"." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with policy_assignment_parameters as ( - select - id, - name, - key, - parameters -> key ->> 'value' as value, - subscription_id - from - azure_policy_assignment, - jsonb_object_keys(parameters) as key - where - name = 'SecurityCenterBuiltIn' - ) - select - sub.id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when count(value = 'Disabled') > 0 then 'alarm' - else 'ok' - end as status, - case - when count(value = 'Disabled') > 0 then 'Settings disabled for ' || count(*) filter (where value = 'Disabled') || ' parameters.' - else 'Settings enabled for all the parameters.' - end as reason - - , sub.display_name as subscription - from - policy_assignment_parameters pol_assignment - right join azure_subscription sub on pol_assignment.subscription_id = sub.subscription_id - group by - sub.id, - sub.og_account_id, - sub.og_resource_id, - pol_assignment.id, - sub._ctx, - sub.subscription_id, - pol_assignment.subscription_id, - sub.display_name; + QueryToExecute: "with policy_assignment_parameters as (\n select\n id,\n name,\n key,\n parameters -> key ->> 'value' as value,\n subscription_id\n from\n azure_policy_assignment,\n jsonb_object_keys(parameters) as key\n where\n name = 'SecurityCenterBuiltIn'\n)\nselect\n sub.id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when count(value = 'Disabled') > 0 then 'alarm'\n else 'ok'\n end as status,\n case\n when count(value = 'Disabled') > 0 then 'Settings disabled for ' || count(*) filter (where value = 'Disabled') || ' parameters.'\n else 'Settings enabled for all the parameters.'\n end 
as reason\n \n , sub.display_name as subscription\nfrom\n policy_assignment_parameters pol_assignment\n right join azure_subscription sub on pol_assignment.subscription_id = sub.subscription_id\ngroup by\n sub.id,\n sub.og_account_id,\n sub.og_resource_id,\n pol_assignment.id,\n sub._ctx,\n sub.subscription_id,\n pol_assignment.subscription_id,\n sub.display_name;\n" PrimaryTable: azure_policy_assignment ListOfTables: - - azure_policy_assignment - - azure_subscription + - azure_policy_assignment + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.12" + - "2.12" cis_level: - - "1" + - "1" cis_section_id: - - "2" + - "2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_automatic_provisioning_monitoring_agent_on.yaml b/compliance/controls/azure/azure_securitycenter_automatic_provisioning_monitoring_agent_on.yaml index 35d4e6de2..59a68c730 100755 --- a/compliance/controls/azure/azure_securitycenter_automatic_provisioning_monitoring_agent_on.yaml +++ b/compliance/controls/azure/azure_securitycenter_automatic_provisioning_monitoring_agent_on.yaml 
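Review bot: `count(value = 'Disabled') > 0` does not count Disabled parameters: `count(expr)` counts rows where the expression is non-null, and `value = 'Disabled'` is non-null (true or false) for every parameter with a value, so any SecurityCenterBuiltIn assignment with at least one parameter alarms. The reason branch already uses the correct form; the status test should be `when count(*) filter (where value = 'Disabled') > 0 then 'alarm'`. The context line `Title: "... \\\"Disabled\\\""` also looks double-escaped, which would leave literal backslashes in the rendered title, unless that is an artifact of how the diff was rendered.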
@@ -1,50 +1,33 @@ ID: azure_securitycenter_automatic_provisioning_monitoring_agent_on Title: "Auto provisioning of the Log Analytics agent should be enabled on your subscription" Description: "To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sc_prov.id as resource, - sc_prov.og_account_id as og_account_id, - sc_prov.og_resource_id as og_resource_id, - case - when auto_provision = 'On' then 'ok' - else 'alarm' - end as status, - case - when auto_provision = 'On' then 'Automatic provisioning of monitoring agent is on.' - else 'Automatic provisioning of monitoring agent is off.' 
- end as reason - - , sub.display_name as subscription - from - azure_security_center_auto_provisioning sc_prov - right join azure_subscription sub on sc_prov.subscription_id = sub.subscription_id; + QueryToExecute: "select\n sc_prov.id as resource,\n sc_prov.og_account_id as og_account_id,\n sc_prov.og_resource_id as og_resource_id,\n case\n when auto_provision = 'On' then 'ok'\n else 'alarm'\n end as status,\n case\n when auto_provision = 'On' then 'Automatic provisioning of monitoring agent is on.'\n else 'Automatic provisioning of monitoring agent is off.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_auto_provisioning sc_prov\n right join azure_subscription sub on sc_prov.subscription_id = sub.subscription_id;\n" PrimaryTable: azure_security_center_auto_provisioning ListOfTables: - - azure_security_center_auto_provisioning - - azure_subscription + - azure_security_center_auto_provisioning + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.11" + - "2.11" cis_level: - - "1" + - "1" cis_section_id: - - "2" + - "2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_appservice.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_appservice.yaml index 51b151975..a56a77e6b 100755 --- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_appservice.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_appservice.yaml 
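Review bot: With `right join azure_subscription sub`, a subscription that has no `azure_security_center_auto_provisioning` row is still evaluated and its null `auto_provision` correctly falls to 'alarm', but `sc_prov.id`, `sc_prov.og_account_id` and `sc_prov.og_resource_id` are null on that row, so the finding carries no resource identity. Selecting `sub.id as resource, sub.og_account_id as og_account_id, sub.og_resource_id as og_resource_id`, as azure_securitycenter_asc_default_setting_not_disabled already does, keeps the alarm attributable to the subscription.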
@@ -1,52 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_appservice
 Title: "Azure Defender for App Service should be enabled"
 Description: "Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for App Services.'
- else 'Azure Defender off for App Services.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'AppServices';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for App Services.'\n else 'Azure Defender off for App Services.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'AppServices';\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "2.2"
+ - "2.2"
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2"
+ - "2"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containerregistry.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containerregistry.yaml
index 3e40db51b..4fa95f37e 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containerregistry.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containerregistry.yaml
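Review bot: The `where name = 'AppServices'` filter in the new `QueryToExecute` string cancels the `right join azure_subscription sub` it follows: a subscription with no pricing row for this plan has NULL `name`, fails the predicate and is dropped from the result instead of being reported, so a subscription where the plan was never configured yields no finding at all rather than an 'alarm'. Moving the predicate into the join, `right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id and sub_pricing.name = 'AppServices'`, keeps those subscriptions and lets the existing `case` mark them 'alarm'; pairing it with `coalesce(sub_pricing.id, sub.id) as resource,` gives the row an identifier. `name` is also left unqualified while the opensource_relational_db hunk qualifies `sub_pricing.title`; qualifying it keeps the filter unambiguous. The containerregistry, dns, k8s, keyvault, opensource_relational_db, resource_manager, server, sqldb and sqlservervm hunks carry the same `where` after the same right join.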
@@ -1,52 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_containerregistry
 Title: "Azure Defender for container registries should be enabled"
 Description: "Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for Container Registry.'
- else 'Azure Defender off for Container Registry.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'ContainerRegistry';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Container Registry.'\n else 'Azure Defender off for Container Registry.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'ContainerRegistry';\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "2.7"
+ - "2.7"
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2"
+ - "2"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containers.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containers.yaml
index 281730b14..7c0b95ef2 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containers.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_containers.yaml
@@ -1,8 +1,6 @@
 ID: azure_securitycenter_azure_defender_on_for_containers
 Title: "Microsoft Defender for Containers should be enabled"
 Description: "Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |-
@@ -25,8 +23,10 @@ Query:
 name = 'Containers';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_cosmosdb.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_cosmosdb.yaml
index d14d17f3f..913b74ba4 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_cosmosdb.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_cosmosdb.yaml
@@ -1,8 +1,6 @@
 ID: azure_securitycenter_azure_defender_on_for_cosmosdb
 Title: "Ensure That Microsoft Defender for Azure Cosmos DB is set to 'On'"
 Description: "Microsoft Defender for Azure Cosmos DB scans all incoming network requests for threats to your Azure Cosmos DB resources."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -18,7 +16,7 @@ Query:
 when pricing_tier = 'Standard' then 'Azure Defender on for Cosmos DB.'
 else 'Azure Defender off for Cosmos DB.'
 end as reason
-
+
 , sub.display_name as subscription
 from
 azure_security_center_subscription_pricing sub_pricing
@@ -27,26 +25,28 @@ Query:
 sub_pricing.title = 'CosmosDbs';
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - 2.1.9
+ - 2.1.9
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2.1"
+ - "2.1"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.5.0
+ - v1.5.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_database.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_database.yaml
index de01ce74d..8601178c6 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_database.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_database.yaml
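Review bot: `cis_item_id` is re-indented as the plain scalar `2.1.9` in the last hunk while the sibling controls quote theirs (`"2.11"`, `"2.2"`), and the server hunk quotes `"2.1"`; a two-dot value parses as a string, but a single-dot id written the same way would be loaded as a float, so the tag lists should follow one convention: `- "2.1.9"`. The database, dns, opensource_relational_db and resource_manager hunks carry the same unquoted ids (`2.1.3`, `2.1.11`, `2.1.6`, `2.1.13`).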
@@ -1,71 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_database
 Title: "Ensure That Microsoft Defender for Databases is set to 'On'"
 Description: "Turning on Microsoft Defender for Databases enables threat detection for the instances running your database software. This provides threat intelligence, anomaly detection, and behavior analytics in the Azure Microsoft Defender for Cloud. Instead of being enabled on services like Platform as a Service (PaaS), this implementation will run within your instances as Infrastructure as a Service (IaaS) on the Operating Systems hosting your databases."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with defender_list as (
- select
- json_object_agg(name, pricing_tier) as data,
- subscription_id
- from
- azure_security_center_subscription_pricing
- where
- title = any(ARRAY ['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers'])
- group by
- subscription_id
- )
- select
- sub.id as resource,
- sub.og_account_id as og_account_id,
- sub.og_resource_id as og_resource_id,
- case
- when
- data ->> 'CosmosDbs' = 'Standard'
- and data ->> 'OpenSourceRelationalDatabases' = 'Standard'
- and data ->> 'SqlServerVirtualMachines' = 'Standard'
- and data ->> 'SqlServers' = 'Standard'
- then 'ok'
- else 'alarm'
- end as status,
- case
- when
- data ->> 'CosmosDbs' = 'Standard'
- and data ->> 'OpenSourceRelationalDatabases' = 'Standard'
- and data ->> 'SqlServerVirtualMachines' = 'Standard'
- and data ->> 'SqlServers' = 'Standard'
- then 'Azure Defender on for Databases.'
- else 'Azure Defender off for Databases.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_subscription as sub
- left join defender_list as l on l.subscription_id = sub.subscription_id;
+ QueryToExecute: "with defender_list as (\n select\n json_object_agg(name, pricing_tier) as data,\n subscription_id\n from\n azure_security_center_subscription_pricing\n where\n title = any(ARRAY ['CosmosDbs', 'OpenSourceRelationalDatabases', 'SqlServerVirtualMachines', 'SqlServers'])\n group by\n subscription_id\n)\nselect\n sub.id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when\n data ->> 'CosmosDbs' = 'Standard'\n and data ->> 'OpenSourceRelationalDatabases' = 'Standard'\n and data ->> 'SqlServerVirtualMachines' = 'Standard'\n and data ->> 'SqlServers' = 'Standard'\n then 'ok'\n else 'alarm'\n end as status,\n case\n when\n data ->> 'CosmosDbs' = 'Standard'\n and data ->> 'OpenSourceRelationalDatabases' = 'Standard'\n and data ->> 'SqlServerVirtualMachines' = 'Standard'\n and data ->> 'SqlServers' = 'Standard'\n then 'Azure Defender on for Databases.'\n else 'Azure Defender off for Databases.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription as sub\n left join defender_list as l on l.subscription_id = sub.subscription_id;\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - 2.1.3
+ - 2.1.3
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2.1"
+ - "2.1"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.5.0
+ - v1.5.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
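Review bot: In the new `QueryToExecute` string the `defender_list` CTE selects rows by `title = any(ARRAY ['CosmosDbs', ...])` but keys the lookup object with `json_object_agg(name, pricing_tier)`, while the outer `case` reads `data ->> 'CosmosDbs'` and the other three title values; unless `name` and `title` always hold the same value for a pricing row, those lookups return NULL and every subscription is reported 'alarm'. Keying the object on the column that was filtered, `json_object_agg(title, pricing_tier) as data,`, makes the CTE self-consistent either way. `PrimaryTable` also stays `azure_security_center_subscription_pricing` while `resource` is `sub.id` from `azure_subscription`; if PrimaryTable is meant to name the table the `resource` column comes from, it should be `azure_subscription` here — worth confirming against the loader.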
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_dns.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_dns.yaml
index 5f8bac2ec..7daa3f25c 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_dns.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_dns.yaml
@@ -1,52 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_dns
 Title: "Azure Defender for DNS should be enabled"
 Description: "Azure Defender for DNS provides an additional layer of protection for your cloud resources by continuously monitoring all DNS queries from your Azure resources. Azure Defender alerts you about suspicious activity at the DNS layer."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for DNS.'
- else 'Azure Defender off for DNS.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'Dns';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for DNS.'\n else 'Azure Defender off for DNS.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'Dns';\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - 2.1.11
+ - 2.1.11
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2.1"
+ - "2.1"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.5.0
+ - v1.5.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_k8s.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_k8s.yaml
index df8e793f2..6980e6b0d 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_k8s.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_k8s.yaml
@@ -1,52 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_k8s
 Title: "Azure Defender for Kubernetes should be enabled"
 Description: "Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for Kubernetes.'
- else 'Azure Defender off for Kubernetes.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'KubernetesService';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Kubernetes.'\n else 'Azure Defender off for Kubernetes.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'KubernetesService';\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "2.6"
+ - "2.6"
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2"
+ - "2"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_keyvault.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_keyvault.yaml
index 2e6014697..b66aac8ab 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_keyvault.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_keyvault.yaml
@@ -1,52 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_keyvault
 Title: "Azure Defender for Key Vault should be enabled"
 Description: "Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for Key Vaults.'
- else 'Azure Defender off for Key Vaults.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'KeyVaults';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Key Vaults.'\n else 'Azure Defender off for Key Vaults.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'KeyVaults';\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "2.8"
+ - "2.8"
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2"
+ - "2"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_opensource_relational_db.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_opensource_relational_db.yaml
index b96a0850d..8bbb0ecd9 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_opensource_relational_db.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_opensource_relational_db.yaml
@@ -1,52 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_opensource_relational_db
 Title: "Ensure That Microsoft Defender for Open-Source Relational Databases is set to 'On'"
 Description: "Turning on Microsoft Defender for Open-source relational databases enables threat detection for Open-source relational databases, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for Open Source Relational Databases.'
- else 'Azure Defender off for Open Source Relational Databases.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- sub_pricing.title = 'OpenSourceRelationalDatabases';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Open Source Relational Databases.'\n else 'Azure Defender off for Open Source Relational Databases.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n sub_pricing.title = 'OpenSourceRelationalDatabases';\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - 2.1.6
+ - 2.1.6
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2.1"
+ - "2.1"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.5.0
+ - v1.5.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_resource_manager.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_resource_manager.yaml
index 6317d097d..9544938b6 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_resource_manager.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_resource_manager.yaml
@@ -1,52 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_resource_manager
 Title: "Azure Defender for Resource Manager should be enabled"
 Description: "Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for Resource Manager.'
- else 'Azure Defender off for Resource Manager.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'Arm';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Resource Manager.'\n else 'Azure Defender off for Resource Manager.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'Arm';\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - 2.1.13
+ - 2.1.13
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2.1"
+ - "2.1"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.5.0
+ - v1.5.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_server.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_server.yaml
index 060a8956a..d15712133 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_server.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_server.yaml
@@ -1,52 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_server
 Title: "Azure Defender for servers should be enabled"
 Description: "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for Servers.'
- else 'Azure Defender off for Servers.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'VirtualMachines';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Servers.'\n else 'Azure Defender off for Servers.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'VirtualMachines';\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "2.1"
+ - "2.1"
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2"
+ - "2"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqldb.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqldb.yaml
index 1180f1122..2bdf66873 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqldb.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqldb.yaml
@@ -1,52 +1,33 @@
 ID: azure_securitycenter_azure_defender_on_for_sqldb
 Title: "Azure Defender for Azure SQL Database servers should be enabled"
 Description: "Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sub_pricing.id as resource,
- sub_pricing.og_account_id as og_account_id,
- sub_pricing.og_resource_id as og_resource_id,
- case
- when pricing_tier = 'Standard' then 'ok'
- else 'alarm'
- end as status,
- case
- when pricing_tier = 'Standard' then 'Azure Defender on for SQL database servers.'
- else 'Azure Defender off for SQL database servers.'
- end as reason
-
- , sub.display_name as subscription
- from
- azure_security_center_subscription_pricing sub_pricing
- right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id
- where
- name = 'SqlServers';
+ QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for SQL database servers.'\n else 'Azure Defender off for SQL database servers.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'SqlServers';\n"
 PrimaryTable: azure_security_center_subscription_pricing
 ListOfTables:
- - azure_security_center_subscription_pricing
- - azure_subscription
+ - azure_security_center_subscription_pricing
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags:
 category:
- - Compliance
+ - Compliance
 cis:
- - "true"
+ - "true"
 cis_item_id:
- - "2.3"
+ - "2.3"
 cis_level:
- - "2"
+ - "2"
 cis_section_id:
- - "2"
+ - "2"
 cis_type:
- - manual
+ - manual
 cis_version:
- - v1.3.0
+ - v1.3.0
 plugin:
- - azure
+ - azure
 service:
- - Azure/SecurityCenter
+ - Azure/SecurityCenter
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqlservervm.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqlservervm.yaml
index 1698d4f56..8ac6b94cc 100755
--- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqlservervm.yaml
+++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_sqlservervm.yaml
@@ -1,52 +1,33 @@ ID: azure_securitycenter_azure_defender_on_for_sqlservervm Title: "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances" Description: "Audit each SQL Managed Instance without advanced data security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sub_pricing.id as resource, - sub_pricing.og_account_id as og_account_id, - sub_pricing.og_resource_id as og_resource_id, - case - when pricing_tier = 'Standard' then 'ok' - else 'alarm' - end as status, - case - when pricing_tier = 'Standard' then 'Azure Defender on for SQL servers on machines.' - else 'Azure Defender off for SQL servers on machines.' - end as reason - - , sub.display_name as subscription - from - azure_security_center_subscription_pricing sub_pricing - right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id - where - name = 'SqlServerVirtualMachines'; + QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for SQL servers on machines.'\n else 'Azure Defender off for SQL servers on machines.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'SqlServerVirtualMachines';\n" PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.4" + - "2.4" cis_level: - - "2" + - "2" cis_section_id: - - "2" + - "2" cis_type: - - manual + 
- manual cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_storage.yaml b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_storage.yaml index 41cd7d010..bfe725883 100755 --- a/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_storage.yaml +++ b/compliance/controls/azure/azure_securitycenter_azure_defender_on_for_storage.yaml 
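Review bot: The Title and Description of this control describe SQL Managed Instances, but the query filters `name = 'SqlServerVirtualMachines'` and the reason text reads 'Azure Defender on/off for SQL servers on machines.', matching the `_sqlservervm` ID, so the metadata describes a different Defender plan than the one actually checked. Align the metadata with the query, e.g. `Title: "Azure Defender for SQL servers on machines should be enabled"`, and reword the Description to refer to SQL servers on machines rather than Managed Instances.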
@@ -1,52 +1,33 @@ ID: azure_securitycenter_azure_defender_on_for_storage Title: "Microsoft Defender for Storage (Classic) should be enabled" Description: "Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sub_pricing.id as resource, - sub_pricing.og_account_id as og_account_id, - sub_pricing.og_resource_id as og_resource_id, - case - when pricing_tier = 'Standard' then 'ok' - else 'alarm' - end as status, - case - when pricing_tier = 'Standard' then 'Azure Defender on for Storage.' - else 'Azure Defender off for Storage.' - end as reason - - , sub.display_name as subscription - from - azure_security_center_subscription_pricing sub_pricing - right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id - where - name = 'StorageAccounts'; + QueryToExecute: "select\n sub_pricing.id as resource,\n sub_pricing.og_account_id as og_account_id,\n sub_pricing.og_resource_id as og_resource_id,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Storage.'\n else 'Azure Defender off for Storage.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'StorageAccounts';\n" PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.5" + - "2.5" cis_level: - - "2" + - "2" cis_section_id: - - "2" + - "2" cis_type: - - manual + - manual cis_version: - - v1.3.0 + - 
v1.3.0 plugin: - - azure + - azure service: - - Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_container_image_scan_enabled.yaml b/compliance/controls/azure/azure_securitycenter_container_image_scan_enabled.yaml index 05b8ae563..e4d77706f 100755 --- a/compliance/controls/azure/azure_securitycenter_container_image_scan_enabled.yaml +++ b/compliance/controls/azure/azure_securitycenter_container_image_scan_enabled.yaml 
@@ -1,30 +1,15 @@ ID: azure_securitycenter_container_image_scan_enabled Title: "Security Center container image scan should be enabled" Description: "This control ensures that image scan for container registries are enabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: |- - select - sub_assessment.id as resource, - sub_assessment.og_account_id as og_account_id, - sub_assessment.og_resource_id as og_resource_id, - case - when container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' then 'ok' - else 'alarm' - end as status, - case - when container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' then sub_assessment.name || ' container image scan enabled.' - else sub_assessment.name || ' container image scan disabled.' - end as reason - from - azure_security_center_sub_assessment sub_assessment - right join azure_subscription sub on sub_assessment.subscription_id = sub.subscription_id; + QueryToExecute: "select\n sub_assessment.id as resource,\n sub_assessment.og_account_id as og_account_id,\n sub_assessment.og_resource_id as og_resource_id,\n case\n when container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' then 'ok'\n else 'alarm'\n end as status,\n case\n when container_registry_vulnerability_properties ->> 'AssessedResourceType' = 'ContainerRegistryVulnerability' then sub_assessment.name || ' container image scan enabled.'\n else sub_assessment.name || ' container image scan disabled.'\n end as reason \nfrom\n azure_security_center_sub_assessment sub_assessment\n right join azure_subscription sub on sub_assessment.subscription_id = sub.subscription_id;" PrimaryTable: azure_security_center_sub_assessment ListOfTables: - - azure_security_center_sub_assessment - - azure_subscription + - azure_security_center_sub_assessment + - azure_subscription Parameters: [] Severity: low Tags: {} 
+IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_email_configured.yaml b/compliance/controls/azure/azure_securitycenter_email_configured.yaml index b803b0928..73b576d92 100755 --- a/compliance/controls/azure/azure_securitycenter_email_configured.yaml +++ b/compliance/controls/azure/azure_securitycenter_email_configured.yaml 
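Review bot: The unfiltered `right join azure_subscription` means a subscription with no sub-assessment rows yields a result row whose `resource` is null and whose `reason` is null (`sub_assessment.name || ' container image scan disabled.'` concatenates a null name to null) while its `status` is 'alarm', so the control emits findings with no resource and no explanation. Either switch to an inner join or coalesce the subscription in, e.g. `coalesce(sub_assessment.id, sub.subscription_id) as resource` and `coalesce(sub_assessment.name, sub.display_name) || ' container image scan disabled.'`. It is also unclear from the query whether `azure_security_center_sub_assessment` holds assessment types other than container registry vulnerabilities; if it does, every other type lands in the `else 'alarm'` branch and is reported as a disabled image scan — confirm against the table and add a type filter if so.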
@@ -1,50 +1,19 @@ ID: azure_securitycenter_email_configured Title: "Subscriptions should have a contact email address for security issues" Description: "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with contact_info as ( - select - jsonb_agg(email) filter (where name = 'default' and email != '') as default_email, - count(*) filter (where name != 'default') as non_default_count, - count(*) filter (where name = 'default') as default_count, - subscription_id - from - azure_security_center_contact - group by - subscription_id - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when non_default_count > 0 then 'ok' - when default_count = 1 and jsonb_array_length(default_email) != 0 then 'ok' - else 'alarm' - end as status, - case - when non_default_count > 0 then 'Additional email addresses configured.' - when default_count = 1 and default_email is not null then'Additional email addresses configured.' - else 'Additional email addresses not configured.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join contact_info ci on sub.subscription_id = ci.subscription_id; + QueryToExecute: "with contact_info as (\n select\n jsonb_agg(email) filter (where name = 'default' and email != '') as default_email,\n count(*) filter (where name != 'default') as non_default_count,\n count(*) filter (where name = 'default') as default_count,\n subscription_id\n from\n azure_security_center_contact\n group by\n subscription_id\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when non_default_count > 0 then 'ok'\n when default_count = 1 and jsonb_array_length(default_email) != 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when non_default_count > 0 then 'Additional email addresses configured.'\n when default_count = 1 and default_email is not null then'Additional email addresses configured.'\n else 'Additional email addresses not configured.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join contact_info ci on sub.subscription_id = ci.subscription_id;\n" PrimaryTable: azure_security_center_contact ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_mcas_integration.yaml b/compliance/controls/azure/azure_securitycenter_mcas_integration.yaml index 01e36c8a8..7974ee592 100755 --- a/compliance/controls/azure/azure_securitycenter_mcas_integration.yaml +++ b/compliance/controls/azure/azure_securitycenter_mcas_integration.yaml 
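Review bot: The `limit 1` inside the `contact_info` CTE is applied after `group by subscription_id`, so only one subscription's aggregates survive; every other subscription joined from `azure_subscription` gets null `non_default_count`/`default_count`, fails both `when` branches and is reported as 'alarm' regardless of its real contact configuration. Drop the `limit 1` line so the CTE returns one row per subscription; the same `limit 1` is present in the notify_alerts_configured and security_alerts_to_owner_enabled hunks below. Minor: `then'Additional email addresses configured.'` is missing the space after `then`.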
@@ -1,52 +1,33 @@ ID: azure_securitycenter_mcas_integration Title: "Ensure that Microsoft Defender for Cloud Apps (MCAS) Integration with Microsoft Defender for Cloud is selected" Description: "This setting enables Microsoft Defender for Cloud Apps (MCAS) integration with Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sc_sett.id as resource, - sc_sett.og_account_id as og_account_id, - sc_sett.og_resource_id as og_resource_id, - case - when enabled then 'ok' - else 'alarm' - end as status, - case - when enabled then 'Windows Defender ATP (WDATP) integrated with Security Center.' - else 'Windows Defender ATP (WDATP) not integrated with Security Center.' - end as reason - - , sub.display_name as subscription - from - azure_security_center_setting sc_sett - right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id - where - name = 'MCAS'; + QueryToExecute: "select\n sc_sett.id as resource,\n sc_sett.og_account_id as og_account_id,\n sc_sett.og_resource_id as og_resource_id,\n case\n when enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when enabled then 'Windows Defender ATP (WDATP) integrated with Security Center.'\n else 'Windows Defender ATP (WDATP) not integrated with Security Center.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_setting sc_sett\n right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id\nwhere\n name = 'MCAS';\n" PrimaryTable: azure_security_center_setting ListOfTables: - - azure_security_center_setting - - azure_subscription + - azure_security_center_setting + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.10" + - "2.10" cis_level: - - "2" + - "2" cis_section_id: - - "2" + - "2" cis_type: - - manual + - manual cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - 
Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_notify_alerts_configured.yaml b/compliance/controls/azure/azure_securitycenter_notify_alerts_configured.yaml index 226082949..153b69961 100755 --- a/compliance/controls/azure/azure_securitycenter_notify_alerts_configured.yaml +++ b/compliance/controls/azure/azure_securitycenter_notify_alerts_configured.yaml 
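Review bot: The reason strings in this MCAS control describe WDATP (`'Windows Defender ATP (WDATP) integrated with Security Center.'`) while the query filters `name = 'MCAS'`; the wdatp_integration hunk below has the mirror problem, filtering `sc_sett.title = 'WDATP'` but reporting 'Microsoft Cloud App Security (MCAS) ...'. The two reason pairs appear to have been swapped between the files; here they should read `when enabled then 'Microsoft Defender for Cloud Apps (MCAS) integrated with Security Center.'` and `else 'Microsoft Defender for Cloud Apps (MCAS) not integrated with Security Center.'`, with the WDATP strings moved to the other control. The two controls also select the setting by different columns (`name` here, `sc_sett.title` there); the diff does not show which column carries the setting identifier, so one of the two filters may match nothing — verify against the azure_security_center_setting schema.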
@@ -1,60 +1,33 @@ ID: azure_securitycenter_notify_alerts_configured Title: "Email notification for high severity alerts should be enabled" Description: "To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with contact_info as ( - select - count(*) filter (where alert_notifications = 'On') as notification_alert_count, - subscription_id - from - azure_security_center_contact - group by - subscription_id - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when notification_alert_count > 0 then 'ok' - else 'alarm' - end as status, - case - when notification_alert_count > 0 then '"Notify about alerts with the following severity" set to High.' - else '"Notify about alerts with the following severity" not set to High.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join contact_info ci on sub.subscription_id = ci.subscription_id; + QueryToExecute: "with contact_info as (\n select\n count(*) filter (where alert_notifications = 'On') as notification_alert_count,\n subscription_id\n from\n azure_security_center_contact\n group by\n subscription_id\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when notification_alert_count > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when notification_alert_count > 0 then '\"Notify about alerts with the following severity\" set to High.'\n else '\"Notify about alerts with the following severity\" not set to High.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join contact_info ci on sub.subscription_id = ci.subscription_id;\n" PrimaryTable: azure_security_center_contact ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: low Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.14" + - "2.14" cis_level: - - "1" + - "1" cis_section_id: - - "2" + - "2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_pricing_standard.yaml b/compliance/controls/azure/azure_securitycenter_pricing_standard.yaml index f7243c0af..ba085472e 100755 --- a/compliance/controls/azure/azure_securitycenter_pricing_standard.yaml +++ b/compliance/controls/azure/azure_securitycenter_pricing_standard.yaml 
@@ -1,8 +1,6 @@ ID: azure_securitycenter_pricing_standard Title: "Security center pricing should be set to standard" Description: "This control checks whether Security center pricing is set to standard. This control is non-compliant if pricing is set to free." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -20,8 +18,10 @@ Query: right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id; PrimaryTable: azure_security_center_subscription_pricing ListOfTables: - - azure_security_center_subscription_pricing - - azure_subscription + - azure_security_center_subscription_pricing + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_security_alerts_to_owner_enabled.yaml b/compliance/controls/azure/azure_securitycenter_security_alerts_to_owner_enabled.yaml index ba35c9a2a..4e8de836a 100755 --- a/compliance/controls/azure/azure_securitycenter_security_alerts_to_owner_enabled.yaml +++ b/compliance/controls/azure/azure_securitycenter_security_alerts_to_owner_enabled.yaml 
@@ -1,60 +1,33 @@ ID: azure_securitycenter_security_alerts_to_owner_enabled Title: "Email notification to subscription owner for high severity alerts should be enabled" Description: "To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with contact_info as ( - select - count(*) filter (where alerts_to_admins = 'On') as admin_alert_count, - subscription_id - from - azure_security_center_contact - group by - subscription_id - limit 1 - ) - select - sub.subscription_id as resource, - sub.og_account_id as og_account_id, - sub.og_resource_id as og_resource_id, - case - when admin_alert_count > 0 then 'ok' - else 'alarm' - end as status, - case - when admin_alert_count > 0 then '"All users with the following roles" set to Owner' - else '"All users with the following roles" not set to Owner.' 
- end as reason - - , sub.display_name as subscription - from - azure_subscription sub - left join contact_info ci on sub.subscription_id = ci.subscription_id; + QueryToExecute: "with contact_info as (\n select\n count(*) filter (where alerts_to_admins = 'On') as admin_alert_count,\n subscription_id\n from\n azure_security_center_contact\n group by\n subscription_id\n limit 1\n)\nselect\n sub.subscription_id as resource,\n sub.og_account_id as og_account_id,\n sub.og_resource_id as og_resource_id,\n case\n when admin_alert_count > 0 then 'ok'\n else 'alarm'\n end as status,\n case\n when admin_alert_count > 0 then '\"All users with the following roles\" set to Owner'\n else '\"All users with the following roles\" not set to Owner.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_subscription sub\n left join contact_info ci on sub.subscription_id = ci.subscription_id;\n" PrimaryTable: azure_security_center_contact ListOfTables: - - azure_security_center_contact - - azure_subscription + - azure_security_center_contact + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.15" + - "2.15" cis_level: - - "1" + - "1" cis_section_id: - - "2" + - "2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_securitycenter_wdatp_integration.yaml b/compliance/controls/azure/azure_securitycenter_wdatp_integration.yaml index 4d45b7da0..4ad3625af 100755 --- a/compliance/controls/azure/azure_securitycenter_wdatp_integration.yaml +++ b/compliance/controls/azure/azure_securitycenter_wdatp_integration.yaml 
@@ -1,52 +1,33 @@ ID: azure_securitycenter_wdatp_integration Title: "Ensure that Windows Defender ATP (WDATP) integration with Security Center is selected" Description: "This setting enables Windows Defender ATP (WDATP) integration with Security Center." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sc_sett.id as resource, - sc_sett.og_account_id as og_account_id, - sc_sett.og_resource_id as og_resource_id, - case - when enabled then 'ok' - else 'alarm' - end as status, - case - when enabled then 'Microsoft Cloud App Security (MCAS) integrated with Security Center.' - else 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.' - end as reason - - , sub.display_name as subscription - from - azure_security_center_setting sc_sett - right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id - where - sc_sett.title = 'WDATP'; + QueryToExecute: "select\n sc_sett.id as resource,\n sc_sett.og_account_id as og_account_id,\n sc_sett.og_resource_id as og_resource_id,\n case\n when enabled then 'ok'\n else 'alarm'\n end as status,\n case\n when enabled then 'Microsoft Cloud App Security (MCAS) integrated with Security Center.'\n else 'Microsoft Cloud App Security (MCAS) not integrated with Security Center.'\n end as reason\n \n , sub.display_name as subscription\nfrom\n azure_security_center_setting sc_sett\n right join azure_subscription sub on sc_sett.subscription_id = sub.subscription_id\nwhere\n sc_sett.title = 'WDATP';\n" PrimaryTable: azure_security_center_setting ListOfTables: - - azure_security_center_setting - - azure_subscription + - azure_security_center_setting + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "2.9" + - "2.9" cis_level: - - "2" + - "2" cis_section_id: - - "2" + - "2" cis_type: - - manual + - manual cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - 
Azure/SecurityCenter + - Azure/SecurityCenter +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_servicebus_name_space_private_link_used.yaml b/compliance/controls/azure/azure_servicebus_name_space_private_link_used.yaml index 376bae28e..679f5610f 100755 --- a/compliance/controls/azure/azure_servicebus_name_space_private_link_used.yaml +++ b/compliance/controls/azure/azure_servicebus_name_space_private_link_used.yaml 
@@ -1,42 +1,19 @@ ID: azure_servicebus_name_space_private_link_used Title: "Azure Service Bus namespaces should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Service Bus namespaces, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when sku_name in ('Basic', 'Standard') then 'skip' - when private_endpoint_connections is null then 'info' - when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then 'ok' - else 'alarm' - end as status, - case - when sku_name in ('Basic', 'Standard') then a.name || ' is of ' || sku_name || ' tier.' - when private_endpoint_connections is null then a.name || ' no private link exists.' - when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb - then a.name || ' using private link.' - else a.name || ' not using private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_servicebus_namespace a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when sku_name in ('Basic', 'Standard') then 'skip'\n when private_endpoint_connections is null then 'info'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_name in ('Basic', 'Standard') then a.name || ' is of ' || sku_name || ' tier.'\n when private_endpoint_connections is null then a.name || ' no private link exists.'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb\n then a.name || ' using private link.'\n else a.name || ' not using private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_servicebus_namespace a,\n azure_subscription sub;\n" PrimaryTable: azure_servicebus_namespace ListOfTables: - - azure_servicebus_namespace - - azure_subscription + - azure_servicebus_namespace + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/ServiceBus + - Azure/ServiceBus +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_servicebus_namespace_azure_ad_authentication_enabled.yaml b/compliance/controls/azure/azure_servicebus_namespace_azure_ad_authentication_enabled.yaml index c4eb3da53..84f638946 100755 --- a/compliance/controls/azure/azure_servicebus_namespace_azure_ad_authentication_enabled.yaml +++ b/compliance/controls/azure/azure_servicebus_namespace_azure_ad_authentication_enabled.yaml 
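Review bot: The `from azure_servicebus_namespace a, azure_subscription sub;` has no join condition, so every namespace is paired with every subscription; in a tenant with more than one subscription each namespace is reported once per subscription and most of those rows carry a wrong `subscription` display name. Add the predicate the servicebus_namespace_logging_enabled hunk below already uses, `where a.subscription_id = sub.subscription_id;`, after the `from` clause; the servicebus_premium_namespace_cmk_encrypted hunk has the same unconstrained cross join.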
@@ -1,8 +1,6 @@ ID: azure_servicebus_namespace_azure_ad_authentication_enabled Title: "Service bus namespace should be configured with Azure Active Directory (Azure AD) authentication" Description: "This policy identifies Service bus namespaces that are not configured with Azure Active Directory (Azure AD) authentication and are enabled with local authentication. Azure AD provides superior security and ease of use over shared access signatures (SAS). With Azure AD, there's no need to store the tokens in your code and risk potential security vulnerabilities. It is recommended to configure the Service bus namespaces with Azure AD authentication so that all actions are strongly authenticated." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: azure_subscription sub; PrimaryTable: azure_servicebus_namespace ListOfTables: - - azure_servicebus_namespace - - azure_subscription + - azure_servicebus_namespace + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_servicebus_namespace_logging_enabled.yaml b/compliance/controls/azure/azure_servicebus_namespace_logging_enabled.yaml index b29459024..9b3fcfc73 100755 --- a/compliance/controls/azure/azure_servicebus_namespace_logging_enabled.yaml +++ b/compliance/controls/azure/azure_servicebus_namespace_logging_enabled.yaml 
@@ -1,69 +1,21 @@ ID: azure_servicebus_namespace_logging_enabled Title: "Resource logs in Service Bus should be enabled" Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with logging_details as ( - select - distinct name as namespace_name - from - azure_servicebus_namespace, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - where - diagnostic_settings is not null - and ( - ( - (log ->> 'enabled') :: boolean - and (log -> 'retentionPolicy' ->> 'enabled') :: boolean - and (log -> 'retentionPolicy') :: JSONB ? 'days' - ) - or - ( - (log ->> 'enabled') :: boolean - and ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - or setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) - ) - ) - select - v.id as resource, - v.og_account_id as og_account_id, - v.og_resource_id as og_resource_id, - case - when v.diagnostic_settings is null then 'alarm' - when l.namespace_name is null then 'alarm' - else 'ok' - end as status, - case - when v.diagnostic_settings is null then v.name || ' logging not enabled.' - when l.namespace_name is null then v.name || ' logging not enabled.' - else v.name || ' logging enabled.' 
- end as reason - - , v.resource_group as resource_group - , sub.display_name as subscription - from - azure_servicebus_namespace as v - left join logging_details as l on v.name = l.namespace_name, - azure_subscription as sub - where - sub.subscription_id = v.subscription_id; + QueryToExecute: "with logging_details as (\n select\n distinct name as namespace_name\n from\n azure_servicebus_namespace,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and (\n (\n (log ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy' ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy') :: JSONB ? 'days'\n )\n or\n (\n (log ->> 'enabled') :: boolean\n and (\n log -> 'retentionPolicy' ->> 'enabled' <> 'true'\n or setting -> 'properties' ->> 'storageAccountId' = ''\n )\n )\n )\n)\nselect\n v.id as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when v.diagnostic_settings is null then 'alarm'\n when l.namespace_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when v.diagnostic_settings is null then v.name || ' logging not enabled.'\n when l.namespace_name is null then v.name || ' logging not enabled.'\n else v.name || ' logging enabled.'\n end as reason\n \n , v.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_servicebus_namespace as v\n left join logging_details as l on v.name = l.namespace_name,\n azure_subscription as sub\nwhere\n sub.subscription_id = v.subscription_id;\n" PrimaryTable: azure_servicebus_namespace ListOfTables: - - azure_servicebus_namespace - - azure_subscription + - azure_servicebus_namespace + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/ServiceBus + - Azure/ServiceBus +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_servicebus_namespace_no_overly_permissive_network_access.yaml b/compliance/controls/azure/azure_servicebus_namespace_no_overly_permissive_network_access.yaml index 0b356a162..90cfb43a7 100755 --- a/compliance/controls/azure/azure_servicebus_namespace_no_overly_permissive_network_access.yaml +++ b/compliance/controls/azure/azure_servicebus_namespace_no_overly_permissive_network_access.yaml @@ -1,8 +1,6 @@ ID: azure_servicebus_namespace_no_overly_permissive_network_access Title: "Service bus namespace should not be configured with overly permissive network access" Description: "This policy identifies Azure Service bus namespaces configured with overly permissive network access. By default, Service Bus namespaces are accessible from the internet as long as the request comes with valid authentication and authorization. With an IP firewall, you can restrict it further to only a set of IPv4 addresses or IPv4 address ranges. With Virtual Networks, the network traffic path is secured on both ends. It is recommended to configure the Service bus namespace with an IP firewall or by Virtual Network; so that the Service bus namespace is accessible only to restricted entities." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -29,8 +27,10 @@ Query: azure_subscription sub; PrimaryTable: azure_servicebus_namespace ListOfTables: - - azure_servicebus_namespace - - azure_subscription + - azure_servicebus_namespace + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_servicebus_premium_namespace_cmk_encrypted.yaml b/compliance/controls/azure/azure_servicebus_premium_namespace_cmk_encrypted.yaml index ff6a9931b..1e9dd1ffc 100755 --- a/compliance/controls/azure/azure_servicebus_premium_namespace_cmk_encrypted.yaml +++ b/compliance/controls/azure/azure_servicebus_premium_namespace_cmk_encrypted.yaml 
@@ -1,39 +1,19 @@ ID: azure_servicebus_premium_namespace_cmk_encrypted Title: "Service Bus Premium namespaces should use a customer-managed key for encryption" Description: "Azure Service Bus supports the option of encrypting data at rest with either Microsoft-managed keys (default) or customer-managed keys. Choosing to encrypt data using customer-managed keys enables you to assign, rotate, disable, and revoke access to the keys that Service Bus will use to encrypt data in your namespace. Note that Service Bus only supports encryption with customer-managed keys for premium namespaces." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when sku_tier <> 'Premium' then 'skip' - when encryption -> 'keySource' = '"Microsoft.KeyVault"' then 'ok' - else 'alarm' - end as status, - case - when sku_tier <> 'Premium' then a.name || ' is of ' || sku_tier || ' tier.' - when encryption -> 'keySource' = '"Microsoft.KeyVault"' then a.name || ' encrypted using CMK.' - else a.name || ' not encrypted using CMK.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_servicebus_namespace a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when sku_tier <> 'Premium' then 'skip'\n when encryption -> 'keySource' = '\"Microsoft.KeyVault\"' then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_tier <> 'Premium' then a.name || ' is of ' || sku_tier || ' tier.'\n when encryption -> 'keySource' = '\"Microsoft.KeyVault\"' then a.name || ' encrypted using CMK.'\n else a.name || ' not encrypted using CMK.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_servicebus_namespace a,\n azure_subscription sub;\n" PrimaryTable: azure_servicebus_namespace ListOfTables: - - azure_servicebus_namespace - - azure_subscription + - azure_servicebus_namespace + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/ServiceBus + - Azure/ServiceBus +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_servicebus_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_servicebus_use_virtual_service_endpoint.yaml index 515100ff9..d75329552 100755 --- a/compliance/controls/azure/azure_servicebus_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_servicebus_use_virtual_service_endpoint.yaml @@ -1,8 +1,6 @@ ID: azure_servicebus_use_virtual_service_endpoint Title: "Service Bus should use virtual service endpoint" Description: "Ensure that Service Bus uses virtual service endpoint. This contol is non-compliant if service bus does not uses virtual service endpoint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
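Review bot: The new `QueryToExecute:` line replaces the `|` block scalar with one double-quoted string full of `\n` escapes and `\"`-escaped JSON quotes (`'\"Microsoft.KeyVault\"'`), which makes the SQL unreadable in review and fragile to edit, since a later change to a literal must now also get the escaping right. The old block form carried the same text, so `QueryToExecute: |` with the statement kept on its own lines is the form to restore; the same rewrite appears in the servicefabric_cluster_*, signalr_service_private_link_used, spring_cloud_service_network_injection_enabled, sql_database_* and sql_db_* hunks below and the point applies to all of them. Unrelated to the scalar style, the `sku_tier <> 'Premium'` branch returns `'skip'` before the key-source test, which is consistent with the other controls here; if `encryption` can be null for a Premium namespace the `->` comparison yields null and falls through to `'alarm'`, which looks intended but is worth a one-line comment above the case.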
@@ -47,8 +45,10 @@ Query:
sub.subscription_id = bus.subscription_id;
PrimaryTable: azure_servicebus_namespace
ListOfTables:
- - azure_servicebus_namespace
- - azure_subscription
+ - azure_servicebus_namespace
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_servicefabric_cluster_active_directory_authentication_enabled.yaml b/compliance/controls/azure/azure_servicefabric_cluster_active_directory_authentication_enabled.yaml
index 1c45b1f83..d5d4e1a00 100755
--- a/compliance/controls/azure/azure_servicefabric_cluster_active_directory_authentication_enabled.yaml
+++ b/compliance/controls/azure/azure_servicefabric_cluster_active_directory_authentication_enabled.yaml
@@ -1,38 +1,20 @@ ID: azure_servicefabric_cluster_active_directory_authentication_enabled Title: "Service Fabric clusters should only use Azure Active Directory for client authentication" Description: "Audit usage of client authentication only via Azure Active Directory in Service Fabric." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when azure_active_directory is not null then 'ok' - else 'alarm' - end as status, - case - when azure_active_directory is not null then a.name || ' using Azure Active Directory for client authentication.' - else a.name || ' not using Azure Active Directory for client authentication.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_service_fabric_cluster a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when azure_active_directory is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when azure_active_directory is not null then a.name || ' using Azure Active Directory for client authentication.'\n else a.name || ' not using Azure Active Directory for client authentication.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_service_fabric_cluster a,\n azure_subscription sub;\n" PrimaryTable: azure_service_fabric_cluster ListOfTables: - - azure_active_directory - - azure_service_fabric_cluster - - azure_subscription + - azure_active_directory + - azure_service_fabric_cluster + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/ServiceFabric + - Azure/ServiceFabric +IntegrationTypeName: + - azure_subscription 
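Review bot: `ListOfTables` on the new side still lists `azure_active_directory`, but the query reads only `azure_service_fabric_cluster` and `azure_subscription`; `azure_active_directory` appears to be a column of the cluster row rather than a table, so if `ListOfTables` drives what gets synced or validated this entry is stale and should be dropped. The status test `when azure_active_directory is not null then 'ok'` also accepts an empty object, so a cluster whose AAD block is present but unpopulated would be reported as using AAD; checking the specific fields the AAD configuration requires would be tighter, but confirm the column shape with the collector first. A short comment above the case, `-- presence of the azure_active_directory block is taken as AAD client auth enabled; empty blocks are not distinguished`, would make the accepted limitation explicit.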
diff --git a/compliance/controls/azure/azure_servicefabric_cluster_protection_level_as_encrypt_and_sign.yaml b/compliance/controls/azure/azure_servicefabric_cluster_protection_level_as_encrypt_and_sign.yaml
index 4d036e616..2f737c987 100755
--- a/compliance/controls/azure/azure_servicefabric_cluster_protection_level_as_encrypt_and_sign.yaml
+++ b/compliance/controls/azure/azure_servicefabric_cluster_protection_level_as_encrypt_and_sign.yaml
@@ -1,39 +1,21 @@ ID: azure_servicefabric_cluster_protection_level_as_encrypt_and_sign Title: "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign" Description: "Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when fabric_settings @> '[{"parameters":[{"value": "EncryptAndSign"}]}]'::jsonb then 'ok' - else 'alarm' - end as status, - case - when fabric_settings @> '[{"parameters":[{"value": "EncryptAndSign"}]}]'::jsonb then a.name || ' ClusterProtectionLevel property set to EncryptAndSign.' - else a.name || ' ClusterProtectionLevel property not set to EncryptAndSign.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_service_fabric_cluster a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when fabric_settings @> '[{\"parameters\":[{\"value\": \"EncryptAndSign\"}]}]'::jsonb then 'ok'\n else 'alarm'\n end as status,\n case\n when fabric_settings @> '[{\"parameters\":[{\"value\": \"EncryptAndSign\"}]}]'::jsonb then a.name || ' ClusterProtectionLevel property set to EncryptAndSign.'\n else a.name || ' ClusterProtectionLevel property not set to EncryptAndSign.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_service_fabric_cluster a,\n azure_subscription sub;\n" PrimaryTable: azure_service_fabric_cluster ListOfTables: - - azure_service_fabric_cluster - - azure_subscription + - azure_service_fabric_cluster + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/ServiceFabric + - Azure/ServiceFabric +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_signalr_service_no_free_tier_sku.yaml b/compliance/controls/azure/azure_signalr_service_no_free_tier_sku.yaml index 8035ffa09..af2d8fd3f 100755 --- a/compliance/controls/azure/azure_signalr_service_no_free_tier_sku.yaml +++ b/compliance/controls/azure/azure_signalr_service_no_free_tier_sku.yaml @@ -1,8 +1,6 @@ ID: azure_signalr_service_no_free_tier_sku Title: "SignalR Service should not use free tier SKU" Description: "This control checks whether SignalR service uses paid SKU for its SLA." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- 
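Review bot: The containment test `fabric_settings @> '[{"parameters":[{"value": "EncryptAndSign"}]}]'::jsonb` on the new side matches any parameter in any settings section whose value is `EncryptAndSign`, not the `ClusterProtectionLevel` parameter the title promises, so a cluster with that value on an unrelated parameter and `ClusterProtectionLevel` left at `None` passes as `ok`. Pinning the parameter name closes that false negative: `when fabric_settings @> '[{"parameters":[{"name":"ClusterProtectionLevel","value":"EncryptAndSign"}]}]'::jsonb then 'ok'`, and the same predicate is repeated in the reason case and needs the same change (adding the section `"name":"Security"` would be stricter still; confirm against the collected fabric_settings shape). Severity `high` is appropriate here since this property governs whether node-to-node traffic is signed and encrypted.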
@@ -22,8 +20,10 @@ Query:
sub.subscription_id = a.subscription_id;
PrimaryTable: azure_signalr_service
ListOfTables:
- - azure_signalr_service
- - azure_subscription
+ - azure_signalr_service
+ - azure_subscription
Parameters: []
Severity: low
Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_signalr_service_private_link_used.yaml b/compliance/controls/azure/azure_signalr_service_private_link_used.yaml
index 985c33e88..c840b20af 100755
--- a/compliance/controls/azure/azure_signalr_service_private_link_used.yaml
+++ b/compliance/controls/azure/azure_signalr_service_private_link_used.yaml
@@ -1,51 +1,19 @@ ID: azure_signalr_service_private_link_used Title: "Azure SignalR Service should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure SignalR Service resource instead of the entire service, you'll reduce your data leakage risks." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with signalr_service_connection as ( - select - distinct a.id - from - azure_signalr_service as a, - jsonb_array_elements(private_endpoint_connections) as connection - where - connection -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when sku ->> 'tier' = 'Free' then 'skip' - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when sku ->>'tier' = 'Free' then a.name || ' is of ' || (sku ->>'tier' )|| ' tier.' - when c.id is null then a.name || ' not uses private link.' - else a.name || ' uses private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_signalr_service as a - left join signalr_service_connection as c on c.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with signalr_service_connection as (\n select\n distinct a.id\n from\n azure_signalr_service as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when sku ->> 'tier' = 'Free' then 'skip'\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when sku ->>'tier' = 'Free' then a.name || ' is of ' || (sku ->>'tier' )|| ' tier.'\n when c.id is null then a.name || ' not uses private link.'\n else a.name || ' uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_signalr_service as a\n left join signalr_service_connection as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_signalr_service ListOfTables: - - azure_signalr_service - - azure_subscription + - azure_signalr_service + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SignalRService + - Azure/SignalRService +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_spring_cloud_service_network_injection_enabled.yaml b/compliance/controls/azure/azure_spring_cloud_service_network_injection_enabled.yaml index 89931097b..f61ecffe0 100755 --- a/compliance/controls/azure/azure_spring_cloud_service_network_injection_enabled.yaml +++ b/compliance/controls/azure/azure_spring_cloud_service_network_injection_enabled.yaml 
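Review bot: The reason text on the new side, `a.name || ' not uses private link.'`, is ungrammatical for a finding that ends up in reports; `a.name || ' does not use private link.'` reads correctly and keeps the same meaning. The control counts one `Approved` private endpoint connection as "uses private link", which says nothing about whether public access is still open on the same resource; if `azure_signalr_service` exposes the public network access setting, combining it with the connection test would make the `ok` result reflect the data-leakage risk the Description talks about, otherwise a comment above the CTE stating that only private endpoint presence is assessed would set expectations. The CTE also keys on `a.id` while the outer query joins `c.id = a.id`, which is consistent, so no change there.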
@@ -1,41 +1,19 @@ ID: azure_spring_cloud_service_network_injection_enabled Title: "Azure Spring Cloud should use network injection" Description: "Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - distinct a.name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when sku_tier <> 'Standard' then 'Skip' - when sku_tier = 'Standard' and network_profile ->> 'ServiceRuntimeSubnetID' is not null then 'ok' - else 'alarm' - end as status, - case - when sku_tier <> 'Standard' then a.name || ' is of ' || sku_tier || ' tier.' - when sku_tier = 'Standard' and network_profile ->> 'ServiceRuntimeSubnetID' is not null then a.name || ' network injection enabled.' - else a.name || ' network injection disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_spring_cloud_service as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n distinct a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when sku_tier <> 'Standard' then 'Skip'\n when sku_tier = 'Standard' and network_profile ->> 'ServiceRuntimeSubnetID' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_tier <> 'Standard' then a.name || ' is of ' || sku_tier || ' tier.'\n when sku_tier = 'Standard' and network_profile ->> 'ServiceRuntimeSubnetID' is not null then a.name || ' network injection enabled.'\n else a.name || ' network injection disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_spring_cloud_service as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_spring_cloud_service ListOfTables: - - azure_spring_cloud_service - - azure_subscription + - azure_spring_cloud_service + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SpringCloud + - Azure/SpringCloud +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_database_allow_internet_access.yaml b/compliance/controls/azure/azure_sql_database_allow_internet_access.yaml index d40aab939..8c3c2d1d6 100755 --- a/compliance/controls/azure/azure_sql_database_allow_internet_access.yaml +++ b/compliance/controls/azure/azure_sql_database_allow_internet_access.yaml 
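Review bot: The status case on the new side returns `'Skip'` with a capital S for non-Standard tiers, while every other control in this diff that skips a tier emits lowercase `'skip'` (servicebus_premium_namespace_cmk_encrypted, signalr_service_private_link_used); a consumer that matches status values case-sensitively will treat those rows as neither ok, alarm nor skip. Change it to `when sku_tier <> 'Standard' then 'skip'`. This query also selects `distinct a.name as resource` where the sibling controls use the resource id, so two Spring Cloud instances with the same name in different resource groups would collapse into one result row; using `a.id` as resource, if the table provides it, avoids that.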
@@ -1,57 +1,33 @@ ID: azure_sql_database_allow_internet_access Title: "Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)" Description: "Ensure that no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - or firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - then 'alarm' - else 'ok' - end as status, - case - when firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]' - or firewall_rules @> '[{"properties":{"endIpAddress":"255.255.255.255","startIpAddress":"0.0.0.0"}}]' - then s.title || ' allows ingress 0.0.0.0/0 or any ip over internet.' - else s.title || ' not allows ingress 0.0.0.0/0 or any ip over internet.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when firewall_rules @> '[{\"properties\":{\"endIpAddress\":\"0.0.0.0\",\"startIpAddress\":\"0.0.0.0\"}}]'\n or firewall_rules @> '[{\"properties\":{\"endIpAddress\":\"255.255.255.255\",\"startIpAddress\":\"0.0.0.0\"}}]'\n then 'alarm'\n else 'ok'\n end as status,\n case\n when firewall_rules @> '[{\"properties\":{\"endIpAddress\":\"0.0.0.0\",\"startIpAddress\":\"0.0.0.0\"}}]'\n or firewall_rules @> '[{\"properties\":{\"endIpAddress\":\"255.255.255.255\",\"startIpAddress\":\"0.0.0.0\"}}]'\n then s.title || ' allows ingress 0.0.0.0/0 or any ip over internet.'\n else s.title || ' not allows ingress 0.0.0.0/0 or any ip over internet.'\n end as reason\n \n , s.resource_group as 
resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "6.3" + - "6.3" cis_level: - - "1" + - "1" cis_section_id: - - "6" + - "6" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Network + - Azure/Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_database_long_term_geo_redundant_backup_enabled.yaml b/compliance/controls/azure/azure_sql_database_long_term_geo_redundant_backup_enabled.yaml index 92081a2bf..2f7656698 100755 --- a/compliance/controls/azure/azure_sql_database_long_term_geo_redundant_backup_enabled.yaml +++ b/compliance/controls/azure/azure_sql_database_long_term_geo_redundant_backup_enabled.yaml 
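Review bot: The two containment tests on the new side, `firewall_rules @> '[{"properties":{"endIpAddress":"0.0.0.0","startIpAddress":"0.0.0.0"}}]'` and the `0.0.0.0`–`255.255.255.255` variant, only catch those exact rule objects, so a rule such as `0.0.0.0`–`255.255.255.254` or `0.0.0.0`–`200.0.0.0` is reported as `ok` even though it is effectively "any IP". Testing the rule range instead of exact values closes that gap; the predicate is duplicated in the reason case and needs the same change there. The `'\"...\"'` escaping inside the new double-quoted scalar is also the spot most likely to be broken by a future edit, which is another reason to keep this query as a block scalar.
```yaml
  QueryToExecute: |
    select
      -- … unchanged: resource / og_* columns …
      case
        when exists (
          select 1
          from jsonb_array_elements(firewall_rules) as r
          where (r -> 'properties' ->> 'startIpAddress')::inet = '0.0.0.0'::inet
            or (r -> 'properties' ->> 'endIpAddress')::inet = '255.255.255.255'::inet
        ) then 'alarm'
        else 'ok'
      end as status,
      -- … unchanged: reason case (same predicate), resource_group / subscription, from, where …
```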
@@ -1,48 +1,21 @@ ID: azure_sql_database_long_term_geo_redundant_backup_enabled Title: "Long-term geo-redundant backup should be enabled for Azure SQL Databases" Description: "This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.database_id resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when retention_policy_property ->> 'monthlyRetention' <> 'PT0S' - or retention_policy_property ->> 'weeklyRetention' <> 'PT0S' - or retention_policy_property ->> 'yearlyRetention' <> 'PT0S' - then 'ok' - else 'alarm' - end as status, - case - when retention_policy_property ->> 'monthlyRetention' <> 'PT0S' - or retention_policy_property ->> 'weeklyRetention' <> 'PT0S' - or retention_policy_property ->> 'yearlyRetention' <> 'PT0S' - then s.title || ' long-term geo-redundant backup enabled.' - else s.title || ' long-term geo-redundant backup disabled.' 
- end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_database s, - azure_subscription sub - where - sub.subscription_id = s.subscription_id - and s.name <> 'master'; + QueryToExecute: "select\n s.database_id resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when retention_policy_property ->> 'monthlyRetention' <> 'PT0S'\n or retention_policy_property ->> 'weeklyRetention' <> 'PT0S'\n or retention_policy_property ->> 'yearlyRetention' <> 'PT0S'\n then 'ok'\n else 'alarm'\n end as status,\n case\n when retention_policy_property ->> 'monthlyRetention' <> 'PT0S'\n or retention_policy_property ->> 'weeklyRetention' <> 'PT0S'\n or retention_policy_property ->> 'yearlyRetention' <> 'PT0S'\n then s.title || ' long-term geo-redundant backup enabled.'\n else s.title || ' long-term geo-redundant backup disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_database s,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id\n and s.name <> 'master';\n" PrimaryTable: azure_sql_database ListOfTables: - - azure_sql_database - - azure_subscription + - azure_sql_database + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_database_transparent_data_encryption_enabled.yaml b/compliance/controls/azure/azure_sql_database_transparent_data_encryption_enabled.yaml index e7666704d..6d9f450ae 100755 --- a/compliance/controls/azure/azure_sql_database_transparent_data_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_sql_database_transparent_data_encryption_enabled.yaml 
@@ -1,54 +1,33 @@ ID: azure_sql_database_transparent_data_encryption_enabled Title: "SQL databases transparent data encryption should be enabled" Description: "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.database_id resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when transparent_data_encryption ->> 'status' = 'Enabled' or transparent_data_encryption ->> 'state' = 'Enabled' then 'ok' - else 'alarm' - end as status, - case - when transparent_data_encryption ->> 'status' = 'Enabled' or transparent_data_encryption ->> 'state' = 'Enabled' then s.title || ' transparent data encryption enabled.' - else s.title || ' transparent data encryption disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_database as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id - and s.name <> 'master'; + QueryToExecute: "select\n s.database_id resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when transparent_data_encryption ->> 'status' = 'Enabled' or transparent_data_encryption ->> 'state' = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when transparent_data_encryption ->> 'status' = 'Enabled' or transparent_data_encryption ->> 'state' = 'Enabled' then s.title || ' transparent data encryption enabled.'\n else s.title || ' transparent data encryption disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_database as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id\n and s.name <> 'master';\n" PrimaryTable: azure_sql_database ListOfTables: - - azure_sql_database - - azure_subscription + - azure_sql_database + - azure_subscription Parameters: [] 
Severity: The text does not provide information about a specific Azure Control to determine its suggested severity. Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.1.2 + - 4.1.2 cis_level: - - "1" + - "1" cis_section_id: - - "4.1" + - "4.1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_database_vulnerability_findings_resolved.yaml b/compliance/controls/azure/azure_sql_database_vulnerability_findings_resolved.yaml index 28715cfec..2e5f26fd3 100755 --- a/compliance/controls/azure/azure_sql_database_vulnerability_findings_resolved.yaml +++ b/compliance/controls/azure/azure_sql_database_vulnerability_findings_resolved.yaml 
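Review bot: `Severity:` in this hunk carries a prose sentence (`The text does not provide information about a specific Azure Control to determine its suggested severity.`) instead of one of the levels every other control uses (`low`, `medium`, `high`), so a consumer that parses severity as an enum will reject this control or rank it unpredictably; the sentence looks like leftover generated text. Transparent data encryption is a CIS automated item and the sibling sql controls in this diff carry `Severity: high`, so `Severity: high` is the likely intended value, to be confirmed with the control owner. `cis_item_id: - 4.1.2` is also the only unquoted item id in the diff; quoting it as `"4.1.2"` keeps it consistent with `"4.4"` and `"6.3"` and protects it from any re-typing by tooling.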
@@ -1,58 +1,23 @@ ID: azure_sql_database_vulnerability_findings_resolved Title: "SQL databases should have vulnerability findings resolved" Description: "Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vulnerability_findings as ( - select - db.id as database_id, - scan ->> 'endTime' latest_scan_end_time, - scan ->> 'numberOfFailedSecurityChecks' no_of_failed_sec_checks - from - azure_sql_database as db, - jsonb_array_elements(vulnerability_assessment_scan_records) as scan - where - (scan ->> 'numberOfFailedSecurityChecks')::int = 0 - order by scan ->> 'endTime' desc nulls last - limit 1 - ) - select - distinct a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when s.database_id is not null then 'ok' - else 'alarm' - end as status, - case - when s.database_id is not null then a.name || ' vulnerability findings resolved.' - else a.title || ' vulnerability findings not resolved.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_database as a - left join vulnerability_findings as s on a.id = s.database_id, - azure_subscription as sub - where - a.name <> 'master' - and sub.subscription_id = a.subscription_id; + QueryToExecute: "with vulnerability_findings as (\n select\n db.id as database_id,\n scan ->> 'endTime' latest_scan_end_time,\n scan ->> 'numberOfFailedSecurityChecks' no_of_failed_sec_checks\n from\n azure_sql_database as db,\n jsonb_array_elements(vulnerability_assessment_scan_records) as scan\n where\n (scan ->> 'numberOfFailedSecurityChecks')::int = 0\n order by scan ->> 'endTime' desc nulls last\n limit 1\n)\nselect\n distinct a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when s.database_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when s.database_id is not null then a.name || ' vulnerability findings resolved.'\n else a.title || ' vulnerability findings not resolved.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_database as a\n left join vulnerability_findings as s on a.id = s.database_id,\n azure_subscription as sub\nwhere\n a.name <> 'master'\n and sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_sql_database ListOfTables: - - azure_sql_database - - azure_subscription + - azure_sql_database + - azure_subscription Parameters: [] Severity: high Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_db_active_directory_admin_configured.yaml b/compliance/controls/azure/azure_sql_db_active_directory_admin_configured.yaml index 33b69a8d0..0af528da3 100755 
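Review bot: The `vulnerability_findings` CTE on the new side filters to scans with `numberOfFailedSecurityChecks = 0`, then orders by `endTime` and applies `limit 1` across all databases, so at most one database in the whole result set can ever be `ok`, and that one is chosen by "latest clean scan anywhere" rather than "its latest scan is clean" — a database whose most recent scan failed but had a clean scan earlier can still be marked resolved. Taking the latest scan per database with `distinct on (db.id)` and testing its failed-check count in the outer case fixes both, and the reason branches should agree on `a.name` (one currently uses `a.title`). Databases with no scan records keep falling through to `alarm`, as before.
```yaml
  QueryToExecute: |
    with vulnerability_findings as (
      select distinct on (db.id)
        db.id as database_id,
        scan ->> 'endTime' as latest_scan_end_time,
        (scan ->> 'numberOfFailedSecurityChecks')::int as no_of_failed_sec_checks
      from
        azure_sql_database as db,
        jsonb_array_elements(vulnerability_assessment_scan_records) as scan
      order by db.id, scan ->> 'endTime' desc nulls last
    )
    select
      -- … unchanged: resource / og_* columns …
      case
        when s.no_of_failed_sec_checks = 0 then 'ok'
        else 'alarm'
      end as status,
      case
        when s.no_of_failed_sec_checks = 0 then a.name || ' vulnerability findings resolved.'
        else a.name || ' vulnerability findings not resolved.'
      end as reason
      -- … unchanged: resource_group / subscription columns, from, where …
```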
--- a/compliance/controls/azure/azure_sql_db_active_directory_admin_configured.yaml
+++ b/compliance/controls/azure/azure_sql_db_active_directory_admin_configured.yaml
@@ -1,54 +1,34 @@ ID: azure_sql_db_active_directory_admin_configured Title: "Ensure that Azure Active Directory Admin is configured" Description: "Use Azure Active Directory Authentication for authentication with SQL Database." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when server_azure_ad_administrator is null then 'alarm' - else 'ok' - end as status, - case - when server_azure_ad_administrator is null then name || ' Azure AD authentication not configured.' - else name || ' Azure AD authentication configured.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when server_azure_ad_administrator is null then 'alarm'\n else 'ok'\n end as status,\n case\n when server_azure_ad_administrator is null then name || ' Azure AD authentication not configured.'\n else name || ' Azure AD authentication configured.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_ad_administrator - - azure_sql_server - - azure_subscription + - azure_ad_administrator + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "4.4" + - "4.4" cis_level: - - "1" + - "1" cis_section_id: - - "4" + - "4" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription 
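Review bot: `ListOfTables` on the new side lists `azure_ad_administrator`, but the query reads only `azure_sql_server` and `azure_subscription`; `server_azure_ad_administrator` is used as a column of the server row, so the extra table entry looks stale and should be dropped if `ListOfTables` drives syncing or validation. The reason case uses an unqualified `name` (`name || ' Azure AD authentication not configured.'`) in a query that joins two tables; if `azure_subscription` also exposes a `name` column the query fails with an ambiguous reference, so `s.name` is the safer spelling either way. The same unqualified `name` appears in the sql_db_public_network_access_disabled hunk below.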
diff --git a/compliance/controls/azure/azure_sql_db_public_network_access_disabled.yaml b/compliance/controls/azure/azure_sql_db_public_network_access_disabled.yaml
index cbb7174f6..6544614d8 100755
--- a/compliance/controls/azure/azure_sql_db_public_network_access_disabled.yaml
+++ b/compliance/controls/azure/azure_sql_db_public_network_access_disabled.yaml
@@ -1,39 +1,19 @@ ID: azure_sql_db_public_network_access_disabled Title: "Public network access on Azure SQL Database should be disabled" Description: "Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when public_network_access = 'Enabled' then 'alarm' - else 'ok' - end as status, - case - when public_network_access = 'Enabled' then name || ' public network access enabled.' - else name || ' public network access disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when public_network_access = 'Enabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when public_network_access = 'Enabled' then name || ' public network access enabled.'\n else name || ' public network access disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription 
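Review bot: The status case on the new side, `when public_network_access = 'Enabled' then 'alarm' else 'ok'`, reports `ok` whenever the column is null, so a server on which the property was never set, and which Azure treats as publicly reachable by default, is scored as compliant. If the collector leaves the column null for an unset property, `when coalesce(public_network_access, 'Enabled') = 'Enabled' then 'alarm'` (mirrored in the reason case) keeps the fail-closed reading; confirm the null behaviour against the `azure_sql_server` schema before changing it. The reason branches also use an unqualified `name` in a two-table query, which is safer written as `s.name`.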
diff --git a/compliance/controls/azure/azure_sql_server_and_databases_va_enabled.yaml b/compliance/controls/azure/azure_sql_server_and_databases_va_enabled.yaml
index e5d4f6a08..1d9cfce57 100755
--- a/compliance/controls/azure/azure_sql_server_and_databases_va_enabled.yaml
+++ b/compliance/controls/azure/azure_sql_server_and_databases_va_enabled.yaml
@@ -1,55 +1,33 @@ ID: azure_sql_server_and_databases_va_enabled Title: "Vulnerability assessment should be enabled on your SQL servers" Description: "Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.' - else s.name || ' VA setting enabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.'\n else s.name || ' VA setting enabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - 
Compliance cis: - - "true" + - "true" cis_item_id: - - 4.2.2 + - 4.2.2 cis_level: - - "2" + - "2" cis_section_id: - - "4.2" + - "4.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_atp_enabled.yaml b/compliance/controls/azure/azure_sql_server_atp_enabled.yaml index cb6c9604c..d27e37b2e 100755 --- a/compliance/controls/azure/azure_sql_server_atp_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_atp_enabled.yaml 
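Review bot: The status and reason in the rewritten query are computed only from `security -> 'properties' ->> 'state'`, so the `jsonb_array_elements(server_vulnerability_assessment) assessment` row set is expanded but never inspected; the control reports 'ok' whenever the security alert policy is enabled, whatever the vulnerability assessment setting the title is about. The alarm branch should also cover the assessment itself, e.g. `or assessment -> 'properties' ->> 'storageContainerPath' is null`, and the cross join deserves a look since every extra element of either array duplicates the resource row. Note too that `jsonb_array_elements` over a NULL or empty array produces no rows, so a server with no VA or alert-policy configuration drops out of the result instead of alarming; the same inner-join pattern is in the atp_enabled, auditing_on, auditing_retention_period_90, tde_protector_cmk_encrypted and va_setting_periodic_scan_enabled hunks, while azure_sql_server_azure_defender_enabled shows the left-join form that keeps such servers visible.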
@@ -1,54 +1,33 @@ ID: azure_sql_server_atp_enabled Title: "Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers" Description: "Enable \\\"Azure Defender for SQL\\\" on critical SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.' - else s.name || ' Azure defender enabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.'\n else s.name || ' Azure defender enabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: critical Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.2.1 + - 4.2.1 cis_level: - - "2" + - "2" cis_section_id: - - "4.2" + - "4.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - 
- Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_auditing_on.yaml b/compliance/controls/azure/azure_sql_server_auditing_on.yaml index 5a6e5699f..6239f5fc1 100755 --- a/compliance/controls/azure/azure_sql_server_auditing_on.yaml +++ b/compliance/controls/azure/azure_sql_server_auditing_on.yaml 
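Review bot: This control and azure_sql_server_azure_defender_enabled later in this chunk test the same `server_security_alert_policy` state but disagree on logic and severity: here any policy element with state 'Disabled' alarms at `critical`, there only the policy named 'Default' is consulted, analytics servers are skipped, and the severity is `high`. The two will emit conflicting findings for the same server; either fold them into one control or state in `Description` which is authoritative and why the severities differ. The unchanged `Description` here also appears to carry literal backslashes (`\\\"`) into the rendered text, which looks like pre-existing escaping damage worth cleaning up while the file is being touched.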
@@ -1,54 +1,33 @@ ID: azure_sql_server_auditing_on Title: "Auditing on SQL server should be enabled" Description: "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.' - else name || ' auditing enabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.'\n else name || ' auditing enabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.1.1 + - 4.1.1 cis_level: - - "1" + - "1" cis_section_id: - - "4.1" + - "4.1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL 
+IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_auditing_retention_period_90.yaml b/compliance/controls/azure/azure_sql_server_auditing_retention_period_90.yaml index 83ae2f03b..645aea8a8 100755 --- a/compliance/controls/azure/azure_sql_server_auditing_retention_period_90.yaml +++ b/compliance/controls/azure/azure_sql_server_auditing_retention_period_90.yaml 
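Review bot: `name` is left unqualified in the reason expressions (`name || ' auditing disabled.'`) while `s.id`, `s.og_account_id` and `s.resource_group` are qualified; with `azure_subscription sub` in the same from-list this resolves only if `azure_subscription` exposes no `name` column, which cannot be confirmed from this hunk, and an ambiguous-column error would silently turn the control into no findings at all. Qualifying it as `s.name`, as the va_enabled and atp_enabled hunks already do, removes the ambiguity. The same bare `name` appears in the public_network_access_disabled and auditing_retention_period_90 hunks.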
@@ -1,56 +1,33 @@ ID: azure_sql_server_auditing_retention_period_90 Title: "Ensure that 'Auditing' Retention is 'greater than 90 days'" Description: "SQL Server Audit Retention should be configured to be greater than 90 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok' - else 'alarm' - end as status, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.' - else name || ' audit retention less than 90 days.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.'\n else name || ' audit retention less than 90 days.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" 
PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.1.3 + - 4.1.3 cis_level: - - "1" + - "1" cis_section_id: - - "4.1" + - "4.1" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_auditing_storage_account_destination_retention_90_days.yaml b/compliance/controls/azure/azure_sql_server_auditing_storage_account_destination_retention_90_days.yaml index e0fc6e1ab..28a3aa4b2 100755 --- a/compliance/controls/azure/azure_sql_server_auditing_storage_account_destination_retention_90_days.yaml +++ b/compliance/controls/azure/azure_sql_server_auditing_storage_account_destination_retention_90_days.yaml 
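Review bot: The rewritten status never consults `audit -> 'properties' ->> 'state'`, so an audit policy that is disabled but still carries `retentionDays` of 0 is reported 'ok' with the reason 'audit retention set to unlimited days.'. The storage-account retention control that follows gates on `state = 'Enabled'` before looking at retention; adding a leading branch such as `when audit -> 'properties' ->> 'state' is distinct from 'Enabled' then 'alarm'` (or 'skip', if auditing_on is meant to own that finding) keeps this control from vouching for a retention period that is not in effect. The `is distinct from` form matters because a plain `<>` against a NULL state would fall through to the retention branches.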
@@ -1,59 +1,19 @@ ID: azure_sql_server_auditing_storage_account_destination_retention_90_days Title: "SQL servers with auditing to storage account destination should be configured with 90 days retention or higher" Description: "For incident investigation purposes, we recommend setting the data retention for your SQL Server' auditing to storage account destination to at least 90 days. Confirm that you are meeting the necessary retention rules for the regions in which you are operating. This is sometimes required for compliance with regulatory standards." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with sql_server as( - select - id, - name, - subscription_id, - resource_group, - p -> 'properties' ->> 'retentionDays' as retentionDays - from - azure_sql_server, - jsonb_array_elements(server_audit_policy) as p - where - p -> 'properties' ->> 'state' = 'Enabled' - and p -> 'properties' ->> 'storageEndpoint' is not null - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when s.id is null then 'skip' - -- The value in days of the retention period (0 is an indication for unlimited retention). - when s.retentionDays::Integer = 0 then 'ok' - when s.retentionDays::Integer >= 90 then 'ok' - else 'alarm' - end as status, - case - when s.id is null then a.name || ' auditing to storage account destination not enabled.' - when s.retentionDays::Integer = 0 then a.name || ' auditing to storage account destination configured with unlimited retention days.' - when s.retentionDays::Integer >= 90 then a.name || ' auditing to storage account destination configured with 90 days retention or higher.' - else a.name || ' auditing to storage account destination not configured with 90 days retention or higher.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server as a - left join sql_server as s on s.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with sql_server as(\n select\n id,\n name,\n subscription_id,\n resource_group,\n p -> 'properties' ->> 'retentionDays' as retentionDays\n from\n azure_sql_server,\n jsonb_array_elements(server_audit_policy) as p\n where\n p -> 'properties' ->> 'state' = 'Enabled'\n and p -> 'properties' ->> 'storageEndpoint' is not null\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when s.id is null then 'skip'\n -- The value in days of the retention period (0 is an indication for unlimited retention).\n when s.retentionDays::Integer = 0 then 'ok'\n when s.retentionDays::Integer >= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when s.id is null then a.name || ' auditing to storage account destination not enabled.'\n when s.retentionDays::Integer = 0 then a.name || ' auditing to storage account destination configured with unlimited retention days.'\n when s.retentionDays::Integer >= 90 then a.name || ' auditing to storage account destination configured with 90 days retention or higher.'\n else a.name || ' auditing to storage account destination not configured with 90 days retention or higher.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server as a\n left join sql_server as s on s.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_sql_server_azure_ad_authentication_enabled.yaml b/compliance/controls/azure/azure_sql_server_azure_ad_authentication_enabled.yaml index 63039ccd3..8cda0fce5 100755 --- a/compliance/controls/azure/azure_sql_server_azure_ad_authentication_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_azure_ad_authentication_enabled.yaml 
@@ -1,52 +1,22 @@ ID: azure_sql_server_azure_ad_authentication_enabled Title: "An Azure Active Directory administrator should be provisioned for SQL servers" Description: "Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with sever_with_ad_admin as ( - select - distinct a.id - from - azure_sql_server as a, - jsonb_array_elements(server_azure_ad_administrator) as ad_admin - where - ad_admin ->> 'type' = 'Microsoft.Sql/servers/administrators' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when s.id is not null then 'ok' - else 'alarm' - end as status, - case - when s.id is not null then a.name || ' azure AD authentication enabled.' - else a.name || ' azure AD authentication disabled.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server as a - left join sever_with_ad_admin as s on a.id = s.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with sever_with_ad_admin as (\n select\n distinct a.id\n from\n azure_sql_server as a,\n jsonb_array_elements(server_azure_ad_administrator) as ad_admin\n where\n ad_admin ->> 'type' = 'Microsoft.Sql/servers/administrators'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when s.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when s.id is not null then a.name || ' azure AD authentication enabled.'\n else a.name || ' azure AD authentication disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server as a\n left join sever_with_ad_admin as s on a.id = s.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_ad_administrator - - azure_sql_server - - azure_subscription + - azure_ad_administrator + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_azure_defender_enabled.yaml b/compliance/controls/azure/azure_sql_server_azure_defender_enabled.yaml index d3cfc6b8c..c8aee27ff 100755 --- a/compliance/controls/azure/azure_sql_server_azure_defender_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_azure_defender_enabled.yaml 
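Review bot: The new `ListOfTables` entries list `azure_ad_administrator`, but the query reads only `azure_sql_server` (through its `server_azure_ad_administrator` column) and `azure_subscription`; if the engine uses this list to schedule or authorize table access, the extra entry is either a dead dependency or a sign the query was meant to join a separate table. Drop the entry or make the query match it. The CTE name `sever_with_ad_admin` is also a typo for `server_with_ad_admin` and is used twice in the string.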
@@ -1,52 +1,19 @@ ID: azure_sql_server_azure_defender_enabled Title: "Azure Defender for SQL should be enabled for unprotected Azure SQL servers" Description: "Audit SQL servers without Advanced Data Security." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with sql_server_policy as ( - select - distinct a.name - from - azure_sql_server as a, - jsonb_array_elements(server_security_alert_policy) as policy - where - policy ->> 'name' = 'Default' - and policy -> 'properties' ->> 'state' = 'Enabled' - ) - select - distinct a.name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when kind like '%analytics%' then 'skip' - when s.name is null then 'alarm' - else 'ok' - end as status, - case - when kind like '%analytics%' then a.name || ' azure defender not applicable.' - when s.name is null then a.name || 'sql azure defender disabled.' - else a.name || ' sql azure defender enabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server as a - left join sql_server_policy as s on a.name = s.name, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with sql_server_policy as (\n select\n distinct a.name\n from\n azure_sql_server as a,\n jsonb_array_elements(server_security_alert_policy) as policy\n where\n policy ->> 'name' = 'Default'\n and policy -> 'properties' ->> 'state' = 'Enabled'\n)\nselect\n distinct a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when kind like '%analytics%' then 'skip'\n when s.name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when kind like '%analytics%' then a.name || ' azure defender not applicable.'\n when s.name is null then a.name || 'sql azure defender disabled.'\n else a.name || ' sql azure defender enabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as 
subscription\nfrom\n azure_sql_server as a\n left join sql_server_policy as s on a.name = s.name,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_tde_protector_cmk_encrypted.yaml b/compliance/controls/azure/azure_sql_server_tde_protector_cmk_encrypted.yaml index f7b40de42..14cd6daed 100755 --- a/compliance/controls/azure/azure_sql_server_tde_protector_cmk_encrypted.yaml +++ b/compliance/controls/azure/azure_sql_server_tde_protector_cmk_encrypted.yaml 
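Review bot: The alarm reason `a.name || 'sql azure defender disabled.'` lacks the leading space every other reason string in this chunk has, so the finding renders as `<name>sql azure defender disabled.`; it should be `a.name || ' sql azure defender disabled.'`. This control also reports `a.name` as `resource` and joins the CTE on name, whereas the rest of the chunk keys resources on `id`; if the platform correlates or deduplicates findings by the `resource` column, these results will not line up with the other SQL-server controls for the same server.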
@@ -1,54 +1,33 @@ ID: azure_sql_server_tde_protector_cmk_encrypted Title: "SQL servers should use customer-managed keys to encrypt data at rest" Description: "Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when encryption ->> 'kind' = 'servicemanaged' then 'alarm' - else 'ok' - end as status, - case - when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.' - else s.name || ' TDE protector encrypted with CMK.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - jsonb_array_elements(encryption_protector) encryption, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when encryption ->> 'kind' = 'servicemanaged' then 'alarm'\n else 'ok'\n end as status,\n case\n when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.'\n else s.name || ' TDE protector encrypted with CMK.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n jsonb_array_elements(encryption_protector) encryption,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + 
- Compliance cis: - - "true" + - "true" cis_item_id: - - "4.5" + - "4.5" cis_level: - - "2" + - "2" cis_section_id: - - "4" + - "4" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_threat_detection_all_enabled.yaml b/compliance/controls/azure/azure_sql_server_threat_detection_all_enabled.yaml index 90654d930..ec561d5c9 100755 --- a/compliance/controls/azure/azure_sql_server_threat_detection_all_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_threat_detection_all_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_sql_server_threat_detection_all_enabled Title: "SQL server threat detection should be enabled for all" Description: "This control ensures that SQL server threat detection is enabled for all." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -35,8 +33,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_transparent_data_encryption_enabled.yaml b/compliance/controls/azure/azure_sql_server_transparent_data_encryption_enabled.yaml index 5f9d67dff..259d63164 100755 --- a/compliance/controls/azure/azure_sql_server_transparent_data_encryption_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_transparent_data_encryption_enabled.yaml 
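Review bot: The status in the rewritten query fails open: `case when encryption ->> 'kind' = 'servicemanaged' then 'alarm' else 'ok'` reports 'ok' when `kind` is absent from the element or cased differently, and comparing against a lowercase literal is brittle if the API ever returns the value in mixed case. A safer shape is `when encryption ->> 'kind' is null or lower(encryption ->> 'kind') = 'servicemanaged' then 'alarm' else 'ok'`, or better still, alarm unless the protector positively identifies as customer-managed. As with the other inner-join controls in this chunk, a server whose `encryption_protector` array is NULL or empty yields no row at all rather than a finding.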
@@ -1,39 +1,19 @@ ID: azure_sql_server_transparent_data_encryption_enabled Title: "Transparent Data Encryption on SQL databases should be enabled" Description: "Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - db.id as resource, - db.og_account_id as og_account_id, - db.og_resource_id as og_resource_id, - case - when transparent_data_encryption ->> 'status' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when transparent_data_encryption ->> 'status' = 'Disabled' then db.name || ' transparent data encryption off.' - else db.name || ' transparent data encryption on.' - end as reason - - , db.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_database db, - azure_subscription sub - where - sub.subscription_id = db.subscription_id; + QueryToExecute: "select\n db.id as resource,\n db.og_account_id as og_account_id,\n db.og_resource_id as og_resource_id,\n case\n when transparent_data_encryption ->> 'status' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when transparent_data_encryption ->> 'status' = 'Disabled' then db.name || ' transparent data encryption off.'\n else db.name || ' transparent data encryption on.'\n end as reason\n \n , db.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_database db,\n azure_subscription sub\nwhere\n sub.subscription_id = db.subscription_id;\n" PrimaryTable: azure_sql_database ListOfTables: - - azure_sql_database - - azure_subscription + - azure_sql_database + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription 
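Review bot: `case when transparent_data_encryption ->> 'status' = 'Disabled' then 'alarm' else 'ok'` treats a database with no `transparent_data_encryption` data (NULL, or a missing `status` key) as encrypted, which is the wrong default for an encryption-at-rest control. Make the compliant branch the positive match, `when transparent_data_encryption ->> 'status' = 'Enabled' then 'ok' else 'alarm'`, and swap the two reason strings to match.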
diff --git a/compliance/controls/azure/azure_sql_server_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_sql_server_use_virtual_service_endpoint.yaml index 3c07e7a0c..ba7aa1d72 100755 --- a/compliance/controls/azure/azure_sql_server_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_sql_server_use_virtual_service_endpoint.yaml 
@@ -1,48 +1,19 @@ ID: azure_sql_server_use_virtual_service_endpoint Title: "SQL Server should use a virtual network service endpoint" Description: "This policy audits any SQL Server not configured to use a virtual network service endpoint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with sql_server_subnet as ( - select - distinct a.name, - rule -> 'properties' -> 'virtualNetworkSubnetId' as subnet_id - from - azure_sql_server as a, - jsonb_array_elements(virtual_network_rules) as rule - ) - select - distinct a.name as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when s.name is null then 'alarm' - else 'ok' - end as status, - case - when s.name is null then a.name || ' not configured with virtual service endpoint.' - else a.name || ' configured with virtual service endpoint.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server as a - left join sql_server_subnet as s on a.name = s.name, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with sql_server_subnet as (\n select\n distinct a.name,\n rule -> 'properties' -> 'virtualNetworkSubnetId' as subnet_id\n from\n azure_sql_server as a,\n jsonb_array_elements(virtual_network_rules) as rule\n)\nselect\n distinct a.name as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when s.name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when s.name is null then a.name || ' not configured with virtual service endpoint.'\n else a.name || ' configured with virtual service endpoint.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server as a\n left join sql_server_subnet as s on a.name = s.name,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - 
azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_uses_private_link.yaml b/compliance/controls/azure/azure_sql_server_uses_private_link.yaml index e84738c5c..84606de51 100755 --- a/compliance/controls/azure/azure_sql_server_uses_private_link.yaml +++ b/compliance/controls/azure/azure_sql_server_uses_private_link.yaml 
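Review bot: The CTE projects `rule -> 'properties' -> 'virtualNetworkSubnetId' as subnet_id` but nothing reads it, so the control passes any server that has at least one element in `virtual_network_rules`, whatever that rule's state or subnet. Either drop the column or use it, e.g. add `where rule -> 'properties' ->> 'virtualNetworkSubnetId' is not null` to the CTE so a rule without a subnet does not count as a service endpoint. The query also selects `a.name` as `resource` and joins on name while the rest of this chunk keys resources on `id`, so its findings may not correlate with the other SQL-server controls.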
@@ -1,49 +1,19 @@ ID: azure_sql_server_uses_private_link Title: "Private endpoint connections on Azure SQL Database should be enabled" Description: "Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with sql_server_private_connection as ( - select - distinct a.id - from - azure_sql_server as a, - jsonb_array_elements(private_endpoint_connections) as connection - where - connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when c.id is null then a.name || ' not uses private link.' - else a.name || ' uses private link.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server as a - left join sql_server_private_connection as c on c.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with sql_server_private_connection as (\n select\n distinct a.id\n from\n azure_sql_server as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection ->> 'PrivateLinkServiceConnectionStateStatus' = 'Approved'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.id is null then a.name || ' not uses private link.'\n else a.name || ' uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server as a\n left join sql_server_private_connection as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - 
azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SQL + - Azure/SQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_sql_server_va_setting_periodic_scan_enabled.yaml b/compliance/controls/azure/azure_sql_server_va_setting_periodic_scan_enabled.yaml index accf2ba42..c89956374 100755 --- a/compliance/controls/azure/azure_sql_server_va_setting_periodic_scan_enabled.yaml +++ b/compliance/controls/azure/azure_sql_server_va_setting_periodic_scan_enabled.yaml 
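Review bot: The reason strings `' not uses private link.'` and `' uses private link.'` are ungrammatical user-facing text; `' does not use a private link.'` and `' uses a private link.'` read correctly and are what an analyst will see in the finding. The logic itself fails closed (a server with no approved connection, including one whose `private_endpoint_connections` is NULL, lands on the left join's 'alarm' branch), which is the right default here and the pattern the other inner-join controls in this chunk could borrow.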
@@ -1,71 +1,33 @@ ID: azure_sql_server_va_setting_periodic_scan_enabled Title: "Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server" Description: "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - then s.name || ' VA setting periodic recurring scans disabled.' - else s.name || ' VA setting periodic recurring scans enabled.' 
- end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then s.name || ' VA setting periodic recurring scans disabled.'\n else s.name || ' VA setting periodic recurring scans enabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.2.3 + - 4.2.3 cis_level: - - "2" + - "2" cis_section_id: - - "4.2" + - "4.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL 
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_sql_server_va_setting_reports_notify_admins.yaml b/compliance/controls/azure/azure_sql_server_va_setting_reports_notify_admins.yaml
index 4e4f70069..1e6ed56e5 100755
--- a/compliance/controls/azure/azure_sql_server_va_setting_reports_notify_admins.yaml
+++ b/compliance/controls/azure/azure_sql_server_va_setting_reports_notify_admins.yaml
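Review bot: The alarm condition in the new `QueryToExecute` only fires when `storageContainerPath` is not null, so a server whose security alert policy is `Enabled` but which has no vulnerability assessment storage configured at all falls through to `ok`, the opposite of what CIS 4.2.3 asks for; the same happens when the policy `state` is null or any value other than `Disabled`. A fail-closed form is `when security -> 'properties' ->> 'state' is distinct from 'Enabled' or assessment -> 'properties' ->> 'storageContainerPath' is null or assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' is distinct from 'true' then 'alarm'`, applied to both the `status` and `reason` cases. Separately, the comma joins over `jsonb_array_elements(server_security_alert_policy)` and `jsonb_array_elements(server_vulnerability_assessment)` produce zero rows for a server whose array is empty or null, so such servers vanish from the results instead of being reported; a `left join lateral` with a null check would keep them visible.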
@@ -1,71 +1,33 @@ ID: azure_sql_server_va_setting_reports_notify_admins Title: "Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server" Description: "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.' - else s.name || ' VA setting configured to send email notifications to subscription admins and owners.' 
- end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.'\n else s.name || ' VA setting configured to send email notifications to subscription admins and owners.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.2.5 + - 4.2.5 cis_level: - - "2" + - "2" cis_section_id: - - "4.2" + - "4.2" cis_type: - - automated + - 
automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_sql_server_va_setting_scan_reports_configured.yaml b/compliance/controls/azure/azure_sql_server_va_setting_scan_reports_configured.yaml
index 701dce2fe..3d3b8b374 100755
--- a/compliance/controls/azure/azure_sql_server_va_setting_scan_reports_configured.yaml
+++ b/compliance/controls/azure/azure_sql_server_va_setting_scan_reports_configured.yaml
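Review bot: As in the periodic-scan control, the new query's `ok` branch is reached whenever `emailSubscriptionAdmins` is missing from `recurringScans` or the assessment has no `storageContainerPath`, so a server on which Vulnerability Assessment was never set up is reported as notifying admins. The `->> 'emailSubscriptionAdmins' = 'false'` test should become `is distinct from 'true'`, and the `storageContainerPath is not null` guard should be an alarm condition of its own (`or assessment -> 'properties' ->> 'storageContainerPath' is null`). Because `jsonb_array_elements(server_vulnerability_assessment)` is a comma join, servers with an empty or null assessment array produce no row at all and are silently absent from the report.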
@@ -1,71 +1,33 @@ ID: azure_sql_server_va_setting_scan_reports_configured Title: "Ensure that VA setting 'Send scan reports to' is configured for a SQL server" Description: "Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - then s.name || ' VA scan reports and alerts not configured send email.' - else s.name || ' VA scan reports and alerts configured to send email.' 
- end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then s.name || ' VA scan reports and alerts not configured send email.'\n else s.name || ' VA scan reports and alerts configured to send email.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - 4.2.4 + - 4.2.4 cis_level: - - "2" + - "2" cis_section_id: - - "4.2" + - "4.2" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/SQL + - Azure/SQL 
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_storage_account_blob_containers_public_access_private.yaml b/compliance/controls/azure/azure_storage_account_blob_containers_public_access_private.yaml
index 5e35c4b91..fc2b21dae 100755
--- a/compliance/controls/azure/azure_storage_account_blob_containers_public_access_private.yaml
+++ b/compliance/controls/azure/azure_storage_account_blob_containers_public_access_private.yaml
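Review bot: The new query detects an empty recipient list with `assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'`, a text comparison against the serialized array: it matches only the exact text `[]`, so a missing `emails` key (null) compares as null and the server reports `ok`. Comparing on the JSON value is more robust and fails closed: `coalesce(jsonb_array_length(assessment -> 'properties' -> 'recurringScans' -> 'emails'), 0) = 0`. As in the sibling VA controls, the `storageContainerPath is not null` guard lets a server with no VA storage configured pass, and the comma join on `server_vulnerability_assessment` drops servers with an empty array from the results entirely.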
@@ -1,54 +1,34 @@ ID: azure_storage_account_blob_containers_public_access_private Title: "Ensure that 'Public access level' is set to Private for blob containers" Description: "Disable anonymous access to blob containers and disallow blob public access on storage account." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - container.id as resource, - container.og_account_id as og_account_id, - container.og_resource_id as og_resource_id, - case - when not account.allow_blob_public_access and container.public_access = 'None' then 'ok' - else 'alarm' - end as status, - case - when not account.allow_blob_public_access and container.public_access = 'None' - then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.' - else account.name || ' container ' || container.name || ' allows anonymous access.' - end as reason - - , container.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_container container - join azure_storage_account account on container.account_name = account.name - join azure_subscription sub on sub.subscription_id = account.subscription_id; + QueryToExecute: "select\n container.id as resource,\n container.og_account_id as og_account_id,\n container.og_resource_id as og_resource_id,\n case\n when not account.allow_blob_public_access and container.public_access = 'None' then 'ok'\n else 'alarm'\n end as status,\n case\n when not account.allow_blob_public_access and container.public_access = 'None'\n then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'\n else account.name || ' container ' || container.name || ' allows anonymous access.'\n end as reason\n \n , container.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_container container\n join azure_storage_account account on container.account_name = account.name\n join azure_subscription sub on sub.subscription_id = 
account.subscription_id;\n" PrimaryTable: azure_storage_container ListOfTables: - - azure_storage_account - - azure_storage_container - - azure_subscription + - azure_storage_account + - azure_storage_container + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.5" + - "3.5" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_blob_service_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_blob_service_logging_enabled.yaml index 547adb163..75dfc0917 100755 --- a/compliance/controls/azure/azure_storage_account_blob_service_logging_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_blob_service_logging_enabled.yaml 
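Review bot: The alarm branch of the new query folds two different findings into one reason string: `account.allow_blob_public_access` being null (property never set) or true, and `container.public_access` being something other than `None`; the text then claims the container `allows anonymous access` even when the container itself is private and only the account-level switch is unset. Keeping the fail-closed status but splitting the reason, e.g. an earlier `when container.public_access <> 'None' then account.name || ' container ' || container.name || ' has public access level ' || container.public_access || '.'`, tells the operator which setting to fix. Whether a null `allow_blob_public_access` actually permits anonymous reads depends on Azure's default for that account, so the conservative alarm is right but the wording should not assert it.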
@@ -1,62 +1,33 @@ ID: azure_storage_account_blob_service_logging_enabled Title: "Ensure Storage logging is enabled for Blob service for read, write, and delete requests" Description: "The Storage Blob service provides scalable, cost-efficient objective storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when not (sa.blob_service_logging ->> 'Read') :: boolean - or not (sa.blob_service_logging ->> 'Write') :: boolean - or not (sa.blob_service_logging ->> 'Delete') :: boolean then 'alarm' - else 'ok' - end as status, - case - when not (sa.blob_service_logging ->> 'Read') :: boolean - or not (sa.blob_service_logging ->> 'Write') :: boolean - or not (sa.blob_service_logging ->> 'Delete') :: boolean then name || ' blob service logging not enabled for ' || - concat_ws(', ', - case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end, - case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end, - case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end - ) || ' requests.' - else name || ' blob service logging enabled for read, write, delete requests.' 
- end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when not (sa.blob_service_logging ->> 'Read') :: boolean\n or not (sa.blob_service_logging ->> 'Write') :: boolean\n or not (sa.blob_service_logging ->> 'Delete') :: boolean then 'alarm'\n else 'ok'\n end as status,\n case\n when not (sa.blob_service_logging ->> 'Read') :: boolean\n or not (sa.blob_service_logging ->> 'Write') :: boolean\n or not (sa.blob_service_logging ->> 'Delete') :: boolean then name || ' blob service logging not enabled for ' ||\n concat_ws(', ',\n case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end,\n case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end,\n case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end\n ) || ' requests.'\n else name || ' blob service logging enabled for read, write, delete requests.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.10" + - "3.10" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - manual + - manual cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription 
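Review bot: The new query casts `sa.blob_service_logging ->> 'Read'` (and `Write`, `Delete`) to boolean with no null guard, so a storage account where classic blob logging was never configured (`blob_service_logging` null, or keys absent) yields a null `when` condition and lands in `else 'ok'`, reporting logging as enabled for all three request types. Wrapping each test as `not coalesce((sa.blob_service_logging ->> 'Read') :: boolean, false)` in both the status and reason cases makes the control fail closed. The unqualified `name` in the reason strings also depends on `azure_subscription` having no `name` column; `sa.name` removes the ambiguity.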
diff --git a/compliance/controls/azure/azure_storage_account_blobs_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_blobs_logging_enabled.yaml
index ac0a380b7..04b927e6a 100755
--- a/compliance/controls/azure/azure_storage_account_blobs_logging_enabled.yaml
+++ b/compliance/controls/azure/azure_storage_account_blobs_logging_enabled.yaml
@@ -1,8 +1,6 @@ ID: azure_storage_account_blobs_logging_enabled Title: "Storage account logging (Classic Diagnostic Setting) for blobs should be enabled" Description: "Storage Logging records details of requests (read, write, and delete operations) against your Azure blobs. This policy identifies Azure storage accounts that do not have logging enabled for blobs. As a best practice, enable logging for read, write, and delete request types on blobs." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |-
@@ -36,8 +34,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_storage_account_block_public_access.yaml b/compliance/controls/azure/azure_storage_account_block_public_access.yaml
index f78858d26..c2a2801b0 100755
--- a/compliance/controls/azure/azure_storage_account_block_public_access.yaml
+++ b/compliance/controls/azure/azure_storage_account_block_public_access.yaml
@@ -1,45 +1,19 @@ ID: azure_storage_account_block_public_access Title: "Storage account public access should be disallowed" Description: "Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when sa.id not like '%/resourceGroups/aro-%' - and (sa.name not like 'cluster%' or sa.name not like 'imageregistry%') - and sa.allow_blob_public_access = 'false' - then 'ok' - else 'alarm' - end as status, - case - when sa.id not like '%/resourceGroups/aro-%' - and (sa.name not like 'cluster%' or sa.name not like 'imageregistry%') - and sa.allow_blob_public_access = 'false' - then sa.name || ' not publicy accessible.' - else sa.name || ' publicy accessible.' 
- end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when sa.id not like '%/resourceGroups/aro-%'\n and (sa.name not like 'cluster%' or sa.name not like 'imageregistry%')\n and sa.allow_blob_public_access = 'false'\n then 'ok'\n else 'alarm'\n end as status,\n case\n when sa.id not like '%/resourceGroups/aro-%'\n and (sa.name not like 'cluster%' or sa.name not like 'imageregistry%')\n and sa.allow_blob_public_access = 'false'\n then sa.name || ' not publicy accessible.'\n else sa.name || ' publicy accessible.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_default_network_access_rule_denied.yaml b/compliance/controls/azure/azure_storage_account_default_network_access_rule_denied.yaml index 518e7ede2..0e5c871d8 100755 --- a/compliance/controls/azure/azure_storage_account_default_network_access_rule_denied.yaml +++ b/compliance/controls/azure/azure_storage_account_default_network_access_rule_denied.yaml 
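Review bot: In the new query the name filter `(sa.name not like 'cluster%' or sa.name not like 'imageregistry%')` is always true, since no name can start with both prefixes, so it excludes nothing; if the intent is to carve out ARO-managed accounts it needs `and`. More importantly, the `aro-` resource-group and name conditions sit inside the `ok` predicate, so any account matching them is reported `alarm` regardless of `allow_blob_public_access`; an exclusion belongs in a `where` clause or a distinct status value, not inside the compliance test. The reason strings also misspell `publicy`, and `sa.allow_blob_public_access = 'false'` would be clearer as `not sa.allow_blob_public_access`, matching the sibling blob-container control.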
@@ -1,53 +1,33 @@ ID: azure_storage_account_default_network_access_rule_denied Title: "Storage accounts should restrict network access" Description: "Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when sa.network_rule_default_action = 'Allow' then 'alarm' - else 'ok' - end as status, - case - when sa.network_rule_default_action = 'Allow' then name || ' allows traffic from all networks.' - else name || ' allows traffic from specific networks.' - end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when sa.network_rule_default_action = 'Allow' then 'alarm'\n else 'ok'\n end as status,\n case\n when sa.network_rule_default_action = 'Allow' then name || ' allows traffic from all networks.'\n else name || ' allows traffic from specific networks.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.6" + - 
"3.6" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_storage_account_encryption_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_storage_account_encryption_at_rest_using_cmk.yaml
index fd70629ea..149acc160 100755
--- a/compliance/controls/azure/azure_storage_account_encryption_at_rest_using_cmk.yaml
+++ b/compliance/controls/azure/azure_storage_account_encryption_at_rest_using_cmk.yaml
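Review bot: The new query alarms only when `network_rule_default_action = 'Allow'`, so a null or unexpected value falls into `ok` with the reason `allows traffic from specific networks`; inverting the test to `when sa.network_rule_default_action = 'Deny' then 'ok' else 'alarm'` (and the reason case to match) makes the control fail closed. Even a `Deny` default does not cover traffic admitted through the network-rule bypass list or a still-enabled public endpoint; if the table exposes those fields they deserve a follow-up control rather than being folded into this one.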
@@ -1,53 +1,33 @@ ID: azure_storage_account_encryption_at_rest_using_cmk Title: "Storage accounts should use customer-managed key for encryption" Description: "Secure your storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when sa.encryption_key_source = 'Microsoft.Storage' then 'alarm' - else 'ok' - end as status, - case - when sa.encryption_key_source = 'Microsoft.Storage' then sa.name || ' not encrypted with CMK.' - else sa.name || ' encrypted with CMK.' - end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when sa.encryption_key_source = 'Microsoft.Storage' then 'alarm'\n else 'ok'\n end as status,\n case\n when sa.encryption_key_source = 'Microsoft.Storage' then sa.name || ' not encrypted with CMK.'\n else sa.name || ' encrypted with CMK.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.9" + - 
"3.9" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk.yaml b/compliance/controls/azure/azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk.yaml
index b64291194..00b7e25f0 100755
--- a/compliance/controls/azure/azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk.yaml
+++ b/compliance/controls/azure/azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk.yaml
@@ -1,8 +1,6 @@ ID: azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk Title: "Storage account encryption scopes should use customer-managed keys to encrypt data at rest" Description: "Use customer-managed keys to manage the encryption at rest of your storage account encryption scopes. Customer-managed keys enable the data to be encrypted with an Azure key-vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |
@@ -42,12 +40,14 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Storage + - Azure/Storage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/azure/azure_storage_account_geo_redundant_enabled.yaml b/compliance/controls/azure/azure_storage_account_geo_redundant_enabled.yaml
index b2380ec84..905c5229c 100755
--- a/compliance/controls/azure/azure_storage_account_geo_redundant_enabled.yaml
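Review bot: The new query treats every `encryption_key_source` other than `Microsoft.Storage` as `ok`, including null, so an account whose key source the collector did not populate is reported as CMK-encrypted. Testing for the positive value, `when sa.encryption_key_source = 'Microsoft.Keyvault' then 'ok' else 'alarm'`, with the reason case flipped to match, fails closed and states what the control actually requires.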
+++ b/compliance/controls/azure/azure_storage_account_geo_redundant_enabled.yaml 
@@ -1,39 +1,19 @@ ID: azure_storage_account_geo_redundant_enabled Title: "Geo-redundant storage should be enabled for Storage Accounts" Description: "Use geo-redundancy to create highly available applications." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when sku_name = any(ARRAY ['Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS']) then 'ok' - else 'alarm' - end as status, - case - when sku_name = any(ARRAY ['Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS']) then name || ' geo-redundant enabled.' - else name || ' geo-redundant disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when sku_name = any(ARRAY ['Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS']) then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_name = any(ARRAY ['Standard_GRS', 'Standard_RAGRS', 'Standard_GZRS', 'Standard_RAGZRS']) then name || ' geo-redundant enabled.'\n else name || ' geo-redundant disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription 
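Review bot: The `QueryToExecute` value is rewritten from a `|` block scalar into one double-quoted string with embedded `\n` escapes; the query text is unchanged, but a 25-line SQL statement on a single line is hard to review, shows up as one changed line on every future edit, and invites escaping mistakes around the `'` and `"` characters these queries use. Keeping `QueryToExecute: |` (as the `azure_storage_account_blobs_logging_enabled` and `..._encryption_scopes_..._with_cmk` hunks in this same change still do) is the better form, and the surrounding list re-indentation does not require the scalar style to change.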
diff --git a/compliance/controls/azure/azure_storage_account_infrastructure_encryption_enabled.yaml b/compliance/controls/azure/azure_storage_account_infrastructure_encryption_enabled.yaml
index 5ba823fdc..342b17e8c 100755
--- a/compliance/controls/azure/azure_storage_account_infrastructure_encryption_enabled.yaml
+++ b/compliance/controls/azure/azure_storage_account_infrastructure_encryption_enabled.yaml
@@ -1,53 +1,33 @@ ID: azure_storage_account_infrastructure_encryption_enabled Title: "Storage accounts should have infrastructure encryption" Description: "Enable infrastructure encryption for higher level of assurance that the data is secure. When infrastructure encryption is enabled, data in a storage account is encrypted twice." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when require_infrastructure_encryption then 'ok' - else 'alarm' - end as status, - case - when require_infrastructure_encryption then name || ' infrastructure encryption enabled.' - else name || ' infrastructure encryption disabled.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when require_infrastructure_encryption then 'ok'\n else 'alarm'\n end as status,\n case\n when require_infrastructure_encryption then name || ' infrastructure encryption enabled.'\n else name || ' infrastructure encryption disabled.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.2" + - "3.2" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - manual + - manual cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - 
Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_min_tls_1_2.yaml b/compliance/controls/azure/azure_storage_account_min_tls_1_2.yaml index 1df8d34d7..6b61706a0 100755 --- a/compliance/controls/azure/azure_storage_account_min_tls_1_2.yaml +++ b/compliance/controls/azure/azure_storage_account_min_tls_1_2.yaml 
@@ -1,55 +1,33 @@ ID: azure_storage_account_min_tls_1_2 Title: "Ensure the 'Minimum TLS version' for storage accounts is set to 'Version 1.2'" Description: "In some cases, Azure Storage sets the minimum TLS version to be version 1.0 by default. TLS 1.0 is a legacy version and has known vulnerabilities. This minimum TLS version can be configured to be later protocols such as TLS 1.2." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when minimum_tls_version = 'TLSEnforcementDisabled' then 'alarm' - when minimum_tls_version = 'TLS1_2' then 'ok' - else 'alarm' - end as status, - case - when minimum_tls_version = 'TLSEnforcementDisabled' then sa.name || ' TLS enforcement is disabled.' - when minimum_tls_version = 'TLS1_2' then sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' - else sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.' 
- end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when minimum_tls_version = 'TLSEnforcementDisabled' then 'alarm'\n when minimum_tls_version = 'TLS1_2' then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_tls_version = 'TLSEnforcementDisabled' then sa.name || ' TLS enforcement is disabled.'\n when minimum_tls_version = 'TLS1_2' then sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.'\n else sa.name || ' minimum TLS version set to ' || minimum_tls_version || '.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.12" + - "3.12" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - manual + - manual cis_version: - - v1.4.0 + - v1.4.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_queue_services_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_queue_services_logging_enabled.yaml index 006d10419..c04d8ac3d 100755 --- a/compliance/controls/azure/azure_storage_account_queue_services_logging_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_queue_services_logging_enabled.yaml 
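Review bot: The alarm branches of the rewritten `QueryToExecute` concatenate `minimum_tls_version` into the reason, so when the property is NULL (accounts where the collector returned nothing) the `||` chain collapses to NULL and the finding has status 'alarm' but an empty reason. Wrap it as `coalesce(minimum_tls_version, 'not set')` in the `else` reason. Separately, the `else 'alarm'` path also fires for `TLS1_3`; Azure now accepts that value for `minimumTlsVersion` on storage accounts, and if the collector surfaces it — not confirmable from this diff — a stricter-than-required account would be reported as failing, so `when minimum_tls_version in ('TLS1_2', 'TLS1_3') then 'ok'` is the safer test.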
@@ -1,59 +1,33 @@ ID: azure_storage_account_queue_services_logging_enabled Title: "Ensure Storage logging is enabled for Queue service for read, write, and delete requests" Description: "The Storage Queue service stores messages that may be read by any client who has access to the storage account. A queue can contain an unlimited number of messages, each of which can be up to 64KB in size using version 2011-08-18 or newer. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the queues. Storage Logging log entries contain the following information about individual requests: Timing information such as start time, end-to-end latency, and server latency, authentication details, concurrency information, and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when queue_logging_read and queue_logging_write and queue_logging_delete then 'ok' - else 'alarm' - end as status, - case - when queue_logging_read and queue_logging_write and queue_logging_delete - then sa.name || ' queue service logging enabled for read, write, delete requests.' - else sa.name || ' queue service logging not enabled for: ' || - concat_ws(', ', - case when not queue_logging_write then 'write' end, - case when not queue_logging_read then 'read' end, - case when not queue_logging_delete then 'delete' end - ) || ' requests.' 
- end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when queue_logging_read and queue_logging_write and queue_logging_delete then 'ok'\n else 'alarm'\n end as status,\n case\n when queue_logging_read and queue_logging_write and queue_logging_delete\n then sa.name || ' queue service logging enabled for read, write, delete requests.'\n else sa.name || ' queue service logging not enabled for: ' ||\n concat_ws(', ',\n case when not queue_logging_write then 'write' end,\n case when not queue_logging_read then 'read' end,\n case when not queue_logging_delete then 'delete' end\n ) || ' requests.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.3" + - "3.3" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - manual + - manual cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_restrict_network_access.yaml b/compliance/controls/azure/azure_storage_account_restrict_network_access.yaml index 5a21e4e63..a8f439a11 100755 --- a/compliance/controls/azure/azure_storage_account_restrict_network_access.yaml +++ b/compliance/controls/azure/azure_storage_account_restrict_network_access.yaml 
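Review bot: In the failing branch of the rewritten `QueryToExecute`, `case when not queue_logging_write then 'write' end` (and its read/delete twins) returns NULL instead of the label when the column itself is NULL, and `concat_ws` silently drops NULLs — so an account whose logging settings were not collected is reported as 'alarm' with the reason `' queue service logging not enabled for:  requests.'`, naming no operation. Coalesce each flag once, e.g. `coalesce(queue_logging_write, false)`, in both the status and reason expressions so an unknown state is named explicitly. The status itself is already conservative (NULL falls to 'alarm'); only the explanation is misleading.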
@@ -1,41 +1,21 @@ ID: azure_storage_account_restrict_network_access Title: "Storage accounts should restrict network access using virtual network rules" Description: "Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when network_rule_default_action = 'Deny' then 'ok' - else 'alarm' - end as status, - case - when network_rule_default_action = 'Deny' then sa.name || ' blocks network access.' - else sa.name || ' allows network access.' - end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when network_rule_default_action = 'Deny' then 'ok'\n else 'alarm'\n end as status,\n case\n when network_rule_default_action = 'Deny' then sa.name || ' blocks network access.'\n else sa.name || ' allows network access.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription 
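Review bot: The status in the rewritten `QueryToExecute` treats `network_rule_default_action = 'Deny'` as sufficient for 'ok', but a Deny default with a permissive IP rule, or with no virtual network rule at all, still admits public IPs — which is exactly what the title and description say this control is meant to catch. Consider also requiring at least one entry in `virtual_network_rules` (a column `azure_storage_account` exposes, as the `use_virtual_service_endpoint` control reads it), e.g. `when network_rule_default_action = 'Deny' and jsonb_array_length(coalesce(virtual_network_rules, '[]'::jsonb)) > 0 then 'ok'`; whether an `ip_rules` column is available to flag broad ranges cannot be confirmed from this diff. The reason text `' blocks network access.'` also overstates a default-Deny, which still allows every allow-listed source.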
diff --git a/compliance/controls/azure/azure_storage_account_secure_transfer_required_enabled.yaml b/compliance/controls/azure/azure_storage_account_secure_transfer_required_enabled.yaml index 742cc0d7f..e2d86c082 100755 --- a/compliance/controls/azure/azure_storage_account_secure_transfer_required_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_secure_transfer_required_enabled.yaml 
@@ -1,53 +1,33 @@ ID: azure_storage_account_secure_transfer_required_enabled Title: "Secure transfer to storage accounts should be enabled" Description: "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when not enable_https_traffic_only then 'alarm' - else 'ok' - end as status, - case - when not enable_https_traffic_only then sa.name || ' encryption in transit not enabled.' - else sa.name || ' encryption in transit enabled.' - end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when not enable_https_traffic_only then 'alarm'\n else 'ok'\n end as status,\n case\n when not enable_https_traffic_only then sa.name || ' encryption in transit not enabled.'\n else sa.name || ' encryption in transit enabled.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.1" + - "3.1" 
cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_soft_delete_enabled.yaml b/compliance/controls/azure/azure_storage_account_soft_delete_enabled.yaml index 838011f16..87fb91855 100755 --- a/compliance/controls/azure/azure_storage_account_soft_delete_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_soft_delete_enabled.yaml 
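Review bot: The status `case` in the rewritten `QueryToExecute` fails open when `enable_https_traffic_only` is NULL: `not NULL` is NULL, the `when` does not match, and the `else` branch reports 'ok' and `' encryption in transit enabled.'` for an account whose property was never collected. Make the positive condition the only path to 'ok' — `when enable_https_traffic_only then 'ok' else 'alarm'` — or coalesce the flag to false, so an unknown state surfaces as a finding. For a high-severity, CIS-automated control this distinction matters: silent 'ok' rows are indistinguishable from verified ones in the report.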
@@ -1,53 +1,33 @@ ID: azure_storage_account_soft_delete_enabled Title: "Ensure soft delete is enabled for Azure Storage" Description: "The Azure Storage blobs contain data like ePHI, Financial, secret or personal. Erroneously modified or deleted accidentally by an application or other storage account user cause data loss or data unavailability. It is recommended the Azure Storage be made recoverable by enabling soft delete configuration. This is to save and recover data when blobs or blob snapshots are deleted." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when not blob_soft_delete_enabled then 'alarm' - else 'ok' - end as status, - case - when not blob_soft_delete_enabled then sa.name || ' blobs soft delete disabled.' - else sa.name || ' blobs soft delete enabled.' - end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when not blob_soft_delete_enabled then 'alarm'\n else 'ok'\n end as status,\n case\n when not blob_soft_delete_enabled then sa.name || ' blobs soft delete disabled.'\n else sa.name || ' blobs soft delete enabled.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.8" + - "3.8" cis_level: - - "1" + - "1" 
cis_section_id: - - "3" + - "3" cis_type: - - automated + - automated cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_table_service_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_table_service_logging_enabled.yaml index 40a2fc1f0..4c555ffdc 100755 --- a/compliance/controls/azure/azure_storage_account_table_service_logging_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_table_service_logging_enabled.yaml 
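Review bot: `when not blob_soft_delete_enabled then 'alarm' else 'ok'` in the rewritten `QueryToExecute` reports 'ok' for a NULL column, because `not NULL` is NULL and control falls through to the `else`, so an account whose soft-delete setting is unknown is labelled `' blobs soft delete enabled.'`. Write the positive test instead, `when blob_soft_delete_enabled then 'ok' else 'alarm'`, or use `coalesce(blob_soft_delete_enabled, false)`. The title speaks of Azure Storage generally while only blob soft delete is checked; if `azure_storage_account` also exposes container soft delete, a second predicate would be needed to match the title, which this diff cannot confirm.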
@@ -1,59 +1,33 @@ ID: azure_storage_account_table_service_logging_enabled Title: "Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' requests" Description: "Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a key/attribute store with a schema-less design. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the tables. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when table_logging_write and table_logging_read and table_logging_delete then 'ok' - else 'alarm' - end as status, - case - when table_logging_write and table_logging_read and table_logging_delete - then sa.name || ' table service logging enabled for read, write, delete requests.' - else sa.name || ' table service logging not enabled for: ' || - concat_ws(', ', - case when not table_logging_write then 'write' end, - case when not table_logging_read then 'read' end, - case when not table_logging_delete then 'delete' end - ) || ' requests.' 
- end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account as sa, - azure_subscription as sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when table_logging_write and table_logging_read and table_logging_delete then 'ok'\n else 'alarm'\n end as status,\n case\n when table_logging_write and table_logging_read and table_logging_delete\n then sa.name || ' table service logging enabled for read, write, delete requests.'\n else sa.name || ' table service logging not enabled for: ' ||\n concat_ws(', ',\n case when not table_logging_write then 'write' end,\n case when not table_logging_read then 'read' end,\n case when not table_logging_delete then 'delete' end\n ) || ' requests.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account as sa,\n azure_subscription as sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.14" + - "3.14" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - automated + - automated cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_tables_logging_enabled.yaml b/compliance/controls/azure/azure_storage_account_tables_logging_enabled.yaml index 1d67aecb4..3888d55ea 100755 --- a/compliance/controls/azure/azure_storage_account_tables_logging_enabled.yaml 
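Review bot: The reason for a failing account in the rewritten `QueryToExecute` is assembled from `case when not table_logging_write then 'write' end` and its read/delete counterparts, which yield NULL rather than the label when the underlying flag is NULL; `concat_ws` then drops them, producing `' table service logging not enabled for:  requests.'` with nothing listed. Coalesce the three flags once, e.g. `coalesce(table_logging_write, false)`, and reuse that in both the status and reason expressions so every missing operation is named. The write/read/delete order in the reason also differs from the 'read, write, delete' wording of the passing case; aligning them is a small readability win.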
+++ b/compliance/controls/azure/azure_storage_account_tables_logging_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_storage_account_tables_logging_enabled Title: "Storage account logging (Classic Diagnostic Setting) for tables should be enabled" Description: "Storage Logging records details of requests (read, write, and delete operations) against your Azure tables. This policy identifies Azure storage accounts that do not have logging enabled for tables. As a best practice, enable logging for read, write, and delete request types on tables." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -33,8 +31,10 @@ Query: sub.subscription_id = sa.subscription_id; PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_trusted_microsoft_services_enabled.yaml b/compliance/controls/azure/azure_storage_account_trusted_microsoft_services_enabled.yaml index d66a824a1..12baed863 100755 --- a/compliance/controls/azure/azure_storage_account_trusted_microsoft_services_enabled.yaml +++ b/compliance/controls/azure/azure_storage_account_trusted_microsoft_services_enabled.yaml 
@@ -1,53 +1,33 @@ ID: azure_storage_account_trusted_microsoft_services_enabled Title: "Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access" Description: "Some Azure services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Azure services to bypass the network rules. These services will then use strong authentication to access the storage account." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - sa.og_account_id as og_account_id, - sa.og_resource_id as og_resource_id, - case - when network_rule_bypass not like '%AzureServices%' then 'alarm' - else 'ok' - end as status, - case - when network_rule_bypass not like '%AzureServices%' then sa.name || ' trusted Microsoft services not enabled.' - else sa.name || ' trusted Microsoft services enabled.' 
- end as reason - - , sa.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n sa.og_account_id as og_account_id,\n sa.og_resource_id as og_resource_id,\n case\n when network_rule_bypass not like '%AzureServices%' then 'alarm'\n else 'ok'\n end as status,\n case\n when network_rule_bypass not like '%AzureServices%' then sa.name || ' trusted Microsoft services not enabled.'\n else sa.name || ' trusted Microsoft services enabled.'\n end as reason\n \n , sa.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: medium Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.7" + - "3.7" cis_level: - - "2" + - "2" cis_section_id: - - "3" + - "3" cis_type: - - manual + - manual cis_version: - - v1.3.0 + - v1.3.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_use_virtual_service_endpoint.yaml b/compliance/controls/azure/azure_storage_account_use_virtual_service_endpoint.yaml index 53f94ae30..f96df594c 100755 --- a/compliance/controls/azure/azure_storage_account_use_virtual_service_endpoint.yaml +++ b/compliance/controls/azure/azure_storage_account_use_virtual_service_endpoint.yaml 
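Review bot: `network_rule_bypass not like '%AzureServices%'` in the rewritten `QueryToExecute` evaluates to NULL when the column is NULL, so the `else` branch reports 'ok' and `' trusted Microsoft services enabled.'` for an account whose bypass list was never collected. Use `coalesce(network_rule_bypass, '') not like '%AzureServices%'` so a missing value is treated as not enabled. The bypass list is only consulted by Azure when the network default action is Deny; on an Allow-default account this control's result says nothing about exposure, which a short note in the Description would make clear to whoever reads the findings.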
@@ -1,55 +1,20 @@ ID: azure_storage_account_use_virtual_service_endpoint Title: "Storage Accounts should use a virtual network service endpoint" Description: "This policy audits any Storage Account not configured to use a virtual network service endpoint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with storage_account_subnet as ( - select - distinct a.id as storage_account_id, - rule ->> 'id' as id - from - azure_storage_account as a, - jsonb_array_elements(virtual_network_rules) as rule, - azure_subnet as subnet, - jsonb_array_elements(service_endpoints) as endpoints - where - endpoints ->> 'service' like '%Microsoft.Storage%' - ) - select - distinct a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when network_rule_default_action <> 'Deny' then 'alarm' - when s.storage_account_id is null then 'alarm' - else 'ok' - end as status, - case - when network_rule_default_action <> 'Deny' then a.name || ' not configured with virtual service endpoint.' - when s.storage_account_id is null then a.name || ' not configured with virtual service endpoint.' - else a.name || ' configured with virtual service endpoint.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account as a - left join storage_account_subnet as s on a.id = s.storage_account_id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with storage_account_subnet as (\n select\n distinct a.id as storage_account_id,\n rule ->> 'id' as id\n from\n azure_storage_account as a,\n jsonb_array_elements(virtual_network_rules) as rule,\n azure_subnet as subnet,\n jsonb_array_elements(service_endpoints) as endpoints\n where\n endpoints ->> 'service' like '%Microsoft.Storage%'\n)\nselect\n distinct a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when network_rule_default_action <> 'Deny' then 'alarm'\n when s.storage_account_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when network_rule_default_action <> 'Deny' then a.name || ' not configured with virtual service endpoint.'\n when s.storage_account_id is null then a.name || ' not configured with virtual service endpoint.'\n else a.name || ' configured with virtual service endpoint.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account as a\n left join storage_account_subnet as s on a.id = s.storage_account_id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subnet - - azure_subscription + - azure_storage_account + - azure_subnet + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription 
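Review bot: The `storage_account_subnet` CTE in the rewritten `QueryToExecute` never relates a storage account's network rule to the subnet it names: `azure_storage_account`, the expanded `virtual_network_rules`, `azure_subnet` and its `service_endpoints` are cross-joined with only the `endpoints ->> 'service'` filter, so any account with at least one virtual network rule is marked 'ok' as soon as any subnet anywhere in the inventory carries a `Microsoft.Storage` endpoint. Add the join predicate, e.g. `where lower(rule ->> 'id') = lower(subnet.id) and endpoints ->> 'service' like '%Microsoft.Storage%'`, assuming `azure_subnet` exposes its resource id as `id` (Azure resource ids compare case-insensitively, hence `lower()`). The `distinct` currently hides the cartesian product rather than fixing it.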
diff --git a/compliance/controls/azure/azure_storage_account_uses_azure_resource_manager.yaml b/compliance/controls/azure/azure_storage_account_uses_azure_resource_manager.yaml index 854a7acb2..6cef334da 100755 --- a/compliance/controls/azure/azure_storage_account_uses_azure_resource_manager.yaml +++ b/compliance/controls/azure/azure_storage_account_uses_azure_resource_manager.yaml 
@@ -1,41 +1,21 @@ ID: azure_storage_account_uses_azure_resource_manager Title: "Storage accounts should be migrated to new Azure Resource Manager resources" Description: "Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when resource_group is not null then 'ok' - else 'alarm' - end as status, - case - when resource_group is not null then s.title || ' uses azure resource manager.' - else s.title || ' not uses azure resource manager.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when resource_group is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when resource_group is not null then s.title || ' uses azure resource manager.'\n else s.title || ' not uses azure resource manager.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" pci_dss_v321: - - "true" + - "true" service: - - 
Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_account_uses_private_link.yaml b/compliance/controls/azure/azure_storage_account_uses_private_link.yaml index 3915aa48c..13a8746e4 100755 --- a/compliance/controls/azure/azure_storage_account_uses_private_link.yaml +++ b/compliance/controls/azure/azure_storage_account_uses_private_link.yaml 
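Review bot: `resource_group is not null` in the rewritten `QueryToExecute` is a weak proxy for Azure Resource Manager: every `Microsoft.Storage` account lives in a resource group, so if `azure_storage_account` inventories only ARM accounts this control can never alarm, and classic (`Microsoft.ClassicStorage`) accounts — the ones the description wants migrated — would not be in the table at all. Whether classic accounts are included cannot be confirmed from this diff; if they are not, the control needs a classic-storage source or should be documented as a placeholder in its Description. Independently, the reason `s.title || ' not uses azure resource manager.'` should read `' does not use Azure Resource Manager.'`.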
@@ -1,63 +1,33 @@ ID: azure_storage_account_uses_private_link Title: "Storage accounts should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your storage account, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with storage_account_connection as ( - select - distinct a.id - from - azure_storage_account as a, - jsonb_array_elements(private_endpoint_connections) as connection - where - connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - select - distinct a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when s.id is null then 'alarm' - else 'ok' - end as status, - case - when s.id is null then a.name || ' not uses private link.' - else a.name || ' uses private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_account as a - left join storage_account_connection as s on a.id = s.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with storage_account_connection as (\n select\n distinct a.id\n from\n azure_storage_account as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved'\n)\nselect\n distinct a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when s.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when s.id is null then a.name || ' not uses private link.'\n else a.name || ' uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_account as a\n left join storage_account_connection as s on a.id = s.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_storage_account ListOfTables: - - azure_storage_account - - azure_subscription + - azure_storage_account + - azure_subscription Parameters: [] Severity: high Tags: category: - - Compliance + - Compliance cis: - - "true" + - "true" cis_item_id: - - "3.10" + - "3.10" cis_level: - - "1" + - "1" cis_section_id: - - "3" + - "3" cis_type: - - manual + - manual cis_version: - - v1.5.0 + - v1.5.0 plugin: - - azure + - azure service: - - Azure/Storage + - Azure/Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_storage_sync_private_link_used.yaml b/compliance/controls/azure/azure_storage_sync_private_link_used.yaml index 076fed358..56ef2af4e 100755 --- a/compliance/controls/azure/azure_storage_sync_private_link_used.yaml +++ b/compliance/controls/azure/azure_storage_sync_private_link_used.yaml 
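Review bot: The rewritten `QueryToExecute` reports 'ok' on the mere presence of an approved private endpoint connection, whereas the `azure_storage_sync_private_link_used` control in the same change first alarms when the service still allows all incoming traffic; the storage account control has no equivalent guard, so an account with a private endpoint and `network_rule_default_action = 'Allow'` passes while remaining reachable from the public internet. Consider the same two-step case: `when network_rule_default_action <> 'Deny' then 'alarm' when s.id is null then 'alarm' else 'ok'`, with a matching reason such as `a.name || ' allows public network access.'`. The description's data-leakage argument only holds when public access is actually restricted.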
@@ -1,51 +1,19 @@ ID: azure_storage_sync_private_link_used Title: "Azure File Sync should use private link" Description: "Creating a private endpoint for the indicated Storage Sync Service resource allows you to address your Storage Sync Service resource from within the private IP address space of your organization's network, rather than through the internet-accessible public endpoint. Creating a private endpoint by itself does not disable the public endpoint." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with storagesync_service_connection as ( - select - distinct a.id - from - azure_storage_sync as a, - jsonb_array_elements(private_endpoint_connections) as connection - where - connection -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when incoming_traffic_policy = 'AllowAllTraffic' then 'alarm' - when c.id is null then 'alarm' - else 'ok' - end as status, - case - when incoming_traffic_policy = 'AllowAllTraffic' then a.name || ' using public networks.' - when c.id is null then a.name || ' not uses private link.' - else a.name || ' uses private link.' 
- end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_storage_sync as a - left join storagesync_service_connection as c on c.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with storagesync_service_connection as (\n select\n distinct a.id\n from\n azure_storage_sync as a,\n jsonb_array_elements(private_endpoint_connections) as connection\n where\n connection -> 'PrivateLinkServiceConnectionState' ->> 'status' = 'Approved'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when incoming_traffic_policy = 'AllowAllTraffic' then 'alarm'\n when c.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when incoming_traffic_policy = 'AllowAllTraffic' then a.name || ' using public networks.'\n when c.id is null then a.name || ' not uses private link.'\n else a.name || ' uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_storage_sync as a\n left join storagesync_service_connection as c on c.id = a.id,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_storage_sync ListOfTables: - - azure_storage_sync - - azure_subscription + - azure_storage_sync + - azure_subscription Parameters: [] Severity: medium Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/FileSync + - Azure/FileSync +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_stream_analytics_job_encrypted_with_cmk.yaml b/compliance/controls/azure/azure_stream_analytics_job_encrypted_with_cmk.yaml index 0e90d9e7c..3008b9fd7 100755 --- a/compliance/controls/azure/azure_stream_analytics_job_encrypted_with_cmk.yaml +++ b/compliance/controls/azure/azure_stream_analytics_job_encrypted_with_cmk.yaml 
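Review bot: The approval test reads `connection -> 'PrivateLinkServiceConnectionState' ->> 'status'` (PascalCase, no `properties` wrapper) whereas the storage-account control in the previous hunk reads `connection -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status'`; if `azure_storage_sync.private_endpoint_connections` is exposed in the same shape as the storage-account column, this path never matches and every service whose `incoming_traffic_policy` is not `AllowAllTraffic` is reported as `not uses private link`. I cannot confirm the column shape from this page, so please verify against a row of the table and align the path if the shapes agree. If they genuinely differ, a comment above the query such as `# private_endpoint_connections here uses PascalCase keys without a properties wrapper, unlike azure_storage_account` would stop the next reader from "fixing" it.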
@@ -1,8 +1,6 @@ ID: azure_stream_analytics_job_encrypted_with_cmk Title: "Azure Stream Analytics jobs should use customer-managed keys to encrypt data" Description: "Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_stream_analytics_job_logging_enabled.yaml b/compliance/controls/azure/azure_stream_analytics_job_logging_enabled.yaml index 48e147f2c..0daaceaa0 100755 --- a/compliance/controls/azure/azure_stream_analytics_job_logging_enabled.yaml +++ b/compliance/controls/azure/azure_stream_analytics_job_logging_enabled.yaml 
@@ -1,69 +1,21 @@ ID: azure_stream_analytics_job_logging_enabled Title: "Resource logs in Azure Stream Analytics should be enabled" Description: "Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with logging_details as ( - select - distinct name as job_name - from - azure_stream_analytics_job, - jsonb_array_elements(diagnostic_settings) setting, - jsonb_array_elements(setting -> 'properties' -> 'logs') log - where - diagnostic_settings is not null - and ( - ( - (log ->> 'enabled') :: boolean - and (log -> 'retentionPolicy' ->> 'enabled') :: boolean - and (log -> 'retentionPolicy') :: JSONB ? 'days' - ) - or - ( - (log ->> 'enabled') :: boolean - and ( - log -> 'retentionPolicy' ->> 'enabled' <> 'true' - or setting -> 'properties' ->> 'storageAccountId' = '' - ) - ) - ) - ) - select - v.job_id as resource, - v.og_account_id as og_account_id, - v.og_resource_id as og_resource_id, - case - when v.diagnostic_settings is null then 'alarm' - when l.job_name is null then 'alarm' - else 'ok' - end as status, - case - when v.diagnostic_settings is null then v.name || ' logging not enabled.' - when l.job_name is null then v.name || ' logging not enabled.' - else v.name || ' logging enabled.' 
- end as reason - - , v.resource_group as resource_group - , sub.display_name as subscription - from - azure_stream_analytics_job as v - left join logging_details as l on v.name = l.job_name, - azure_subscription as sub - where - sub.subscription_id = v.subscription_id; + QueryToExecute: "with logging_details as (\n select\n distinct name as job_name\n from\n azure_stream_analytics_job,\n jsonb_array_elements(diagnostic_settings) setting,\n jsonb_array_elements(setting -> 'properties' -> 'logs') log\n where\n diagnostic_settings is not null\n and (\n (\n (log ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy' ->> 'enabled') :: boolean\n and (log -> 'retentionPolicy') :: JSONB ? 'days'\n )\n or\n (\n (log ->> 'enabled') :: boolean\n and (\n log -> 'retentionPolicy' ->> 'enabled' <> 'true'\n or setting -> 'properties' ->> 'storageAccountId' = ''\n )\n )\n )\n)\nselect\n v.job_id as resource,\n v.og_account_id as og_account_id,\n v.og_resource_id as og_resource_id,\n case\n when v.diagnostic_settings is null then 'alarm'\n when l.job_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when v.diagnostic_settings is null then v.name || ' logging not enabled.'\n when l.job_name is null then v.name || ' logging not enabled.'\n else v.name || ' logging enabled.'\n end as reason\n \n , v.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_stream_analytics_job as v\n left join logging_details as l on v.name = l.job_name,\n azure_subscription as sub\nwhere\n sub.subscription_id = v.subscription_id;\n" PrimaryTable: azure_stream_analytics_job ListOfTables: - - azure_stream_analytics_job - - azure_subscription + - azure_stream_analytics_job + - azure_subscription Parameters: [] Severity: medium Tags: hipaa_hitrust_v92: - - "true" + - "true" nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/StreamAnalytics + - Azure/StreamAnalytics +IntegrationTypeName: + - azure_subscription 
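Review bot: `left join logging_details as l on v.name = l.job_name` matches on the job name alone, and the CTE selects only `name`, so two Stream Analytics jobs with the same name in different resource groups or subscriptions are conflated: a job with no diagnostic logging is reported `ok` whenever a same-named job elsewhere has it. The outer query already uses `v.job_id`, so select that in the CTE and join on it: `distinct job_id` in place of `distinct name as job_name`, and `left join logging_details as l on v.job_id = l.job_id`. Separately, `setting -> 'properties' ->> 'storageAccountId' = ''` evaluates to null rather than true when the key is absent, so a log-enabled setting with no retention policy and no storage-account key at all is not counted either way; if that is intended, say so in a comment above the query.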
diff --git a/compliance/controls/azure/azure_synapse_workspace_data_exfiltration_protection_enabled.yaml b/compliance/controls/azure/azure_synapse_workspace_data_exfiltration_protection_enabled.yaml index 949e968fe..454a0fd51 100755 --- a/compliance/controls/azure/azure_synapse_workspace_data_exfiltration_protection_enabled.yaml +++ b/compliance/controls/azure/azure_synapse_workspace_data_exfiltration_protection_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_synapse_workspace_data_exfiltration_protection_enabled Title: "Synapse workspaces should have data exfiltration protection enabled" Description: "This control checks whether Synapse workspace has data exfiltration protection enabled." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -25,8 +23,10 @@ Query: sub.subscription_id = s.subscription_id; PrimaryTable: azure_synapse_workspace ListOfTables: - - azure_synapse_workspace - - azure_subscription + - azure_synapse_workspace + - azure_subscription Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_synapse_workspace_encryption_at_rest_using_cmk.yaml b/compliance/controls/azure/azure_synapse_workspace_encryption_at_rest_using_cmk.yaml index 420ec02b8..bd5c6a8bc 100755 --- a/compliance/controls/azure/azure_synapse_workspace_encryption_at_rest_using_cmk.yaml +++ b/compliance/controls/azure/azure_synapse_workspace_encryption_at_rest_using_cmk.yaml 
@@ -1,39 +1,19 @@ ID: azure_synapse_workspace_encryption_at_rest_using_cmk Title: "Azure Synapse workspaces should use customer-managed keys to encrypt data at rest" Description: "Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - s.og_account_id as og_account_id, - s.og_resource_id as og_resource_id, - case - when encryption -> 'CmkKey' ->> 'name' is not null then 'ok' - else 'alarm' - end as status, - case - when encryption -> 'CmkKey' ->> 'name' is not null then s.title || ' encrypted with CMK.' - else s.title || ' not encrypted with CMK.' - end as reason - - , s.resource_group as resource_group - , sub.display_name as subscription - from - azure_synapse_workspace as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n s.og_account_id as og_account_id,\n s.og_resource_id as og_resource_id,\n case\n when encryption -> 'CmkKey' ->> 'name' is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when encryption -> 'CmkKey' ->> 'name' is not null then s.title || ' encrypted with CMK.'\n else s.title || ' not encrypted with CMK.'\n end as reason\n \n , s.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_synapse_workspace as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: azure_synapse_workspace ListOfTables: - - azure_subscription - - azure_synapse_workspace + - azure_subscription + - azure_synapse_workspace Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SynapseAnalytics + - Azure/SynapseAnalytics +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/azure/azure_synapse_workspace_private_link_used.yaml b/compliance/controls/azure/azure_synapse_workspace_private_link_used.yaml
index ca57c3c31..0a57cc4aa 100755
--- a/compliance/controls/azure/azure_synapse_workspace_private_link_used.yaml
+++ b/compliance/controls/azure/azure_synapse_workspace_private_link_used.yaml
@@ -1,39 +1,19 @@ ID: azure_synapse_workspace_private_link_used Title: "Azure Synapse workspaces should use private link" Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Synapse workspace, data leakage risks are reduced." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]' then 'ok' - else 'alarm' - end as status, - case - when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]' then a.name || ' uses private link.' - else a.name || ' not uses private link.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_synapse_workspace as a, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]' then a.name || ' uses private link.'\n else a.name || ' not uses private link.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\n azure_synapse_workspace as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_synapse_workspace ListOfTables: - - azure_subscription - - azure_synapse_workspace + - azure_subscription 
+ - azure_synapse_workspace Parameters: [] Severity: low Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SynapseAnalytics + - Azure/SynapseAnalytics +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_synapse_workspace_vulnerability_assessment_enabled.yaml b/compliance/controls/azure/azure_synapse_workspace_vulnerability_assessment_enabled.yaml index b201a9f3d..612399f61 100755 --- a/compliance/controls/azure/azure_synapse_workspace_vulnerability_assessment_enabled.yaml +++ b/compliance/controls/azure/azure_synapse_workspace_vulnerability_assessment_enabled.yaml 
@@ -1,52 +1,19 @@ ID: azure_synapse_workspace_vulnerability_assessment_enabled Title: "Vulnerability assessment should be enabled on your Synapse workspaces" Description: "Discover, track, and remediate potential vulnerabilities by configuring recurring SQL vulnerability assessment scans on your Synapse workspaces." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with synapse_workspace as( - select - id, - name, - subscription_id, - resource_group - from - azure_synapse_workspace, - jsonb_array_elements(workspace_managed_sql_server_vulnerability_assessments) as w - where - w -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'true' - ) - select - a.id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when s.id is not null then 'ok' - else 'alarm' - end as status, - case - when s.id is not null then a.name || ' vulnerability assessment enabled.' - else a.name || ' vulnerability assessment disabled.' - end as reason - - , a.resource_group as resource_group - , sub.display_name as subscription - from - azure_synapse_workspace as a - left join synapse_workspace as s on s.id = a.id, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "with synapse_workspace as(\n select\n id,\n name,\n subscription_id,\n resource_group\n from\n azure_synapse_workspace,\n jsonb_array_elements(workspace_managed_sql_server_vulnerability_assessments) as w\n where\n w -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'true'\n)\nselect\n a.id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when s.id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when s.id is not null then a.name || ' vulnerability assessment enabled.'\n else a.name || ' vulnerability assessment disabled.'\n end as reason\n \n , a.resource_group as resource_group\n , sub.display_name as subscription\nfrom\nazure_synapse_workspace as a\nleft 
join synapse_workspace as s on s.id = a.id,\nazure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: azure_synapse_workspace ListOfTables: - - azure_subscription - - azure_synapse_workspace + - azure_subscription + - azure_synapse_workspace Parameters: [] Severity: high Tags: nist_sp_800_53_rev_5: - - "true" + - "true" service: - - Azure/SynapseAnalytics + - Azure/SynapseAnalytics +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azure_web_pub_sub_private_link_used.yaml b/compliance/controls/azure/azure_web_pub_sub_private_link_used.yaml index c0052e53b..d4e5b0239 100755 --- a/compliance/controls/azure/azure_web_pub_sub_private_link_used.yaml +++ b/compliance/controls/azure/azure_web_pub_sub_private_link_used.yaml @@ -1,8 +1,6 @@ ID: azure_web_pub_sub_private_link_used Title: "Azure Web PubSub Service should use private link" Description: "Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Web PubSub Service, you can reduce data leakage risks. Learn more about private links at: https://aka.ms/awps/privatelink." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -21,4 +19,6 @@ Query: Severity: low Tags: manual-verification: - - "true" + - "true" +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml b/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml index 7589f5b4c..7d7779c6c 100755 --- a/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml 
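Review bot: The `synapse_workspace` CTE emits one row per vulnerability-assessment element with `recurringScans.isEnabled = 'true'` and the outer query has no `distinct`, so a workspace with several such assessments is reported once per assessment as separate `ok` rows for the same `resource`. Since only `s.id` is referenced by the outer query, reduce the CTE to `select distinct id from azure_synapse_workspace, jsonb_array_elements(...) as w where ...`. The new string also flattens the `from`/`left join` indentation (`\nfrom\nazure_synapse_workspace as a\nleft join`), which is the only query in this patch that lost its indent; worth fixing while the block scalar is restored.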
+++ b/compliance/controls/azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml @@ -1,8 +1,6 @@ ID: azuread_spn_with_active_client_secret_created_x_days_ago Title: "Service Principal Keys in AzureAD need to comply with Key Rotation Policy" Description: "SPNs in AzureAD should not have more than one active Client Secret created X days ago" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -45,12 +43,14 @@ Query: azuread_spn PrimaryTable: azuread_service_principal ListOfTables: - - azuread_service_principal - - azuread_spn + - azuread_service_principal + - azuread_spn Parameters: - Key: azureadClientSecretExpireDays Required: true Severity: high Tags: score_service_name: - - Azure Active Directory (Azure AD) + - Azure Active Directory (Azure AD) +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml b/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml index 2f29fcfa6..f94bdcb8c 100755 --- a/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml +++ b/compliance/controls/azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml 
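Review bot: `ID: azuread_spn_with_active_client_secret_created_x_days_ago` does not match the file name `azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml`, and the Description speaks of "more than one active Client Secret" while the ID does not; if control IDs are ever resolved from file names or benchmark references, this control is unreachable under one of the two names. The patch touches both the header and the footer of this file, so it is a good moment to align the ID, the file name and the Description. The query body is outside both hunks, so I cannot tell from the page which of the two behaviours is actually implemented.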
@@ -1,49 +1,20 @@ ID: azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment Title: "AzureAD Users should have MFA Enabled with Azure subscription role assignment" Description: "AzureAD Users should have MFA Enabled with Azure subscription role assignment" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with users_with_roles as ( - SELECT distinct u.id as id, - u.og_account_id as og_account_id, - u.og_resource_id as og_resource_id, - u.display_name as display_name, - u.subscription_id as subscription_id, - u.account_enabled as account_enabled, - u.tenant_id as tenant_id - FROM (azuread_user AS u JOIN azure_user_effective_access AS ea ON u.id = ea.principal_id) - ) - select - u.id as resource, - u.og_account_id as og_account_id, - u.og_resource_id as og_resource_id, - case - when COALESCE(NULLIF('{{.azureadAccountStatusInclude}}',''), 'true,false,null') not like ('%' || COALESCE(u.account_enabled::text,'null') || '%') then 'skip' - when rd.is_mfa_registered::bool = false or rd.is_mfa_registered::bool is null then 'alarm' - else 'ok' - end as status, - case - when COALESCE(NULLIF('{{.azureadAccountStatusInclude}}',''), 'true,false,null') not like ('%' || COALESCE(u.account_enabled::text,'null') || '%') then 'User is not included' - when rd.is_mfa_registered::bool = false or rd.is_mfa_registered::bool is null then u.display_name || ' does not have MFA enbabled' - else u.display_name || ' has MFA' - end as reason, - u.tenant_id - from - users_with_roles as u - left join azuread_user_registration_details as rd on u.id = rd.id - where exists (select 1 from azure_user_effective_access AS ea where u.id = ea.principal_id) + QueryToExecute: "with users_with_roles as (\n SELECT distinct u.id as id, \n u.og_account_id as og_account_id, \n u.og_resource_id as og_resource_id, \n u.display_name as display_name, \n u.subscription_id as subscription_id,\n u.account_enabled as account_enabled,\n u.tenant_id as tenant_id\n FROM 
(azuread_user AS u JOIN azure_user_effective_access AS ea ON u.id = ea.principal_id)\n)\nselect \n u.id as resource, \n u.og_account_id as og_account_id,\n u.og_resource_id as og_resource_id,\n case\n when COALESCE(NULLIF('{{.azureadAccountStatusInclude}}',''), 'true,false,null') not like ('%' || COALESCE(u.account_enabled::text,'null') || '%') then 'skip'\n when rd.is_mfa_registered::bool = false or rd.is_mfa_registered::bool is null then 'alarm'\n else 'ok'\n end as status,\n case\n when COALESCE(NULLIF('{{.azureadAccountStatusInclude}}',''), 'true,false,null') not like ('%' || COALESCE(u.account_enabled::text,'null') || '%') then 'User is not included'\n when rd.is_mfa_registered::bool = false or rd.is_mfa_registered::bool is null then u.display_name || ' does not have MFA enbabled'\n else u.display_name || ' has MFA'\n end as reason, \n u.tenant_id\nfrom \n users_with_roles as u \n left join azuread_user_registration_details as rd on u.id = rd.id\nwhere exists (select 1 from azure_user_effective_access AS ea where u.id = ea.principal_id)\n" PrimaryTable: azuread_user ListOfTables: - - azure_user_effective_access - - azuread_user - - azuread_user_registration_details + - azure_user_effective_access + - azuread_user + - azuread_user_registration_details Parameters: - Key: azureadAccountStatusInclude Required: false Severity: high Tags: score_service_name: - - Azure Active Directory (Azure AD) + - Azure Active Directory (Azure AD) +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/aws/IAM/aws_access_keys_during_initial_iam_user_setup.yaml b/compliance/controls/baseline/aws/IAM/aws_access_keys_during_initial_iam_user_setup.yaml index f9935536e..cfe12cf3e 100755 --- a/compliance/controls/baseline/aws/IAM/aws_access_keys_during_initial_iam_user_setup.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_access_keys_during_initial_iam_user_setup.yaml 
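Review bot: `'{{.azureadAccountStatusInclude}}'` is substituted into the SQL as text inside a string literal, so any parameter value containing a single quote breaks the statement and, if parameter values are ever user-supplied, changes it; the same pattern is in the aws_access_keys_rotated_x_days hunk with `'{{.awsIamAccessKeyAge}}'`, where a non-numeric value additionally fails the `::interval` cast at run time and takes the whole control down. The page does not show where the template is rendered, so the check belongs at the parameter layer: validate `awsIamAccessKeyAge` as a non-negative integer and `azureadAccountStatusInclude` as a comma-separated subset of `true`, `false`, `null` before rendering, or bind them as real query parameters if the engine supports that. Two smaller things in this hunk: the reason text `' does not have MFA enbabled'` should read `' does not have MFA enabled'`, and the trailing `where exists (select 1 from azure_user_effective_access ...)` repeats the inner join already performed in `users_with_roles`, so it can be dropped.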
@@ -1,39 +1,22 @@ ID: aws_access_keys_during_initial_iam_user_setup Title: "Access Keys During Initial IAM User Setup" Description: "Ensure no access keys are created during IAM user initial setup with AWS Management Console." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - user_name as resource, - og_account_id, - og_resource_id, - case - when (access_key_1_last_rotated - user_creation_time < '5 second'::interval) and (access_key_1_last_used_date is null) then 'alarm' - else 'ok' - end as status, - case - when (access_key_1_last_rotated - user_creation_time < '5 second'::interval) and (access_key_1_last_used_date is null) then 'access key 1 is considered as unused and is better to be removed' - when (access_key_1_last_rotated is null) then 'access key 1 is not defined' - else 'access key 1 is being used' - end as reason, - region, - account_id - from - aws_iam_credential_report + QueryToExecute: "select\n user_name as resource,\n og_account_id,\n og_resource_id,\n case\n when (access_key_1_last_rotated - user_creation_time < '5 second'::interval) and (access_key_1_last_used_date is null) then 'alarm'\n else 'ok'\n end as status,\n case\n when (access_key_1_last_rotated - user_creation_time < '5 second'::interval) and (access_key_1_last_used_date is null) then 'access key 1 is considered as unused and is better to be removed'\n when (access_key_1_last_rotated is null) then 'access key 1 is not defined'\n else 'access key 1 is being used'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_credential_report\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and 
Access Management (IAM) score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_45_days.yaml b/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_45_days.yaml index dbbbb4273..671177757 100755 --- a/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_45_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_45_days.yaml 
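Review bot: The status `case` has no branch for `access_key_1_last_rotated is null`, so a user with no access key gets `ok` while the reason `case` reports `access key 1 is not defined`; the two expressions disagree, and a key-less user is better reported as `skip` than as compliant. Add `when (access_key_1_last_rotated is null) then 'skip'` as the first branch of the status case and move the matching reason branch first so both cases are ordered the same way. Only the `access_key_1_*` columns are inspected; if `aws_iam_credential_report` mirrors the AWS credential report, which also carries `access_key_2_*` fields, then a second key created at setup is never seen, so either extend the check or state in a comment above the query that only the first key is evaluated.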
@@ -1,40 +1,22 @@ ID: aws_access_keys_rotated_45_days Title: "Access Keys Rotated 45 Days" Description: "Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (45 Days)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - access_key_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when status <> 'Active' then 'skip' - when create_date + '45 days'::interval < now() then 'alarm' - else 'ok' - end as status, - case - when status <> 'Active' then 'key is not activated' - when create_date + '45 days'::interval < now() then 'key is too old' - else 'key is not old yet' - end as reason - - , region, account_id - from - aws_iam_access_key v + QueryToExecute: "select\n access_key_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when status <> 'Active' then 'skip'\n when create_date + '45 days'::interval < now() then 'alarm'\n else 'ok'\n end as status,\n case\n when status <> 'Active' then 'key is not activated'\n when create_date + '45 days'::interval < now() then 'key is too old'\n else 'key is not old yet'\n end as reason\n \n , region, account_id\nfrom\n aws_iam_access_key v\n" PrimaryTable: aws_iam_access_key ListOfTables: - - aws_iam_access_key + - aws_iam_access_key Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_x_days.yaml b/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_x_days.yaml index 571225630..08710c90c 100755 
--- a/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_x_days.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_access_keys_rotated_x_days.yaml
@@ -1,42 +1,24 @@ ID: aws_access_keys_rotated_x_days Title: "Access Keys Rotated X Days" Description: "Ensure AWS IAM access keys are rotated on a periodic basis as a security best practice (X Days)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - access_key_id as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when status <> 'Active' then 'skip' - when create_date + ('{{.awsIamAccessKeyAge}}' || ' days')::interval < now() then 'alarm' - else 'ok' - end as status, - case - when status <> 'Active' then 'key is not activated' - when create_date + ('{{.awsIamAccessKeyAge}}' || ' days')::interval < now() then 'key is too old' - else 'key is not old yet' - end as reason - - , region, account_id - from - aws_iam_access_key v + QueryToExecute: "select\n access_key_id as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when status <> 'Active' then 'skip'\n when create_date + ('{{.awsIamAccessKeyAge}}' || ' days')::interval < now() then 'alarm'\n else 'ok'\n end as status,\n case\n when status <> 'Active' then 'key is not activated'\n when create_date + ('{{.awsIamAccessKeyAge}}' || ' days')::interval < now() then 'key is too old'\n else 'key is not old yet'\n end as reason\n \n , region, account_id\nfrom\n aws_iam_access_key v\n" PrimaryTable: aws_iam_access_key ListOfTables: - - aws_iam_access_key + - aws_iam_access_key Parameters: - Key: awsIamAccessKeyAge Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/IAM/aws_account_alternate_contacts.yaml b/compliance/controls/baseline/aws/IAM/aws_account_alternate_contacts.yaml
index 05942517f..e1086b0a6 100755
--- a/compliance/controls/baseline/aws/IAM/aws_account_alternate_contacts.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_account_alternate_contacts.yaml
@@ -1,40 +1,23 @@ ID: aws_account_alternate_contacts Title: "Account Alternate Contacts" Description: "Ensure alternate contacts are set to improve the security of your AWS account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.account_id as resource, - a.og_account_id, - a.og_resource_id, - case - when c.name is null then 'alarm' - else 'ok' - end as status, - case - when c.name is null then 'account does not have any alternate contact' - else 'account has an alternate contact' - end as reason, - a.region, - a.account_id - from - aws_account as a - left join aws_account_alternate_contact as c on a.account_id = c.account_id + QueryToExecute: "select\n a.account_id as resource,\n a.og_account_id,\n a.og_resource_id,\n case\n when c.name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when c.name is null then 'account does not have any alternate contact'\n else 'account has an alternate contact'\n end as reason,\n a.region, \n a.account_id\nfrom\n aws_account as a\n left join aws_account_alternate_contact as c on a.account_id = c.account_id\n" PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_account_alternate_contact + - aws_account + - aws_account_alternate_contact Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_allow_iam_users_to_change_their_own_password.yaml b/compliance/controls/baseline/aws/IAM/aws_allow_iam_users_to_change_their_own_password.yaml index 8612f461a..848d5782d 100755 
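Review bot: `left join aws_account_alternate_contact as c on a.account_id = c.account_id` yields one row per registered contact and the select has neither `distinct` nor aggregation, so an account with billing, operations and security contacts is reported three times for the same `resource`. Replace the join with an existence test: `case when exists (select 1 from aws_account_alternate_contact as c where c.account_id = a.account_id) then 'ok' else 'alarm' end`, and drop `c` from the `from` clause. Any contact type satisfies the check, which matches the Title, but a short comment above the query stating that the security contact specifically is not required here would save a reader from wondering.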
--- a/compliance/controls/baseline/aws/IAM/aws_allow_iam_users_to_change_their_own_password.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_allow_iam_users_to_change_their_own_password.yaml
@@ -1,38 +1,22 @@
 ID: aws_allow_iam_users_to_change_their_own_password
 Title: "Allow IAM Users to Change Their Own Password"
 Description: "Ensure that all IAM users are allowed to change their own console password."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- name as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/IAMUserChangePassword%' then 'ok'
- else 'alarm'
- end as status,
- case
- when attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/IAMUserChangePassword%' then 'user is able to change its own password'
- else 'user is not able to change its own password'
- end as reason
-
- , region, account_id
- from
- aws_iam_user v
+ QueryToExecute: "select\n name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/IAMUserChangePassword%' then 'ok'\n else 'alarm'\n end as status,\n case\n when attached_policy_arns::text LIKE '%arn:aws:iam::aws:policy/IAMUserChangePassword%' then 'user is able to change its own password'\n else 'user is not able to change its own password'\n end as reason\n \n , region, account_id\nfrom\n aws_iam_user v\n"
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 platform_score_use_case:
- - Problem Identities
+ - Problem Identities
 score_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 score_tags:
- - Problem Identities
+ - Problem Identities
+IntegrationTypeName:
+ - aws_cloud
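Review bot: The status test in the new `QueryToExecute` string inspects only `attached_policy_arns` of `aws_iam_user`, so a user who receives `IAMUserChangePassword` through a group-attached policy or an inline policy is reported as 'alarm'; if group-inherited grants are meant to count, the query should also consult the `groups` and `inline_policies_std` columns that sibling controls in this chunk read from the same table. The `::text LIKE '%…%'` comparison is also a substring match over the serialised array rather than a membership test. At minimum the Description should say what is actually evaluated, e.g. `Description: "Ensure that every IAM user has the IAMUserChangePassword managed policy directly attached."`.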
diff --git a/compliance/controls/baseline/aws/IAM/aws_approved_ecs_execute_command_access.yaml b/compliance/controls/baseline/aws/IAM/aws_approved_ecs_execute_command_access.yaml
index 46ca28aff..efb8ad467 100755
--- a/compliance/controls/baseline/aws/IAM/aws_approved_ecs_execute_command_access.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_approved_ecs_execute_command_access.yaml
@@ -1,120 +1,27 @@ ID: aws_approved_ecs_execute_command_access Title: "Approved ECS Execute Command Access" Description: "Ensure that all access to the ECS Execute Command action is approved" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name AS resource, - og_account_id, - og_resource_id, - 'aws_iam_user' as og_table_name, - CASE - WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm' - WHEN exists( - select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap - where p.policy::text like '%ecs:ExecuteCommand%' - ) and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action' - WHEN exists( - select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap - where p.policy::text like '%ecs:ExecuteCommand%' - ) and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action' - ELSE 'ok' - END AS reason, - region, - account_id - FROM - aws_iam_user - - UNION ALL - - SELECT - name AS resource, - og_account_id, - og_resource_id, - 'aws_iam_role' as og_table_name, - CASE - WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm' - WHEN exists( - select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap - where p.policy::text like '%ecs:ExecuteCommand%' - ) and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (inline_policies_std::text like 
'%ecs:ExecuteCommand%') and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action' - WHEN exists( - select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap - where p.policy::text like '%ecs:ExecuteCommand%' - ) and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action' - ELSE 'ok' - END AS reason, - region, - account_id - FROM - aws_iam_role - - UNION ALL - - SELECT - name AS resource, - og_account_id, - og_resource_id, - 'aws_iam_group' as og_table_name, - CASE - WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm' - WHEN exists( - select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap - where p.policy::text like '%ecs:ExecuteCommand%' - ) and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action' - WHEN exists( - select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap - where p.policy::text like '%ecs:ExecuteCommand%' - ) and - ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action' - ELSE 'ok' - END AS reason, - region, - account_id - FROM - aws_iam_group + QueryToExecute: "SELECT\n name AS resource,\n og_account_id,\n og_resource_id,\n 'aws_iam_user' as og_table_name,\n CASE\n WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm'\n WHEN exists(\n select 1 from 
jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap\n where p.policy::text like '%ecs:ExecuteCommand%'\n ) and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action'\n WHEN exists(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap\n where p.policy::text like '%ecs:ExecuteCommand%'\n ) and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action'\n ELSE 'ok'\n END AS reason,\n region, \n account_id\nFROM\n aws_iam_user\n\nUNION ALL\n\nSELECT\n name AS resource,\n og_account_id,\n og_resource_id,\n 'aws_iam_role' as og_table_name,\n CASE\n WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm'\n WHEN exists(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap\n where p.policy::text like '%ecs:ExecuteCommand%'\n ) and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action'\n WHEN exists(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap\n where p.policy::text like '%ecs:ExecuteCommand%'\n ) and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action'\n ELSE 'ok'\n END AS reason,\n region, \n account_id\nFROM\n aws_iam_role\n\nUNION ALL\n\nSELECT\n 
name AS resource,\n og_account_id,\n og_resource_id,\n 'aws_iam_group' as og_table_name,\n CASE\n WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm'\n WHEN exists(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap\n where p.policy::text like '%ecs:ExecuteCommand%'\n ) and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN (inline_policies_std::text like '%ecs:ExecuteCommand%') and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action'\n WHEN exists(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as ap left join aws_iam_policy as p on p.arn = ap\n where p.policy::text like '%ecs:ExecuteCommand%'\n ) and\n ('{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%') THEN 'user is not authorized to do this ecs action'\n ELSE 'ok'\n END AS reason,\n region, \n account_id\nFROM\n aws_iam_group\n" PrimaryTable: "" ListOfTables: - - aws_iam_group - - aws_iam_policy - - aws_iam_role - - aws_iam_user + - aws_iam_group + - aws_iam_policy + - aws_iam_role + - aws_iam_user Parameters: - Key: awsEcsExecuteCommandIamArns Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
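Review bot: The approval test `'{{.awsEcsExecuteCommandIamArns}}' not like '%' || arn || '%'` in the new `QueryToExecute` string is a substring match, so any principal whose ARN is a substring of an approved ARN (a user `…:user/ops` when `…:user/ops-team` is approved) is treated as approved; if the parameter is a delimited list, an exact membership test such as `arn = ANY(string_to_array('{{.awsEcsExecuteCommandIamArns}}', ','))` closes that gap. The template value is also rendered straight into a SQL string literal, so a parameter value containing a single quote breaks or alters the query; the value should be validated as ARN syntax before rendering. The same two issues apply to `'{{.awsApprovedIamUsers}}' LIKE '%' || name || '%'` in aws_check_that_only_safelisted_iam_users_exist and to the `'{{.awsTrustedAccounts}}' LIKE …` test in aws_check_for_untrusted_cross_account_iam_roles. Separately, the reason column's `ELSE 'ok'` returns a status word rather than an explanation; `ELSE 'no ecs:ExecuteCommand grant outside the approved list'` would match the other controls' style.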
diff --git a/compliance/controls/baseline/aws/IAM/aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances.yaml b/compliance/controls/baseline/aws/IAM/aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances.yaml
index ed499d93a..1ef68a6ca 100755
--- a/compliance/controls/baseline/aws/IAM/aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances.yaml
@@ -1,48 +1,25 @@ ID: aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances Title: "Attach Policy to IAM Roles Associated with App-Tier EC2 Instances" Description: "Ensure IAM policy for EC2 IAM roles for app tier is configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - instance_id as resource, - i.og_account_id, - i.og_resource_id, - case - when r.inline_policies is null and r.attached_policy_arns is null then 'alarm' - else 'ok' - end as status, - case - when i.iam_instance_profile_arn is null then instance_id || ' has no role attached' - when r.inline_policies is null and r.attached_policy_arns is null then instance_id || ' role does not have any policy' - else instance_id || ' role has policy' - end as reason, - i.region, - i.account_id - from - aws_ec2_instance as i - left join aws_iam_role as r on split_part(i.iam_instance_profile_arn, ':instance-profile/', 2) = r.name - where - i.tags::text like '%' || REPLACE(REPLACE(( - SELECT jsonb_object_agg(key, value)::text - FROM jsonb_each_text('{{.awsAppTierTags}}'::jsonb) - ), '{', ''), '}', '') || '%' + QueryToExecute: "select\n instance_id as resource,\n i.og_account_id,\n i.og_resource_id,\n case\n when r.inline_policies is null and r.attached_policy_arns is null then 'alarm'\n else 'ok'\n end as status,\n case\n when i.iam_instance_profile_arn is null then instance_id || ' has no role attached'\n when r.inline_policies is null and r.attached_policy_arns is null then instance_id || ' role does not have any policy'\n else instance_id || ' role has policy'\n end as reason,\n i.region, \n i.account_id\nfrom\n aws_ec2_instance as i\n left join aws_iam_role as r on split_part(i.iam_instance_profile_arn, ':instance-profile/', 2) = r.name\nwhere\n i.tags::text like '%' || REPLACE(REPLACE((\n SELECT jsonb_object_agg(key, value)::text\n FROM jsonb_each_text('{{.awsAppTierTags}}'::jsonb)\n ), '{', ''), '}', '') || '%'\n" PrimaryTable: aws_ec2_instance ListOfTables: - 
- aws_ec2_instance - - aws_iam_role + - aws_ec2_instance + - aws_iam_role Parameters: - Key: awsAppTierTags Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_canary_access_token.yaml b/compliance/controls/baseline/aws/IAM/aws_canary_access_token.yaml index bd7a9204a..ed302224e 100755 --- a/compliance/controls/baseline/aws/IAM/aws_canary_access_token.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_canary_access_token.yaml 
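Review bot: The join `split_part(i.iam_instance_profile_arn, ':instance-profile/', 2) = r.name` in the new `QueryToExecute` string equates the instance-profile name with the role name; AWS does not require those to be equal, so an instance whose profile name differs from its role name joins no `aws_iam_role` row and is reported 'alarm' with reason ' role does not have any policy' even though a role with policies is attached — worth confirming whether the ingested data guarantees equal names, or joining through whatever profile-to-role mapping the platform ingests. The tag filter `i.tags::text like '%' || … || '%'` is likewise a substring match on serialised JSON, so a configured tag value that is a prefix of an instance's value also selects that instance. A comment above `QueryToExecute` recording both assumptions would help the next reader.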
@@ -1,52 +1,24 @@
 ID: aws_canary_access_token
 Title: "Canary Access Token"
 Description: "Detects when a canary token access key has been used"
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with users as (
- select
- user_id,
- u.account_id
- from
- aws_iam_user as u
- left join aws_iam_credential_report as r on r.user_arn = u.arn
- where
- u.inline_policies is null and u.attached_policy_arns is null and
- ((not r.password_enabled::bool) and (r.access_key_1_active or r.access_key_2_active))
- )
-
- select
- account_id as resource,
- og_account_id,
- og_resource_id,
- case
- when exists(select 1 from users as u where u.account_id = a.account_id) then 'ok'
- else 'alarm'
- end as status,
- case
- when exists(select 1 from users as u where u.account_id = a.account_id) then 'Canary access tokens are used within your AWS account.'
- else ' anary access tokens are not currently used within your AWS account.'
- end as reason,
- region,
- account_id
- from
- aws_account as a
+ QueryToExecute: "with users as (\n select\n user_id,\n u.account_id\n from\n aws_iam_user as u\n left join aws_iam_credential_report as r on r.user_arn = u.arn\n where\n u.inline_policies is null and u.attached_policy_arns is null and \n ((not r.password_enabled::bool) and (r.access_key_1_active or r.access_key_2_active))\n)\n\nselect\n account_id as resource,\n og_account_id,\n og_resource_id,\n case\n when exists(select 1 from users as u where u.account_id = a.account_id) then 'ok'\n else 'alarm'\n end as status,\n case\n when exists(select 1 from users as u where u.account_id = a.account_id) then 'Canary access tokens are used within your AWS account.'\n else ' anary access tokens are not currently used within your AWS account.'\n end as reason,\n region, \n account_id\nfrom\n aws_account as a\n"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_credential_report
- - aws_iam_user
+ - aws_account
+ - aws_iam_credential_report
+ - aws_iam_user
 Parameters: []
 Severity: critical
 Tags:
 platform_score_cloud_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/baseline/aws/IAM/aws_check_for_iam_user_group_membership.yaml b/compliance/controls/baseline/aws/IAM/aws_check_for_iam_user_group_membership.yaml
index 800697008..2aeb91313 100755
--- a/compliance/controls/baseline/aws/IAM/aws_check_for_iam_user_group_membership.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_check_for_iam_user_group_membership.yaml
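Review bot: The reason string `' anary access tokens are not currently used within your AWS account.'` in the new `QueryToExecute` line carries over the old typo (missing leading "C" plus a leading space); since the line is being rewritten anyway it should read `else 'Canary access tokens are not currently used within your AWS account.'`. The Title and Description also say the control "Detects when a canary token access key has been used", but the query only tests whether policy-less users with an active access key exist — it never reads `access_key_1_last_used_date`/`access_key_2_last_used_date` from `aws_iam_credential_report`, which aws_credentials_last_used in this same chunk does consult. Either the Description should state that this checks for the presence of canary-style users, or the status branch should compare the last-used dates.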
@@ -1,38 +1,22 @@
 ID: aws_check_for_iam_user_group_membership
 Title: "Check for IAM User Group Membership"
 Description: "Ensure that all Amazon IAM users have group memberships."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- SELECT
- name as resource,
- og_resource_id,
- og_account_id,
- CASE
- WHEN groups is null THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN groups is null THEN name || ' does not belong to any IAM group.'
- ELSE name || ' belongs to at least one IAM group.'
- END AS reason,
- region,
- account_id
- FROM
- aws_iam_user
+ QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN groups is null THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN groups is null THEN name || ' does not belong to any IAM group.' \n ELSE name || ' belongs to at least one IAM group.'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_user\n"
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 platform_score_use_case:
- - Problem Identities
+ - Problem Identities
 score_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 score_tags:
- - Problem Identities
+ - Problem Identities
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/baseline/aws/IAM/aws_check_for_individual_iam_users.yaml b/compliance/controls/baseline/aws/IAM/aws_check_for_individual_iam_users.yaml
index 630f559db..88c55ff55 100755
--- a/compliance/controls/baseline/aws/IAM/aws_check_for_individual_iam_users.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_check_for_individual_iam_users.yaml
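Review bot: `WHEN groups is null THEN 'alarm'` in the new `QueryToExecute` string fires only when the column is SQL NULL; if `aws_iam_user.groups` is stored as an empty JSON array for users without group membership, such users are reported 'ok' — please confirm against the table schema, and if so guard both the status and the reason branch with `WHEN groups is null OR jsonb_array_length(groups) = 0 THEN 'alarm'`. A short comment above `QueryToExecute` stating which representation the column uses would stop the next reader from having to re-derive it.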
@@ -1,40 +1,23 @@
 ID: aws_check_for_individual_iam_users
 Title: "Check for Individual IAM Users"
 Description: "Ensure there is at least one IAM user used to access your AWS cloud account."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.account_id as resource,
- a.og_account_id,
- a.og_resource_id,
- case
- when user_id is null then 'alarm'
- else 'ok'
- end as status,
- case
- when u.user_id is null then a.account_id || ' account has no user'
- else a.account_id || ' account has user'
- end as reason,
- a.region,
- a.account_id
- from
- aws_account as a
- left join aws_iam_user as u on a.account_id = u.account_id
+ QueryToExecute: "select\n a.account_id as resource,\n a.og_account_id,\n a.og_resource_id,\n case\n when user_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when u.user_id is null then a.account_id || ' account has no user'\n else a.account_id || ' account has user'\n end as reason,\n a.region, \n a.account_id\nfrom\n aws_account as a\n left join aws_iam_user as u on a.account_id = u.account_id\n"
 PrimaryTable: aws_account
 ListOfTables:
- - aws_account
- - aws_iam_user
+ - aws_account
+ - aws_iam_user
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 platform_score_use_case:
- - Problem Identities
+ - Problem Identities
 score_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 score_tags:
- - Problem Identities
+ - Problem Identities
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/baseline/aws/IAM/aws_check_for_overly_permissive_iam_group_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_check_for_overly_permissive_iam_group_policies.yaml
index 71fa6ae31..f21e6fed1 100755
--- a/compliance/controls/baseline/aws/IAM/aws_check_for_overly_permissive_iam_group_policies.yaml
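Review bot: `aws_account as a left join aws_iam_user as u` in the new `QueryToExecute` string emits one row per IAM user, all carrying `a.account_id` as the resource, so an account with many users produces that many duplicate 'ok' findings while the 'alarm' case yields a single row. An `exists(select 1 from aws_iam_user as u where u.account_id = a.account_id)` test, as aws_canary_access_token in this chunk already does, gives exactly one row per account. The status branch also references the unqualified `user_id` while the reason branch uses `u.user_id`; qualifying both, `when u.user_id is null then 'alarm'`, avoids an ambiguous-column error should `aws_account` ever gain a column of that name.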
+++ b/compliance/controls/baseline/aws/IAM/aws_check_for_overly_permissive_iam_group_policies.yaml 
@@ -1,73 +1,23 @@ ID: aws_check_for_overly_permissive_iam_group_policies Title: "Check for Overly Permissive IAM Group Policies" Description: "Ensure that Amazon IAM policies attached to IAM groups aren't too permissive." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH too_permissive_policies AS ( - SELECT - arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) - - SELECT - name AS resource, - og_account_id, - og_resource_id, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null - ) THEN 'alarm' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null - ) THEN ' there is too permissive attached policy' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) THEN ' there is too permissive inline policy' - ELSE 'there is no too permissive policy' - END AS reason, - region, - account_id - FROM - aws_iam_group AS g + QueryToExecute: "WITH too_permissive_policies AS (\n SELECT\n arn\n FROM\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'Action') AS action\n WHERE\n action IN ('*', 
'*:*')\n AND s ->> 'Effect' = 'Allow'\n)\n\nSELECT\n name AS resource,\n og_account_id,\n og_resource_id,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null\n ) THEN 'alarm'\n WHEN EXISTS(\n SELECT 1 \n FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'Action') AS action\n WHERE\n action IN ('*', '*:*')\n AND s ->> 'Effect' = 'Allow'\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null\n ) THEN ' there is too permissive attached policy'\n WHEN EXISTS(\n SELECT 1 \n FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'Action') AS action\n WHERE\n action IN ('*', '*:*')\n AND s ->> 'Effect' = 'Allow'\n ) THEN ' there is too permissive inline policy'\n ELSE 'there is no too permissive policy'\n END AS reason,\n region, \n account_id\nFROM\n aws_iam_group AS g\n" PrimaryTable: aws_iam_group ListOfTables: - - aws_iam_group - - aws_iam_policy + - aws_iam_group + - aws_iam_policy Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
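Review bot: The permissiveness test in the new `QueryToExecute` string recognises only `Action` values `*` and `*:*` with `Effect = 'Allow'`; a statement using `NotAction` (which allows everything not listed) or a service-wide wildcard such as `iam:*` is reported 'ok'. If `policy_std` does not normalise a bare-string `Action` into an array, `jsonb_array_elements_text(s -> 'Action')` will raise rather than skip that statement — worth confirming the normalisation before relying on it. Cosmetically, the reason strings carry a leading space (`' there is too permissive attached policy'`) and the alias `AS g` is unused; both could be tidied while the line is being rewritten.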
diff --git a/compliance/controls/baseline/aws/IAM/aws_check_for_untrusted_cross_account_iam_roles.yaml b/compliance/controls/baseline/aws/IAM/aws_check_for_untrusted_cross_account_iam_roles.yaml
index 81f9e4672..e98f70796 100755
--- a/compliance/controls/baseline/aws/IAM/aws_check_for_untrusted_cross_account_iam_roles.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_check_for_untrusted_cross_account_iam_roles.yaml
@@ -1,58 +1,24 @@ ID: aws_check_for_untrusted_cross_account_iam_roles Title: "Check for Untrusted Cross-Account IAM Roles" Description: "Ensure that AWS IAM roles cannot be used by untrusted accounts via cross-account access feature." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(assume_role_policy::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '"*"' or - (s ->> 'Principal')::text = '{"AWS": "*"}') - ) THEN 'alarm' - WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok' - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(assume_role_policy::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and not('{{.awsTrustedAccounts}}' LIKE ('%'||((s -> 'Principal' ->> 'AWS')::text) || '%')) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(assume_role_policy::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '"*"' or - (s ->> 'Principal')::text = '{"AWS": "*"}') - ) THEN name || ' is publicly accessible' - WHEN '{{.awsTrustedAccounts}}' = '' THEN 'trusted AWS accounts are not defined' - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(assume_role_policy::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and not('{{.awsTrustedAccounts}}' LIKE ('%'||((s -> 'Principal' ->> 'AWS')::text) || '%')) - ) THEN name || ' is not configured to allow access only to trusted AWS accounts' - ELSE name || ' is configured to allow access only to trusted AWS accounts' - END AS reason, - region, - account_id - FROM - aws_iam_role + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(assume_role_policy::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = 
'\"*\"' or\n (s ->> 'Principal')::text = '{\"AWS\": \"*\"}')\n ) THEN 'alarm'\n WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok'\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(assume_role_policy::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and not('{{.awsTrustedAccounts}}' LIKE ('%'||((s -> 'Principal' ->> 'AWS')::text) || '%'))\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(assume_role_policy::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '\"*\"' or\n (s ->> 'Principal')::text = '{\"AWS\": \"*\"}')\n ) THEN name || ' is publicly accessible' \n WHEN '{{.awsTrustedAccounts}}' = '' THEN 'trusted AWS accounts are not defined'\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(assume_role_policy::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and not('{{.awsTrustedAccounts}}' LIKE ('%'||((s -> 'Principal' ->> 'AWS')::text) || '%'))\n ) THEN name || ' is not configured to allow access only to trusted AWS accounts'\n ELSE name || ' is configured to allow access only to trusted AWS accounts'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_role\n" PrimaryTable: aws_iam_role ListOfTables: - - aws_iam_role + - aws_iam_role Parameters: - Key: awsTrustedAccounts Required: false Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_check_that_only_safelisted_iam_users_exist.yaml b/compliance/controls/baseline/aws/IAM/aws_check_that_only_safelisted_iam_users_exist.yaml index 55aaaaa37..ce739c27b 100755 
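Review bot: `WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok'` in the new `QueryToExecute` string fails open: the parameter is `Required: false`, so when it is unset every role with a cross-account trust is counted as compliant while its own reason says 'trusted AWS accounts are not defined'. A missing allowlist should not produce 'ok'; `WHEN '{{.awsTrustedAccounts}}' = '' THEN 'skip'` (the status aws_credentials_last_used in this chunk uses for not-applicable rows) or 'alarm' keeps the gap visible in reports. Separately, `(s -> 'Principal' ->> 'AWS')::text` yields the serialised JSON array when a statement lists several principals, so the whole array text is compared against the allowlist as one string and such statements will likely be reported as untrusted even when every entry is trusted; expanding the array per principal would make the check exact.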
--- a/compliance/controls/baseline/aws/IAM/aws_check_that_only_safelisted_iam_users_exist.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_check_that_only_safelisted_iam_users_exist.yaml
@@ -1,40 +1,24 @@
 ID: aws_check_that_only_safelisted_iam_users_exist
 Title: "Check that only safelisted IAM Users exist"
 Description: "Ensure that only safelisted IAM Users exist within your AWS account."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- name as resource,
- og_account_id as og_account_id,
- og_resource_id as og_resource_id,
- case
- when '{{.awsApprovedIamUsers}}' LIKE '%' || name || '%' then 'ok'
- else 'alarm'
- end as status,
- case
- when '{{.awsApprovedIamUsers}}' LIKE '%' || name || '%' then name || ' user is approved'
- else name || ' user is not approved'
- end as reason,
- region,
- account_id
- from
- aws_iam_user v
+ QueryToExecute: "select\n name as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when '{{.awsApprovedIamUsers}}' LIKE '%' || name || '%' then 'ok'\n else 'alarm'\n end as status,\n case\n when '{{.awsApprovedIamUsers}}' LIKE '%' || name || '%' then name || ' user is approved'\n else name || ' user is not approved'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_user v\n"
 PrimaryTable: aws_iam_user
 ListOfTables:
- - aws_iam_user
+ - aws_iam_user
 Parameters:
 - Key: awsApprovedIamUsers
 Required: true
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 platform_score_use_case:
- - Problem Identities
+ - Problem Identities
 score_service_name:
- - AWS Identity and Access Management (IAM)
+ - AWS Identity and Access Management (IAM)
 score_tags:
- - Problem Identities
+ - Problem Identities
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/baseline/aws/IAM/aws_credentials_last_used.yaml b/compliance/controls/baseline/aws/IAM/aws_credentials_last_used.yaml
index c03968c10..e515b2f6e 100755
--- a/compliance/controls/baseline/aws/IAM/aws_credentials_last_used.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_credentials_last_used.yaml
@@ -1,79 +1,22 @@ ID: aws_credentials_last_used Title: "Credentials Last Used" Description: "Ensure that unused AWS IAM credentials are decommissioned to follow security best practices." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - user_name, - og_account_id, - og_resource_id, - CASE - WHEN not password_enabled::bool THEN 'skip' - WHEN password_last_used < NOW() - INTERVAL '90 days' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN not password_enabled::bool THEN 'password is disabled' - WHEN password_last_used < NOW() - INTERVAL '90 days' THEN 'the password is considered unused and its better to be removed' - ELSE 'the password is being used' - END AS reason, - region, - account_id - FROM aws_iam_credential_report - - UNION ALL - - SELECT - user_name, - og_account_id, - og_resource_id, - CASE - WHEN not access_key_1_active::bool THEN 'skip' - WHEN access_key_1_last_used_date < NOW() - INTERVAL '90 days' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN not access_key_1_active::bool THEN 'access key 1 is disabled' - WHEN access_key_1_last_used_date < NOW() - INTERVAL '90 days' THEN 'access key 1 is considered unused and its better to be removed' - ELSE 'access key 1 is being used' - END AS reason, - region, - account_id - FROM aws_iam_credential_report - - UNION ALL - - SELECT - user_name, - og_account_id, - og_resource_id, - CASE - WHEN not access_key_2_active::bool THEN 'skip' - WHEN access_key_2_last_used_date < NOW() - INTERVAL '90 days' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN not access_key_2_active::bool THEN 'access key 2 is disabled' - WHEN access_key_2_last_used_date < NOW() - INTERVAL '90 days' THEN 'access key 2 is considered unused and its better to be removed' - ELSE 'access key 2 is being used' - END AS reason, - region, - account_id - FROM aws_iam_credential_report; + QueryToExecute: "SELECT \n user_name, \n og_account_id,\n og_resource_id,\n CASE \n WHEN not password_enabled::bool THEN 
'skip'\n WHEN password_last_used < NOW() - INTERVAL '90 days' THEN 'alarm' \n ELSE 'ok'\n END AS status,\n CASE\n WHEN not password_enabled::bool THEN 'password is disabled'\n WHEN password_last_used < NOW() - INTERVAL '90 days' THEN 'the password is considered unused and its better to be removed'\n ELSE 'the password is being used'\n END AS reason,\n region, \n account_id\nFROM aws_iam_credential_report\n\nUNION ALL\n\nSELECT \n user_name, \n og_account_id,\n og_resource_id,\n CASE \n WHEN not access_key_1_active::bool THEN 'skip'\n WHEN access_key_1_last_used_date < NOW() - INTERVAL '90 days' THEN 'alarm' \n ELSE 'ok'\n END AS status,\n CASE\n WHEN not access_key_1_active::bool THEN 'access key 1 is disabled'\n WHEN access_key_1_last_used_date < NOW() - INTERVAL '90 days' THEN 'access key 1 is considered unused and its better to be removed'\n ELSE 'access key 1 is being used'\n END AS reason,\n region, \n account_id\nFROM aws_iam_credential_report\n\nUNION ALL\n\nSELECT \n user_name, \n og_account_id,\n og_resource_id,\n CASE \n WHEN not access_key_2_active::bool THEN 'skip'\n WHEN access_key_2_last_used_date < NOW() - INTERVAL '90 days' THEN 'alarm' \n ELSE 'ok'\n END AS status,\n CASE\n WHEN not access_key_2_active::bool THEN 'access key 2 is disabled'\n WHEN access_key_2_last_used_date < NOW() - INTERVAL '90 days' THEN 'access key 2 is considered unused and its better to be removed'\n ELSE 'access key 2 is being used'\n END AS reason,\n region, \n account_id\nFROM aws_iam_credential_report;\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Insecure Keys 
+ - Insecure Keys +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_cross_account_access_lacks_external_id_and_mfa.yaml b/compliance/controls/baseline/aws/IAM/aws_cross_account_access_lacks_external_id_and_mfa.yaml index 5ccb4e4e6..389bcd1da 100755 --- a/compliance/controls/baseline/aws/IAM/aws_cross_account_access_lacks_external_id_and_mfa.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_cross_account_access_lacks_external_id_and_mfa.yaml @@ -1,8 +1,6 @@ ID: aws_cross_account_access_lacks_external_id_and_mfa Title: "Cross-Account Access Lacks External ID and MFA" Description: "Ensure cross-account access roles are using Multi-Factor Authentication (MFA) or External IDs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -27,15 +25,17 @@ Query: jsonb_array_elements(assume_role_policy -> 'Statement') as s PrimaryTable: aws_iam_role ListOfTables: - - aws_iam_role + - aws_iam_role Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_ec2_purchase_restriction.yaml b/compliance/controls/baseline/aws/IAM/aws_ec2_purchase_restriction.yaml index ef455a290..e1d2863d3 100755 --- a/compliance/controls/baseline/aws/IAM/aws_ec2_purchase_restriction.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ec2_purchase_restriction.yaml 
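Review bot: A password or access key that is enabled but has never been used falls through to `ok`: if the collector stores an unused date as NULL (as a timestamp column would), `password_last_used < NOW() - INTERVAL '90 days'` evaluates to NULL, neither WHEN fires, and the row gets `'the password is being used'`; the same holds for `access_key_1_last_used_date` and `access_key_2_last_used_date` in the two UNION ALL branches. Never-used enabled credentials are exactly what this control should surface, so each alarm branch should also catch the NULL case, e.g. `WHEN password_last_used IS NULL OR password_last_used < NOW() - INTERVAL '90 days' THEN 'alarm'`. If the credential report table exposes creation dates, flagging only never-used credentials older than the threshold would be a stricter test, but that depends on columns not visible here.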
@@ -1,70 +1,21 @@ ID: aws_ec2_purchase_restriction Title: "Amazon EC2 Purchase Restriction" Description: "Restrict unintended IAM users from purchasing Amazon EC2 Reserved Instances and/or Savings Plans." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH too_permissive_policies AS ( - SELECT - arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan') - ) - - SELECT - name AS resource, - og_account_id, - og_resource_id, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null - ) and '{{.awsAllowedUsersPurchaseEc2}}' not like '%' || name || '%' THEN 'alarm' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan') - AND s ->> 'Effect' = 'Allow' - ) and '{{.awsAllowedUsersPurchaseEc2}}' not like '%' || name || '%' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null - ) and '{{.awsAllowedUsersPurchaseEc2}}' not like '%' || name || '%' THEN 'User has access to purchase ec2 but is not in your organization allowed list' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan') - AND s ->> 'Effect' = 'Allow' - ) and 
'{{.awsAllowedUsersPurchaseEc2}}' not like '%' || name || '%' THEN 'User has access to purchase ec2 but is not in your organization allowed list' - ELSE 'User either not have the access to purchase ec2 or is in the allowed list' - END AS reason, - region, - account_id - FROM - aws_iam_user + QueryToExecute: "WITH too_permissive_policies AS (\n SELECT\n arn\n FROM\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'Action') AS action\n WHERE\n action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan')\n)\n\nSELECT\n name AS resource,\n og_account_id,\n og_resource_id,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null\n ) and '{{.awsAllowedUsersPurchaseEc2}}' not like '%' || name || '%' THEN 'alarm'\n WHEN EXISTS(\n SELECT 1 \n FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'Action') AS action\n WHERE\n action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan')\n AND s ->> 'Effect' = 'Allow'\n ) and '{{.awsAllowedUsersPurchaseEc2}}' not like '%' || name || '%' THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null\n ) and '{{.awsAllowedUsersPurchaseEc2}}' not like '%' || name || '%' THEN 'User has access to purchase ec2 but is not in your organization allowed list'\n WHEN EXISTS(\n SELECT 1 \n FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'Action') AS action\n WHERE\n action IN ('ec2:PurchaseReservedInstancesOffering', 'savingsplans:CreateSavingsPlan')\n AND s ->> 
'Effect' = 'Allow'\n ) and '{{.awsAllowedUsersPurchaseEc2}}' not like '%' || name || '%' THEN 'User has access to purchase ec2 but is not in your organization allowed list'\n ELSE 'User either not have the access to purchase ec2 or is in the allowed list'\n END AS reason,\n region, \n account_id\nFROM\n aws_iam_user\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_policy - - aws_iam_user + - aws_iam_policy + - aws_iam_user Parameters: - Key: awsAllowedUsersPurchaseEc2 Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_enable_mfa_for_iam_users_with_console_password.yaml b/compliance/controls/baseline/aws/IAM/aws_enable_mfa_for_iam_users_with_console_password.yaml index e9cfbaff4..b0fd9e706 100755 --- a/compliance/controls/baseline/aws/IAM/aws_enable_mfa_for_iam_users_with_console_password.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_enable_mfa_for_iam_users_with_console_password.yaml 
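Review bot: The `too_permissive_policies` CTE matches any managed policy whose statement lists `ec2:PurchaseReservedInstancesOffering` or `savingsplans:CreateSavingsPlan` without checking the statement's Effect, while the inline-policy branch requires `s ->> 'Effect' = 'Allow'`; a policy that explicitly Denies those actions is therefore counted as granting them and the user is alarmed. Add `AND s ->> 'Effect' = 'Allow'` to the CTE's WHERE clause so both paths agree. The exact `action IN (...)` test also misses wildcard grants such as `ec2:*` or `*`, so users holding broad permissions are reported `ok`, and the allowed-list test `'{{.awsAllowedUsersPurchaseEc2}}' not like '%' || name || '%'` is a substring match that treats a user as allowed whenever a longer allowed name contains its name. Permissions inherited through group membership are not considered at all; whether group attachments are queryable depends on tables not visible here.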
@@ -1,38 +1,22 @@ ID: aws_enable_mfa_for_iam_users_with_console_password Title: "Enable MFA for IAM Users with Console Password" Description: "Ensure that Multi-Factor Authentication (MFA) is enabled for all Amazon IAM users with console access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN mfa_enabled = false or mfa_devices is null THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN mfa_enabled = false or mfa_devices is null THEN name || ' is not MFA-protected.' - ELSE name || ' is MFA-protected.' - END AS reason, - region, - account_id - FROM - aws_iam_user + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN mfa_enabled = false or mfa_devices is null THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN mfa_enabled = false or mfa_devices is null THEN name || ' is not MFA-protected.' \n ELSE name || ' is MFA-protected.'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_user\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user + - aws_iam_user Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_enforce_infrastructure_as_code_using_iam_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_enforce_infrastructure_as_code_using_iam_policies.yaml index dbd3d91a0..74786604a 100755 --- a/compliance/controls/baseline/aws/IAM/aws_enforce_infrastructure_as_code_using_iam_policies.yaml 
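Review bot: The query alarms on every `aws_iam_user` with `mfa_enabled = false or mfa_devices is null`, but the Title and Description scope this control to users with a console password; API-only users with no login profile have no reason to hold an MFA device and will be reported as alarms. Restricting to users with a console password — for instance by joining `aws_iam_credential_report` on the user ARN, as aws_hardware_mfa_for_aws_root_account does, and requiring `password_enabled::bool` — would make the result match the stated scope, with `'skip'` as the status for out-of-scope users if the join is kept outer. The exact join columns are not visible in this hunk, so confirm them against the collector.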
+++ b/compliance/controls/baseline/aws/IAM/aws_enforce_infrastructure_as_code_using_iam_policies.yaml 
@@ -1,72 +1,19 @@ ID: aws_enforce_infrastructure_as_code_using_iam_policies Title: "Enforce Infrastructure as Code using IAM Policies" Description: "Enforce Infrastructure as Code by controlling access for requests made on your behalf." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH too_permissive_policies AS ( - SELECT - arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'NotAction') AS notAction - WHERE - notAction IN ('cloudformation:*') - AND s ->> 'Effect' = 'Deny' - AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com' - ) - - SELECT - name AS resource, - og_account_id, - og_resource_id, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null - ) THEN 'ok' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'NotAction') AS notAction - WHERE - notAction IN ('cloudformation:*') - AND s ->> 'Effect' = 'Deny' - AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com' - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null - ) THEN 'IAM user is forced to deploy AWS resources via CloudFormation only' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'NotAction') AS notAction - WHERE - notAction IN ('cloudformation:*') - AND s ->> 'Effect' = 'Deny' - AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 
'cloudformation.amazonaws.com' - ) THEN 'IAM user is forced to deploy AWS resources via CloudFormation only' - ELSE 'IAM user is not forced to deploy AWS resources via CloudFormation only' - END AS reason, - region, - account_id - FROM - aws_iam_user AS g + QueryToExecute: "WITH too_permissive_policies AS (\n SELECT\n arn\n FROM\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'NotAction') AS notAction\n WHERE\n notAction IN ('cloudformation:*')\n AND s ->> 'Effect' = 'Deny'\n AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com'\n)\n\nSELECT\n name AS resource,\n og_account_id,\n og_resource_id,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null\n ) THEN 'ok'\n WHEN EXISTS(\n SELECT 1 \n FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'NotAction') AS notAction\n WHERE\n notAction IN ('cloudformation:*')\n AND s ->> 'Effect' = 'Deny'\n AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com'\n ) THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null\n ) THEN 'IAM user is forced to deploy AWS resources via CloudFormation only'\n WHEN EXISTS(\n SELECT 1 \n FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'NotAction') AS notAction\n WHERE\n notAction IN ('cloudformation:*')\n AND s ->> 'Effect' = 'Deny'\n AND (s -> 'Condition' -> 'StringNotEquals' ->> 'aws:CalledViaFirst') = 'cloudformation.amazonaws.com'\n ) THEN 'IAM user is 
forced to deploy AWS resources via CloudFormation only'\n ELSE 'IAM user is not forced to deploy AWS resources via CloudFormation only'\n END AS reason,\n region, \n account_id\nFROM\n aws_iam_user AS g\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_policy - - aws_iam_user + - aws_iam_policy + - aws_iam_user Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_expired_ssl_tls_certificate.yaml b/compliance/controls/baseline/aws/IAM/aws_expired_ssl_tls_certificate.yaml index 09a834994..05d8029d3 100755 --- a/compliance/controls/baseline/aws/IAM/aws_expired_ssl_tls_certificate.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_expired_ssl_tls_certificate.yaml 
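Review bot: The CTE name `too_permissive_policies` is misleading here: it collects the policies that *enforce* the CloudFormation-only Deny, and matching one yields `ok`, so a reader comparing this with the identically named CTE in aws_ec2_purchase_restriction (where a match means `alarm`) will read the logic backwards; rename it to something like `cloudformation_only_deny_policies`. The membership test `LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null` is an inner join written as an outer join plus a null filter and reads more clearly as `WHERE parn IN (SELECT arn FROM too_permissive_policies)`; the alias `g` on `aws_iam_user AS g` is unused. Policies attached through group membership are not considered, so a user who inherits the Deny from a group is still reported `alarm`; whether group attachments are queryable depends on tables not visible here.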
@@ -1,38 +1,22 @@ ID: aws_expired_ssl_tls_certificate Title: "Expired SSL/TLS Certificate" Description: "Ensure expired SSL/TLS certificates are removed from AWS IAM." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN expiration < now() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < now() THEN 'certificate has been expired' - ELSE 'certificate is not expired' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN expiration < now() THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN expiration < now() THEN 'certificate has been expired'\n ELSE 'certificate is not expired'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_server_certificate\n" PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Expiring Certificates + - Expiring Certificates score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Expiring Certificates + - Expiring Certificates +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_hardware_mfa_for_aws_root_account.yaml b/compliance/controls/baseline/aws/IAM/aws_hardware_mfa_for_aws_root_account.yaml index fcd052e05..6e4182e8e 100755 --- a/compliance/controls/baseline/aws/IAM/aws_hardware_mfa_for_aws_root_account.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_hardware_mfa_for_aws_root_account.yaml 
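Review bot: `expiration < now()` is NULL for a row whose `expiration` is NULL, so such a certificate is reported `ok` with reason `'certificate is not expired'`. If the collector can leave `expiration` unset, a separate `when expiration is null then 'skip'` branch (the status other controls in this directory use for out-of-scope rows) keeps the result honest. Minor: the alarm reason `'certificate has been expired'` would read better as `'certificate has expired'`.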
@@ -1,44 +1,23 @@ ID: aws_hardware_mfa_for_aws_root_account Title: "Hardware MFA for AWS Root Account" Description: "Ensure hardware MFA is enabled for the 'root' account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - (r.user_name || ' in account ' || r.account_id) as resource, - r.og_account_id, - r.og_resource_id, - case - when not r.mfa_active::bool then 'alarm' - when m.serial_number is not null then 'alarm' - else 'ok' - end as status, - case - when not r.mfa_active::bool then 'mfa is not activated' - when m.serial_number is not null then 'user is using virtual mfa' - else 'user is using hardware mfs' - end as reason, - r.region, - r.account_id - from - aws_iam_credential_report as r - left join aws_iam_virtual_mfa_device as m on (m.user -> 'Arn')::text = r.user_arn - where - r.user_name = '' + QueryToExecute: "select\n (r.user_name || ' in account ' || r.account_id) as resource,\n r.og_account_id,\n r.og_resource_id,\n case\n when not r.mfa_active::bool then 'alarm'\n when m.serial_number is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when not r.mfa_active::bool then 'mfa is not activated'\n when m.serial_number is not null then 'user is using virtual mfa'\n else 'user is using hardware mfs'\n end as reason,\n r.region, \n r.account_id\nfrom\n aws_iam_credential_report as r\n left join aws_iam_virtual_mfa_device as m on (m.user -> 'Arn')::text = r.user_arn\nwhere\n r.user_name = ''\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report - - aws_iam_virtual_mfa_device + - aws_iam_credential_report + - aws_iam_virtual_mfa_device Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - 
Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_findings.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_findings.yaml index 967a938f0..a6a292ba7 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_findings.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_findings.yaml 
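Review bot: The join condition `(m.user -> 'Arn')::text = r.user_arn` compares a JSON-encoded string (which, under PostgreSQL jsonb semantics, keeps its surrounding double quotes) against a plain text ARN, so it never matches; `m.serial_number` is then always NULL, the `'user is using virtual mfa'` branch is unreachable, and a root account protected only by a virtual MFA device passes as `ok`. Use the text extractor instead: `left join aws_iam_virtual_mfa_device as m on (m.user ->> 'Arn') = r.user_arn`. The filter `r.user_name = ''` as shown also matches no rows — the credential report names the root entry `<root_account>` — so unless that literal was lost in rendering, the control is vacuous. Minor: the `else` reason reads `'user is using hardware mfs'` where `mfa` is meant.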
@@ -1,42 +1,22 @@ ID: aws_iam_access_analyzer_findings Title: "IAM Access Analyzer Findings" Description: "Ensure that IAM Access Analyzer findings are reviewed and resolved to maintain access security to your AWS resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.name as resource, - a.og_account_id, - a.og_resource_id, - case - when exists ( - select 1 from jsonb_array_elements(findings) as f where (f ->> 'Status') = 'ACTIVE' - ) then 'alarm' - else 'ok' - end as status, - case - when exists ( - select 1 from jsonb_array_elements(findings) as f where (f ->> 'Status') = 'ACTIVE' - ) then 'There are unresolved findings in this analyzer' - else 'There is no unresolved findings in this analyzer' - end as reason, - a.region, - a.account_id - from - aws_accessanalyzer_analyzer as a + QueryToExecute: "select\n a.name as resource,\n a.og_account_id,\n a.og_resource_id,\n case\n when exists (\n select 1 from jsonb_array_elements(findings) as f where (f ->> 'Status') = 'ACTIVE'\n ) then 'alarm'\n else 'ok'\n end as status,\n case\n when exists (\n select 1 from jsonb_array_elements(findings) as f where (f ->> 'Status') = 'ACTIVE'\n ) then 'There are unresolved findings in this analyzer'\n else 'There is no unresolved findings in this analyzer'\n end as reason,\n a.region, \n a.account_id\nfrom\n aws_accessanalyzer_analyzer as a\n" PrimaryTable: aws_accessanalyzer_analyzer ListOfTables: - - aws_accessanalyzer_analyzer + - aws_accessanalyzer_analyzer Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_in_use.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_in_use.yaml
index 16b1b98c0..1e6e3ed4d 100755
--- a/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_in_use.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_iam_access_analyzer_in_use.yaml
@@ -1,43 +1,23 @@ ID: aws_iam_access_analyzer_in_use Title: "IAM Access Analyzer in Use" Description: "Ensure that IAM Access Analyzer feature is enabled to maintain access security to your AWS resources." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.account_id as resource, - a.og_account_id, - a.og_resource_id, - case - when exists ( - select 1 from aws_accessanalyzer_analyzer as an where a.account_id = an.account_id limit 1 - ) then 'ok' - else 'alarm' - end as status, - case - when exists ( - select 1 from aws_accessanalyzer_analyzer as an where a.account_id = an.account_id limit 1 - ) then 'Amazon IAM Access Analyzer feature is used to protect your cloud resources' - else 'There are no access analyzers available on this account' - end as reason, - a.region, - a.account_id - from - aws_account as a + QueryToExecute: "select\n a.account_id as resource,\n a.og_account_id,\n a.og_resource_id,\n case\n when exists (\n select 1 from aws_accessanalyzer_analyzer as an where a.account_id = an.account_id limit 1\n ) then 'ok'\n else 'alarm'\n end as status,\n case\n when exists (\n select 1 from aws_accessanalyzer_analyzer as an where a.account_id = an.account_id limit 1\n ) then 'Amazon IAM Access Analyzer feature is used to protect your cloud resources'\n else 'There are no access analyzers available on this account'\n end as reason,\n a.region, \n a.account_id\nfrom\n aws_account as a\n" PrimaryTable: aws_account ListOfTables: - - aws_accessanalyzer_analyzer - - aws_account + - aws_accessanalyzer_analyzer + - aws_account Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities 
+IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_group_with_inline_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_group_with_inline_policies.yaml index 075b8bbeb..60c2b2b6f 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_group_with_inline_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_group_with_inline_policies.yaml @@ -1,38 +1,22 @@ ID: aws_iam_group_with_inline_policies Title: "IAM Group With Inline Policies" Description: "Ensure IAM groups don't have inline policies attached." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - name as resource, - og_account_id, - og_resource_id, - case - when inline_policies is null then 'ok' - else 'alarm' - end as status, - case - when inline_policies is null then name || ' is not using inline policies' - else name || ' is using inline policies' - end as reason, - region, - account_id - from - aws_iam_group + QueryToExecute: "select\n name as resource,\n og_account_id,\n og_resource_id,\n case\n when inline_policies is null then 'ok'\n else 'alarm'\n end as status,\n case\n when inline_policies is null then name || ' is not using inline policies'\n else name || ' is using inline policies'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_group\n" PrimaryTable: aws_iam_group ListOfTables: - - aws_iam_group + - aws_iam_group Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
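Review bot: `exists (select 1 from aws_accessanalyzer_analyzer as an where a.account_id = an.account_id limit 1)` marks the whole account `ok` as soon as any analyzer row exists, regardless of the analyzer's status or region; IAM Access Analyzer is a regional service, so a single analyzer in one region leaves the other regions uncovered while the account is reported as protected. If the analyzer table exposes a status and region, the check should at least require an active analyzer and ideally be evaluated per region, but those columns are not visible here. The `limit 1` inside `exists (...)` is redundant and can be dropped.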
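Review bot: `when inline_policies is null then 'ok'` treats any non-NULL value as an attached inline policy, so if the collector stores an empty JSON array for groups without inline policies, every group is reported `alarm`. Guard the empty case as well, e.g. `when inline_policies is null or jsonb_array_length(inline_policies) = 0 then 'ok'` in both CASE expressions, assuming the column is a jsonb array like `inline_policies_std` elsewhere in this directory; confirm against the collector.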
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_groups_with_administrative_privileges.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_groups_with_administrative_privileges.yaml
index 952de8496..63d709d3b 100755
--- a/compliance/controls/baseline/aws/IAM/aws_iam_groups_with_administrative_privileges.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_iam_groups_with_administrative_privileges.yaml
@@ -1,38 +1,22 @@ ID: aws_iam_groups_with_administrative_privileges Title: "IAM Groups with Administrative Privileges" Description: "Ensure there are no IAM groups with administrative permissions available in your AWS cloud account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id, - og_resource_id, - case - when attached_policy_arns::text like '%arn:aws:iam::aws:policy/AdministratorAccess%' then 'alarm' - else 'ok' - end as status, - case - when attached_policy_arns::text like '%arn:aws:iam::aws:policy/AdministratorAccess%' then name || ' iam group has AWS administrator-level permissions' - else name || ' iam group does not have AWS administrator-level permissions' - end as reason, - region, - account_id - from - aws_iam_group + QueryToExecute: "select\n arn as resource,\n og_account_id,\n og_resource_id,\n case\n when attached_policy_arns::text like '%arn:aws:iam::aws:policy/AdministratorAccess%' then 'alarm'\n else 'ok'\n end as status,\n case\n when attached_policy_arns::text like '%arn:aws:iam::aws:policy/AdministratorAccess%' then name || ' iam group has AWS administrator-level permissions'\n else name || ' iam group does not have AWS administrator-level permissions'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_group\n" PrimaryTable: aws_iam_group ListOfTables: - - aws_iam_group + - aws_iam_group Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
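Review bot: `attached_policy_arns::text like '%arn:aws:iam::aws:policy/AdministratorAccess%'` is a substring test on the JSON text, so it also matches the narrower managed policy `AdministratorAccess-Amplify` and misses the same policy in non-`aws` partitions (`arn:aws-us-gov:...`, `arn:aws-cn:...`). An exact element match in the style the other controls in this directory use is more precise: `when exists (select 1 from jsonb_array_elements_text(attached_policy_arns) as p where p like 'arn:%:iam::aws:policy/AdministratorAccess') then 'alarm'`, applied in both the status and reason CASE. Customer-managed or inline policies granting `*` on `*` are not detected either; that scope limitation is worth stating in the Description.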
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_password_policy.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_password_policy.yaml
index 3cc1296a9..81f20c03d 100755
--- a/compliance/controls/baseline/aws/IAM/aws_iam_password_policy.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_iam_password_policy.yaml
@@ -1,40 +1,23 @@ ID: aws_iam_password_policy Title: "IAM Password Policy" Description: "Ensure that your AWS cloud account has a strong IAM password policy in use." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.account_id as resource, - a.og_account_id as og_account_id, - a.og_resource_id as og_resource_id, - case - when p.account_id is null then 'alarm' - else 'ok' - end as status, - case - when p.account_id is null then a.account_id || ' is not configured with a custom IAM password policy' - else a.account_id || ' is configured with a custom IAM password policy' - end as reason, - a.region, - a.account_id - from - aws_account a - left join aws_iam_account_password_policy as p on p.account_id = a.account_id + QueryToExecute: "select\n a.account_id as resource,\n a.og_account_id as og_account_id,\n a.og_resource_id as og_resource_id,\n case\n when p.account_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when p.account_id is null then a.account_id || ' is not configured with a custom IAM password policy'\n else a.account_id || ' is configured with a custom IAM password policy'\n end as reason,\n a.region, \n a.account_id\nfrom\n aws_account a\n left join aws_iam_account_password_policy as p on p.account_id = a.account_id\n" PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_iam_account_password_policy + - aws_account + - aws_iam_account_password_policy Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
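Review bot: The query only tests `p.account_id is null`, so any custom password policy, however weak, yields `ok`, while the Title and Description promise a check that the policy is "strong". The sibling expiry controls read `p.max_password_age` from the same `aws_iam_account_password_policy` table, so the attributes are available; at minimum the `alarm` branch should also cover a policy whose minimum length or rotation settings fall below the baseline you are enforcing (confirm the exact column names exposed by the table). If existence really is all this control is meant to assert, the Description should say "has a custom IAM password policy configured" instead of "strong", and the strength checks belong in a separate control.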
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_effect_set_to_allow_and_notaction.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_effect_set_to_allow_and_notaction.yaml index 90a720f8b..3e7cf521a 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_effect_set_to_allow_and_notaction.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_effect_set_to_allow_and_notaction.yaml 
@@ -1,39 +1,22 @@ ID: aws_iam_policies_with_effect_set_to_allow_and_notaction Title: "IAM Policies with Effect set to Allow and NotAction" Description: "Ensure that IAM policies do not use \"Allow\" in combination with \"NotAction\" element to follow IAM security best practices." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - name as resource, - og_account_id, - og_resource_id, - case - when (s -> 'NotAction' is not null and s ->> 'Effect' = 'Allow') then 'alarm' - else 'ok' - end as status, - case - when (s -> 'NotAction' is not null and s ->> 'Effect' = 'Allow') then name || ' has allowed nonAction policy' - else name || ' does not have allowed nonAction policy' - end as reason, - region, - account_id - from - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') as s + QueryToExecute: "select\n name as resource,\n og_account_id,\n og_resource_id,\n case\n when (s -> 'NotAction' is not null and s ->> 'Effect' = 'Allow') then 'alarm'\n else 'ok'\n end as status,\n case\n when (s -> 'NotAction' is not null and s ->> 'Effect' = 'Allow') then name || ' has allowed nonAction policy'\n else name || ' does not have allowed nonAction policy'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') as s\n" PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
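Review bot: Evaluating the case per `jsonb_array_elements(policy_std -> 'Statement')` row returns one result per statement, so a policy with several statements is reported several times under the same `resource`, with some rows `ok` and some `alarm`; whichever row the framework keeps last decides the verdict. The `resource` column is also `name`, which is not unique across accounts the way `arn` is. Fold the statement test into an `exists()` so the control emits exactly one row per policy, and report `arn`; if the table also carries AWS-managed policies (several of which legitimately use `NotAction`), consider restricting the query to customer-managed ones so the finding is actionable.
```yaml
  QueryToExecute: |
    select
      arn as resource,
      og_account_id,
      og_resource_id,
      case
        when exists (
          select 1
          from jsonb_array_elements(policy_std -> 'Statement') as s
          where s -> 'NotAction' is not null and s ->> 'Effect' = 'Allow'
        ) then 'alarm'
        else 'ok'
      end as status,
      -- … unchanged: reason case, using the same exists() predicate …
      region,
      account_id
    from
      aws_iam_policy
```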
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_full_administrative_privileges.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_full_administrative_privileges.yaml index 60cb8d865..2a1efe40f 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_full_administrative_privileges.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_policies_with_full_administrative_privileges.yaml 
@@ -1,39 +1,22 @@ ID: aws_iam_policies_with_full_administrative_privileges Title: "IAM Policies With Full Administrative Privileges" Description: "Ensure IAM policies that allow full '*:*' administrative privileges aren't created." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id, - og_resource_id, - case - when exists(select 1 from jsonb_array_elements_text(stmt -> 'Action') as a where a = '*') and stmt ->> 'Effect' = 'Allow' and stmt ->> 'Resource' = '["*"]' then 'alarm' - else 'ok' - end as status, - case - when exists(select 1 from jsonb_array_elements_text(stmt -> 'Action') as a where a = '*') and stmt ->> 'Effect' = 'Allow' and stmt ->> 'Resource' = '["*"]' then 'policy allows full administrative privileges' - else 'policy does not allow full administrative privileges' - end as reason, - region, - account_id - from - aws_iam_policy as p, - jsonb_array_elements(p.policy_std -> 'Statement') as stmt + QueryToExecute: "select\n arn as resource,\n og_account_id,\n og_resource_id,\n case\n when exists(select 1 from jsonb_array_elements_text(stmt -> 'Action') as a where a = '*') and stmt ->> 'Effect' = 'Allow' and stmt ->> 'Resource' = '[\"*\"]' then 'alarm'\n else 'ok'\n end as status,\n case\n when exists(select 1 from jsonb_array_elements_text(stmt -> 'Action') as a where a = '*') and stmt ->> 'Effect' = 'Allow' and stmt ->> 'Resource' = '[\"*\"]' then 'policy allows full administrative privileges'\n else 'policy does not allow full administrative privileges'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_policy as p,\n jsonb_array_elements(p.policy_std -> 'Statement') as stmt\n" PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities 
score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_role_policy_too_permissive.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_role_policy_too_permissive.yaml index b0dc3d4a5..e2a1e3242 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_role_policy_too_permissive.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_role_policy_too_permissive.yaml 
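Review bot: The admin test in this query is narrower than the one in the neighbouring `aws_iam_role_policy_too_permissive` control: it accepts only `a = '*'` and an exact `stmt ->> 'Resource' = '["*"]'`, so a statement with `Action: ["*:*"]`, or `Resource: ["*", "arn:..."]`, is reported `ok` even though it grants the same full access. Align the two by using `a in ('*', '*:*')` and a containment test on the resource list, `and stmt -> 'Resource' ? '*'`, which also survives any change in how `policy_std` serializes a single-element array. As in the sibling controls, the case runs once per statement, so a multi-statement policy produces multiple rows with the same `arn` and conflicting statuses; wrap the predicate in `exists(select 1 from jsonb_array_elements(p.policy_std -> 'Statement') as stmt where …)` so there is one row per policy.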
@@ -1,73 +1,23 @@ ID: aws_iam_role_policy_too_permissive Title: "IAM Role Policy Too Permissive" Description: "Ensure that the access policies attached to your IAM roles adhere to the principle of least privilege." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH too_permissive_policies AS ( - SELECT - arn - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) - - SELECT - name AS resource, - og_account_id, - og_resource_id, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null - ) THEN 'alarm' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null - ) THEN ' there is too permissive attached policy' - WHEN EXISTS( - SELECT 1 - FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s, - jsonb_array_elements_text(s -> 'Action') AS action - WHERE - action IN ('*', '*:*') - AND s ->> 'Effect' = 'Allow' - ) THEN ' there is too permissive inline policy' - ELSE 'there is no too permissive policy' - END AS reason, - region, - account_id - FROM - aws_iam_role AS r + QueryToExecute: "WITH too_permissive_policies AS (\n SELECT\n arn\n FROM\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'Action') AS action\n WHERE\n action IN ('*', '*:*')\n 
AND s ->> 'Effect' = 'Allow'\n)\n\nSELECT\n name AS resource,\n og_account_id,\n og_resource_id,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null\n ) THEN 'alarm'\n WHEN EXISTS(\n SELECT 1 \n FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'Action') AS action\n WHERE\n action IN ('*', '*:*')\n AND s ->> 'Effect' = 'Allow'\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null\n ) THEN ' there is too permissive attached policy'\n WHEN EXISTS(\n SELECT 1 \n FROM jsonb_array_elements(inline_policies_std) AS p, jsonb_array_elements(p -> 'PolicyDocument' -> 'Statement') AS s,\n jsonb_array_elements_text(s -> 'Action') AS action\n WHERE\n action IN ('*', '*:*')\n AND s ->> 'Effect' = 'Allow'\n ) THEN ' there is too permissive inline policy'\n ELSE 'there is no too permissive policy'\n END AS reason,\n region, \n account_id\nFROM\n aws_iam_role AS r\n" PrimaryTable: aws_iam_role ListOfTables: - - aws_iam_policy - - aws_iam_role + - aws_iam_policy + - aws_iam_role Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
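Review bot: Both `EXISTS(select 1 from jsonb_array_elements_text(attached_policy_arns) as parn LEFT JOIN too_permissive_policies AS tp ON parn = tp.arn where tp.arn is not null)` blocks are an inner join written as a left join plus a null filter; `EXISTS (select 1 from jsonb_array_elements_text(attached_policy_arns) as parn join too_permissive_policies as tp on tp.arn = parn)` says the same thing and is duplicated four times, so a CTE or a lateral subquery computing the verdict once would keep status and reason from drifting apart. Two reason strings also carry a leading space, `' there is too permissive attached policy'` and `' there is too permissive inline policy'`, which shows up verbatim in reports. Note that a statement granting `Allow` with `NotAction` on a short list is equivalent to `*` for everything else and is not caught here, and unlike `aws_iam_policies_with_full_administrative_privileges` the `Resource` of the statement is not considered; the Description should say which of the two definitions of "too permissive" this control implements.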
diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_server_certificate_size.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_server_certificate_size.yaml index 3b2c94ccb..8f1cf85e5 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_server_certificate_size.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_server_certificate_size.yaml @@ -1,34 +1,18 @@ ID: aws_iam_server_certificate_size Title: "AWS IAM Server Certificate Size" Description: "Ensure that all your SSL/TLS certificates are using either 2048 or 4096 bit RSA keys instead of 1024-bit keys." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN certificate_body_length < 2048 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN certificate_body_length < 2048 THEN 'The key length is 1024 therefore it is insecure' - ELSE 'Key is secure.' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN certificate_body_length < 2048 THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN certificate_body_length < 2048 THEN 'The key length is 1024 therefore it is insecure' \n ELSE 'Key is secure.'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_server_certificate\n" PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_support_role.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_support_role.yaml index 9f8f93d6e..1f7e80edb 100755 
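Review bot: `certificate_body_length < 2048` does not measure the key size the Description talks about: if the column is, as its name suggests, the character count of the PEM certificate body, a 2048-bit RSA certificate with few extensions can fall under 2048 characters and alarm, while a 1024-bit certificate padded by SANs and extensions can pass, and an ECDSA certificate will always alarm despite being stronger than RSA-2048. The reason string also asserts `'The key length is 1024 therefore it is insecure'` for every alarm, which the query never verifies. The key size has to be derived from the certificate's public key (a dedicated key-size or key-algorithm column if the collector provides one, otherwise by parsing the body upstream); until then the Description and reason should be reworded to say what is actually compared, for example `'Certificate body is shorter than 2048 characters; verify the key size manually'`.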
--- a/compliance/controls/baseline/aws/IAM/aws_iam_support_role.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_support_role.yaml 
@@ -1,51 +1,24 @@ ID: aws_iam_support_role Title: "IAM Support Role" Description: "Ensure there is an active IAM Support Role available within your AWS cloud account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with aws_support_access_roles as ( - select - arn, - account_id - from - aws_iam_role - where - attached_policy_arns::text ilike '%arn:aws:iam::aws:policy/AWSSupportAccess%' - ) - - select - a.account_id as resource, - a.og_account_id, - a.og_resource_id, - case - when r.arn is null then 'alarm' - else 'ok' - end as status, - case - when r.arn is null then 'there is no AWS Support Access role for this account' - else 'this account has AWS Support Access role' - end as reason, - a.region, - a.account_id - from - aws_account as a - left join aws_support_access_roles as r on a.account_id = r.account_id + QueryToExecute: "with aws_support_access_roles as (\n select \n arn,\n account_id \n from \n aws_iam_role \n where \n attached_policy_arns::text ilike '%arn:aws:iam::aws:policy/AWSSupportAccess%'\n)\n\nselect\n a.account_id as resource,\n a.og_account_id,\n a.og_resource_id,\n case\n when r.arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when r.arn is null then 'there is no AWS Support Access role for this account'\n else 'this account has AWS Support Access role'\n end as reason,\n a.region, \n a.account_id\nfrom\n aws_account as a\n left join aws_support_access_roles as r on a.account_id = r.account_id\n" PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_iam_role - - aws_support_access_roles + - aws_account + - aws_iam_role + - aws_support_access_roles Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - 
Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_no_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_no_policies.yaml index 4036c8042..5e874b9e8 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_no_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_no_policies.yaml 
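Review bot: `ListOfTables` still lists `aws_support_access_roles`, which is the CTE defined inside the query, not a table; anything that uses this list to resolve dependencies or schedule collection will look for a table that does not exist. Drop it so the list reads `- aws_account` / `- aws_iam_role` only. The `ilike '%arn:aws:iam::aws:policy/AWSSupportAccess%'` substring match on the serialized array has the same partition and prefix-collision problems as the group control; `attached_policy_arns ? 'arn:aws:iam::aws:policy/AWSSupportAccess'` is exact, and the Title's "active" support role is not something the query checks, since a role with that policy but an unassumable trust policy still counts as `ok`.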
@@ -1,38 +1,22 @@ ID: aws_iam_user_no_policies Title: "Receive Permissions via IAM Groups Only" Description: "Ensure that IAM users receive permissions only through IAM groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN attached_policy_arns is null and inline_policies is null THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN attached_policy_arns is null and inline_policies is null THEN name || ' does not receive access permissions through IAM groups only.' - ELSE name || ' does receive access permissions through IAM groups only.' - END AS reason, - region, - account_id - FROM - aws_iam_user + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN attached_policy_arns is null and inline_policies is null THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN attached_policy_arns is null and inline_policies is null THEN name || ' does not receive access permissions through IAM groups only.' \n ELSE name || ' does receive access permissions through IAM groups only.'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_user\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user + - aws_iam_user Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_30_days.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_30_days.yaml index 679b795c6..bf13e7d8d 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_30_days.yaml 
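Review bot: The two reason strings are swapped relative to the status: the `ok` branch (no attached and no inline policies) says `' does not receive access permissions through IAM groups only.'` and the `alarm` branch says `' does receive access permissions through IAM groups only.'`, so every report explains each finding with the opposite of what it found. Swap them: `WHEN attached_policy_arns is null and inline_policies is null THEN name || ' receives access permissions through IAM groups only.'` / `ELSE name || ' has policies attached directly and does not receive permissions through IAM groups only.'`. Also confirm how the collector represents "no policies": if it stores an empty JSON array rather than null, `is null` is false and every user alarms, in which case `coalesce(jsonb_array_length(attached_policy_arns), 0) = 0` is the safer test.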
+++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_30_days.yaml 
@@ -1,46 +1,23 @@ ID: aws_iam_user_password_expiry_30_days Title: "IAM User Password Expiry 30 Days" Description: "Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (30 Days)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - r.user_name as resource, - r.og_account_id, - r.og_resource_id, - case - when not password_enabled then 'skip' - when password_last_changed is null then 'alarm' - when password_next_rotation is not null then 'ok' - when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '30 days'::interval then 'alarm' - else 'ok' - end as status, - case - when not password_enabled then 'password not enabled' - when password_last_changed is null then 'password last change not recognized' - when password_next_rotation is not null then 'password has password policy' - when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '30 days'::interval then 'password is about to expire' - else 'password has been reseted recently' - end as reason, - r.region, - r.account_id - from - aws_iam_credential_report as r - left join aws_iam_account_password_policy as p on r.account_id = p.account_id + QueryToExecute: "select\n r.user_name as resource,\n r.og_account_id,\n r.og_resource_id,\n case\n when not password_enabled then 'skip'\n when password_last_changed is null then 'alarm'\n when password_next_rotation is not null then 'ok'\n when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '30 days'::interval then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then 'password not enabled'\n when password_last_changed is null then 'password last change not recognized'\n when password_next_rotation is not null then 'password has password policy'\n when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' 
days')::interval < now() - '30 days'::interval then 'password is about to expire'\n else 'password has been reseted recently'\n end as reason,\n r.region, \n r.account_id\nfrom\n aws_iam_credential_report as r\n left join aws_iam_account_password_policy as p on r.account_id = p.account_id\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_account_password_policy - - aws_iam_credential_report + - aws_iam_account_password_policy + - aws_iam_credential_report Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_7_days.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_7_days.yaml index bb1d0c6ec..4693cff89 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_7_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_7_days.yaml 
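Review bot: The expiry comparison is inverted: `password_last_changed::timestamp + max_age < now() - '30 days'::interval` is true only for passwords that expired more than 30 days ago, whereas "about to expire within 30 days" is `… < now() + '30 days'::interval`. Before that line is reached, `when password_next_rotation is not null then 'ok'` short-circuits every user whose account has a rotation policy, which is precisely the population this control exists for, so in practice the date arithmetic never runs; that branch should be removed or moved after the expiry check. `COALESCE(p.max_password_age, '90')` also invents a 90-day lifetime for accounts with no policy, where IAM passwords do not expire at all; returning `'skip'` with `'no password expiration policy configured'` would be more honest. Typo in the final reason: `reseted` → `reset`.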
@@ -1,46 +1,23 @@ ID: aws_iam_user_password_expiry_7_days Title: "IAM User Password Expiry 7 Days" Description: "Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (7 Days)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - r.user_name as resource, - r.og_account_id, - r.og_resource_id, - case - when not password_enabled then 'skip' - when password_last_changed is null then 'alarm' - when password_next_rotation is not null then 'ok' - when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '7 days'::interval then 'alarm' - else 'ok' - end as status, - case - when not password_enabled then 'password not enabled' - when password_last_changed is null then 'password last change not recognized' - when password_next_rotation is not null then 'password has password policy' - when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '7 days'::interval then 'password is about to expire' - else 'password has been reseted recently' - end as reason, - r.region, - r.account_id - from - aws_iam_credential_report as r - left join aws_iam_account_password_policy as p on r.account_id = p.account_id + QueryToExecute: "select\n r.user_name as resource,\n r.og_account_id,\n r.og_resource_id,\n case\n when not password_enabled then 'skip'\n when password_last_changed is null then 'alarm'\n when password_next_rotation is not null then 'ok'\n when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '7 days'::interval then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then 'password not enabled'\n when password_last_changed is null then 'password last change not recognized'\n when password_next_rotation is not null then 'password has password policy'\n when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' 
days')::interval < now() - '7 days'::interval then 'password is about to expire'\n else 'password has been reseted recently'\n end as reason,\n r.region, \n r.account_id\nfrom\n aws_iam_credential_report as r\n left join aws_iam_account_password_policy as p on r.account_id = p.account_id\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_account_password_policy - - aws_iam_credential_report + - aws_iam_account_password_policy + - aws_iam_credential_report Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_x_days.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_x_days.yaml index d0aa9483f..114d346a4 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_x_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_password_expiry_x_days.yaml 
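Review bot: This query is the 30-day control with one literal changed and inherits the same defects: `< now() - '7 days'::interval` flags passwords that expired over a week ago rather than ones expiring within a week (`now() + '7 days'::interval` is the intended bound), and the preceding `when password_next_rotation is not null then 'ok'` branch returns before the expiry arithmetic for any account that has a rotation policy. Since `aws_iam_user_password_expiry_x_days` already takes `awsIamUserPasswordExpirationDays` as a parameter, the 7- and 30-day variants could be thin instances of it instead of three copies of the same SQL to keep in sync. The reason string `'password has been reseted recently'` should read `reset`.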
@@ -1,48 +1,25 @@ ID: aws_iam_user_password_expiry_x_days Title: "IAM User Password Expiry X Days" Description: "Ensure AWS Identity and Access Management (IAM) user passwords are reset before expiration (X Days)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - r.user_name as resource, - r.og_account_id, - r.og_resource_id, - case - when not password_enabled then 'skip' - when password_last_changed is null then 'alarm' - when password_next_rotation is not null then 'ok' - when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '{{.awsIamUserPasswordExpirationDays}} days'::interval then 'alarm' - else 'ok' - end as status, - case - when not password_enabled then 'password not enabled' - when password_last_changed is null then 'password last change not recognized' - when password_next_rotation is not null then 'password has password policy' - when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '{{.awsIamUserPasswordExpirationDays}} days'::interval then 'password is about to expire' - else 'password has been reseted recently' - end as reason, - r.region, - r.account_id - from - aws_iam_credential_report as r - left join aws_iam_account_password_policy as p on r.account_id = p.account_id + QueryToExecute: "select\n r.user_name as resource,\n r.og_account_id,\n r.og_resource_id,\n case\n when not password_enabled then 'skip'\n when password_last_changed is null then 'alarm'\n when password_next_rotation is not null then 'ok'\n when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '{{.awsIamUserPasswordExpirationDays}} days'::interval then 'alarm'\n else 'ok'\n end as status,\n case\n when not password_enabled then 'password not enabled'\n when password_last_changed is null then 'password last change not recognized'\n when password_next_rotation is not null then 'password has 
password policy'\n when password_last_changed::timestamp + (COALESCE(p.max_password_age, '90') || ' days')::interval < now() - '{{.awsIamUserPasswordExpirationDays}} days'::interval then 'password is about to expire'\n else 'password has been reseted recently'\n end as reason,\n r.region, \n r.account_id\nfrom\n aws_iam_credential_report as r\n left join aws_iam_account_password_policy as p on r.account_id = p.account_id\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_account_password_policy - - aws_iam_credential_report + - aws_iam_account_password_policy + - aws_iam_credential_report Parameters: - Key: awsIamUserPasswordExpirationDays Required: true Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_policies.yaml index b9cf94a46..1eeae3459 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_policies.yaml 
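Review bot: `'{{.awsIamUserPasswordExpirationDays}} days'::interval` splices the parameter into a SQL string literal by text templating, and the schema only marks it `Required: true`; nothing here constrains it to an integer, so a non-numeric value is at best a runtime cast error and, if the parameter source is not trusted, a SQL injection point. Cast it explicitly and keep the literal numeric, for example `make_interval(days => {{.awsIamUserPasswordExpirationDays}})` rather than a quoted string, and document on the parameter that it must be a positive integer (the engine should reject anything else before rendering). The comparison shares the sign error of the fixed-day controls: `< now() - '… days'::interval` detects passwords expired that long ago, not ones expiring within the window, and the `password_next_rotation is not null then 'ok'` branch above it skips every user covered by a rotation policy.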
@@ -1,38 +1,22 @@ ID: aws_iam_user_policies Title: "IAM User Policies" Description: "Ensure AWS IAM policies are attached to groups instead of users as an IAM best practice." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - u.name as resource, - u.og_account_id, - u.og_resource_id, - case - when attached_policy_arns is null then 'ok' - else 'alarm' - end as status, - case - when attached_policy_arns is null then 'this user does not have any policies attached' - else 'policies are better to be attached to only iam groups' - end as reason, - u.region, - u.account_id - from - aws_iam_user as u + QueryToExecute: "select\n u.name as resource,\n u.og_account_id,\n u.og_resource_id,\n case\n when attached_policy_arns is null then 'ok'\n else 'alarm'\n end as status,\n case\n when attached_policy_arns is null then 'this user does not have any policies attached'\n else 'policies are better to be attached to only iam groups'\n end as reason,\n u.region, \n u.account_id\nfrom\n aws_iam_user as u\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user + - aws_iam_user Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_user_with_password_and_access_keys.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_user_with_password_and_access_keys.yaml index 0f0e13251..b5fd23478 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_user_with_password_and_access_keys.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_user_with_password_and_access_keys.yaml 
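Review bot: This control tests only `attached_policy_arns is null`, so a user carrying inline policies is reported `ok` even though inline policies are the more direct violation of "attach policies to groups instead of users"; the sibling `aws_iam_user_no_policies` checks `attached_policy_arns is null and inline_policies is null` on the same table and is otherwise the same control at a different severity. Either add `and inline_policies is null` here, or state in the Description that this control deliberately covers managed policies only, so the two do not look like a copy-paste divergence. The alarm reason `'policies are better to be attached to only iam groups'` does not name the user; `u.name || ' has managed policies attached directly; attach them to an IAM group instead'` reads better in a report.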
@@ -1,40 +1,23 @@ ID: aws_iam_user_with_password_and_access_keys Title: "IAM User with Password and Access Keys" Description: "Ensure that IAM users have either API access or console access in order to follow IAM security best practices." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - u.name as resource, - u.og_account_id, - u.og_resource_id, - case - when (login_profile ->> 'UserName' is not null) and (k.access_key_id is not null) then 'alarm' - else 'ok' - end as status, - case - when (login_profile ->> 'UserName' is not null) and (k.access_key_id is not null) then u.name || ' is being used for both API access or for management console access ' - else u.name || ' is either being used for API access or for management console access ' - end as reason, - u.region, - u.account_id - from - aws_iam_user as u - left join aws_iam_access_key as k on u.name = k.user_name + QueryToExecute: "select\n u.name as resource,\n u.og_account_id,\n u.og_resource_id,\n case\n when (login_profile ->> 'UserName' is not null) and (k.access_key_id is not null) then 'alarm'\n else 'ok'\n end as status,\n case\n when (login_profile ->> 'UserName' is not null) and (k.access_key_id is not null) then u.name || ' is being used for both API access or for management console access '\n else u.name || ' is either being used for API access or for management console access '\n end as reason,\n u.region, \n u.account_id\nfrom\n aws_iam_user as u\n left join aws_iam_access_key as k on u.name = k.user_name\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_access_key - - aws_iam_user + - aws_iam_access_key + - aws_iam_user Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) 
score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_users_unauthorized_to_edit_access_policies.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_users_unauthorized_to_edit_access_policies.yaml index 11e0114c8..ae771f4ea 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_users_unauthorized_to_edit_access_policies.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_users_unauthorized_to_edit_access_policies.yaml 
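Review bot: `left join aws_iam_access_key as k on u.name = k.user_name` joins on the user name alone, so in a multi-account collection a console user named `admin` in one account is paired with the access keys of `admin` in every other account and raised as a false positive; the join needs `and u.account_id = k.account_id`. A user with two access keys also produces two rows with the same `resource`, so an `exists (select 1 from aws_iam_access_key k where k.user_name = u.name and k.account_id = u.account_id)` predicate inside the case is cleaner than the join. The reason text `' is being used for both API access or for management console access '` should read `' has both a console password and access keys'` (and the `ok` text `' has either a console password or access keys, not both'`), without the trailing space.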
@@ -1,81 +1,25 @@ ID: aws_iam_users_unauthorized_to_edit_access_policies Title: "IAM Users Unauthorized to Edit Access Policies" Description: "Ensure AWS IAM users that are not authorized to edit IAM access policies are decommissioned.." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH authorize_to_edit_policy AS ( - SELECT - arn, - (select ARRAY_AGG(action) from jsonb_array_elements_text(s -> 'Action') AS action) - FROM - aws_iam_policy, - jsonb_array_elements(policy_std -> 'Statement') AS s - WHERE - ((select ARRAY_AGG(action) from jsonb_array_elements_text(s -> 'Action') AS action) @> ARRAY[ - 'iam:CreatePolicy', - 'iam:CreatePolicyVersion', - 'iam:DeleteGroupPolicy', - 'iam:DeletePolicy', - 'iam:DeletePolicyVersion', - 'iam:DeleteRolePolicy', - 'iam:DeleteUserPolicy', - 'iam:DetachGroupPolicy', - 'iam:DetachRolePolicy', - 'iam:DetachUserPolicy', - 'iam:PutGroupPolicy', - 'iam:PutRolePolicy', - 'iam:PutUserPolicy', - 'iam:UpdateAssumeRolePolicy' - ] - and - (s ->> 'Effect') = 'Allow') - or - ((select ARRAY_AGG(action) from jsonb_array_elements_text(s -> 'Action') AS action) @> ARRAY[ - 'iam:*' - ] - and - (s ->> 'Effect') = 'Allow') - ) - - SELECT - name AS resource, - og_account_id, - og_resource_id, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN authorize_to_edit_policy AS ep ON parn = ep.arn where ep.arn is not null - ) and ('{{.awsIamUsersAuthorizedToEditPolicy}}' not like '%' || user_id || '%') THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS( - select 1 from jsonb_array_elements_text(attached_policy_arns) as parn - LEFT JOIN authorize_to_edit_policy AS ep ON parn = ep.arn where ep.arn is not null - ) and ('{{.awsIamUsersAuthorizedToEditPolicy}}' not like '%' || user_id || '%') THEN 'this iam user is not authorized to edit policies' - ELSE 'ok' - END AS reason, - region, - account_id - FROM - aws_iam_user + QueryToExecute: "WITH authorize_to_edit_policy AS 
(\n SELECT\n arn,\n (select ARRAY_AGG(action) from jsonb_array_elements_text(s -> 'Action') AS action)\n FROM\n aws_iam_policy,\n jsonb_array_elements(policy_std -> 'Statement') AS s\n WHERE \n ((select ARRAY_AGG(action) from jsonb_array_elements_text(s -> 'Action') AS action) @> ARRAY[\n 'iam:CreatePolicy',\n 'iam:CreatePolicyVersion',\n 'iam:DeleteGroupPolicy',\n 'iam:DeletePolicy',\n 'iam:DeletePolicyVersion',\n 'iam:DeleteRolePolicy',\n 'iam:DeleteUserPolicy',\n 'iam:DetachGroupPolicy',\n 'iam:DetachRolePolicy',\n 'iam:DetachUserPolicy',\n 'iam:PutGroupPolicy',\n 'iam:PutRolePolicy',\n 'iam:PutUserPolicy',\n 'iam:UpdateAssumeRolePolicy'\n ]\n and\n (s ->> 'Effect') = 'Allow')\n or \n ((select ARRAY_AGG(action) from jsonb_array_elements_text(s -> 'Action') AS action) @> ARRAY[\n 'iam:*'\n ]\n and\n (s ->> 'Effect') = 'Allow')\n )\n\nSELECT\n name AS resource,\n og_account_id,\n og_resource_id,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN authorize_to_edit_policy AS ep ON parn = ep.arn where ep.arn is not null\n ) and ('{{.awsIamUsersAuthorizedToEditPolicy}}' not like '%' || user_id || '%') THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS(\n select 1 from jsonb_array_elements_text(attached_policy_arns) as parn\n LEFT JOIN authorize_to_edit_policy AS ep ON parn = ep.arn where ep.arn is not null\n ) and ('{{.awsIamUsersAuthorizedToEditPolicy}}' not like '%' || user_id || '%') THEN 'this iam user is not authorized to edit policies'\n ELSE 'ok'\n END AS reason,\n region, \n account_id\nFROM\n aws_iam_user\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_policy - - aws_iam_user + - aws_iam_policy + - aws_iam_user Parameters: - Key: awsIamUsersAuthorizedToEditPolicy Required: true Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem 
Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_iam_users_with_administrative_privileges.yaml b/compliance/controls/baseline/aws/IAM/aws_iam_users_with_administrative_privileges.yaml index 67ef9efdc..e7c7bc622 100755 --- a/compliance/controls/baseline/aws/IAM/aws_iam_users_with_administrative_privileges.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_iam_users_with_administrative_privileges.yaml 
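Review bot: The `@>` containment test in the `authorize_to_edit_policy` CTE matches only statements whose `Action` array contains all fourteen listed `iam:` actions (or `iam:*`), so a policy that grants just `iam:PutUserPolicy` is never classified as policy-editing and its users pass silently; the overlap operator `&&` is the test that matches "any of these actions". The allow-list check `'{{.awsIamUsersAuthorizedToEditPolicy}}' not like '%' || user_id || '%'` is a substring match, so a user whose id happens to be a substring of a listed id is exempted too. The parameter value is spliced into the SQL text before execution, so the loader should validate it as a list of IAM user ids here, and as a plain integer for `awsSshPublicKeyRotateDays` and `awsIamServerCertificateAge` in the aws_ssh_public_keys_rotated_x_days and aws_ssl_tls_certificate_expiry_x_days hunks below, rather than trusting the value as-is. Only `attached_policy_arns` is inspected; inline user policies and policies reached through group membership are not covered, if the table exposes them.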
@@ -1,46 +1,22 @@ ID: aws_iam_users_with_administrative_privileges Title: "IAM Users with Administrative Privileges" Description: "Ensure there are no IAM users with administrative permissions available in your AWS cloud account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns::jsonb) AS elem - WHERE SUBSTRING(elem::text FROM 'policy/(.*)') = 'AdministratorAccess' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements_text(attached_policy_arns::jsonb) AS elem - WHERE SUBSTRING(elem::text FROM 'policy/(.*)') = 'AdministratorAccess' - ) THEN name || ' has administrator access' - ELSE name || ' does not have administrator access' - END AS reason, - region, - account_id - FROM - aws_iam_user + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN EXISTS (\n SELECT 1\n FROM jsonb_array_elements_text(attached_policy_arns::jsonb) AS elem\n WHERE SUBSTRING(elem::text FROM 'policy/(.*)') = 'AdministratorAccess'\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS (\n SELECT 1\n FROM jsonb_array_elements_text(attached_policy_arns::jsonb) AS elem\n WHERE SUBSTRING(elem::text FROM 'policy/(.*)') = 'AdministratorAccess'\n ) THEN name || ' has administrator access' \n ELSE name || ' does not have administrator access'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_user\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user + - aws_iam_user Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: 
- - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_inactive_iam_console_user.yaml b/compliance/controls/baseline/aws/IAM/aws_inactive_iam_console_user.yaml index b31e44d47..d20de5434 100755 --- a/compliance/controls/baseline/aws/IAM/aws_inactive_iam_console_user.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_inactive_iam_console_user.yaml 
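Review bot: The administrator check inspects only `attached_policy_arns` for a managed policy whose ARN ends in `AdministratorAccess`, so users who receive equivalent rights through group membership, inline policies, or a customer-managed policy granting `*` are reported as `ok`, if those are exposed by `aws_iam_user` — that limit should be stated in the Description or the query widened. The identical `EXISTS (...)` subquery is evaluated twice, once for `status` and once for `reason`; computing it once in a CTE or a `LATERAL` join keeps the two branches from drifting apart.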
@@ -1,46 +1,23 @@ ID: aws_inactive_iam_console_user Title: "Inactive IAM Console User" Description: "Ensure no AWS IAM users have been inactive for a long (specified) period of time." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - u.og_resource_id, - u.og_account_id, - CASE - WHEN (k.access_key_id is null and - (password_last_used is null or - password_last_used::timestamp < now() - '90 days'::interval) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN (k.access_key_id is null and - (password_last_used is null or - password_last_used::timestamp < now() - '90 days'::interval) - ) THEN 'certificate has been expired' - ELSE 'certificate is not expired' - END AS reason, - u.region, - u.account_id - FROM - aws_iam_user AS u - LEFT JOIN aws_iam_access_key AS k ON u.name = k.user_name + QueryToExecute: "SELECT \n name as resource,\n u.og_resource_id,\n u.og_account_id,\n CASE\n WHEN (k.access_key_id is null and \n (password_last_used is null or\n password_last_used::timestamp < now() - '90 days'::interval)\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN (k.access_key_id is null and \n (password_last_used is null or\n password_last_used::timestamp < now() - '90 days'::interval)\n ) THEN 'certificate has been expired'\n ELSE 'certificate is not expired'\n END AS reason,\n u.region,\n u.account_id\nFROM \n aws_iam_user AS u\n LEFT JOIN aws_iam_access_key AS k ON u.name = k.user_name\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_access_key - - aws_iam_user + - aws_iam_access_key + - aws_iam_user Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities 
+IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_mfa_device_deactivated.yaml b/compliance/controls/baseline/aws/IAM/aws_mfa_device_deactivated.yaml index b6a34e6f6..e68b32845 100755 --- a/compliance/controls/baseline/aws/IAM/aws_mfa_device_deactivated.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_mfa_device_deactivated.yaml @@ -1,8 +1,6 @@ ID: aws_mfa_device_deactivated Title: "MFA Device Deactivated" Description: "A Multi-Factor Authentication (MFA) device deactivation for an IAM user has been detected." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,16 +23,18 @@ Query: left join aws_iam_virtual_mfa_device as mfa on a.user_id = mfa.user_id PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_user - - aws_iam_virtual_mfa_device + - aws_iam_user + - aws_iam_virtual_mfa_device Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_multi_account_centralized_management.yaml b/compliance/controls/baseline/aws/IAM/aws_multi_account_centralized_management.yaml index 8bce5ce58..f681f32c3 100755 --- a/compliance/controls/baseline/aws/IAM/aws_multi_account_centralized_management.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_multi_account_centralized_management.yaml 
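Review bot: The `reason` strings in aws_inactive_iam_console_user look copy-pasted from a certificate control — `'certificate has been expired'` / `'certificate is not expired'` say nothing about the user being evaluated; something like `THEN name || ' has no access key and has not used its password in 90 days'` and `ELSE name || ' is active'` would match the status. The 90-day window is hard-coded although the Description promises a "(specified) period"; the `{{.param}}` mechanism used by aws_ssh_public_keys_rotated_x_days would make it configurable. The `LEFT JOIN aws_iam_access_key` also yields one row per key, so a user with several keys is reported several times.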
@@ -1,40 +1,22 @@ ID: aws_multi_account_centralized_management Title: "AWS Multi-Account Centralized Management" Description: "Set up, organize and manage your AWS accounts for optimal security and manageability." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - organization_id as resource, - og_account_id, - og_resource_id, - CASE - WHEN count(*) = 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN count(*) = 1 THEN organization_id || ' only has one account' - ELSE organization_id || ' has multiple accounts' - END AS reason - FROM - aws_account - GROUP BY - organization_id, - og_account_id, - og_resource_id; + QueryToExecute: "SELECT \n organization_id as resource,\n og_account_id,\n og_resource_id,\n CASE\n WHEN count(*) = 1 THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN count(*) = 1 THEN organization_id || ' only has one account' \n ELSE organization_id || ' has multiple accounts'\n END AS reason\nFROM \n aws_account\nGROUP BY\n organization_id,\n og_account_id,\n og_resource_id;\n" PrimaryTable: aws_account ListOfTables: - - aws_account + - aws_account Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Tolerate Failures + - Tolerate Failures score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Tolerate Failures + - Tolerate Failures +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_pre_heartbleed_server_certificates.yaml b/compliance/controls/baseline/aws/IAM/aws_pre_heartbleed_server_certificates.yaml index a9d40b264..aae748c03 100755 --- a/compliance/controls/baseline/aws/IAM/aws_pre_heartbleed_server_certificates.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_pre_heartbleed_server_certificates.yaml 
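Review bot: Grouping by `og_resource_id` together with `organization_id` most likely collapses every group to a single `aws_account` row, so `count(*) = 1` holds for each organization and the control always reports `alarm` — this assumes `og_resource_id` is unique per account row, which the column name suggests. Counting accounts per organization needs `GROUP BY organization_id` alone, with `og_account_id`/`og_resource_id` taken through an aggregate such as `min(...)` or dropped from the select list, plus a `WHERE organization_id IS NOT NULL` guard so accounts outside any organization are not pooled into one null bucket.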
@@ -1,38 +1,22 @@ ID: aws_pre_heartbleed_server_certificates Title: "Pre-Heartbleed Server Certificates" Description: "Ensure that your server certificates are not vulnerable to Heartbleed security bug." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN upload_date < '2014-04-01' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN upload_date < '2014-04-01' THEN name || ' is vulnerable to Heartbleed security bug.' - ELSE name || ' is vulnerable to Heartbleed security bug.' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN upload_date < '2014-04-01' THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN upload_date < '2014-04-01' THEN name || ' is vulnerable to Heartbleed security bug.' \n ELSE name || ' is vulnerable to Heartbleed security bug.'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_server_certificate\n" PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_root_account_access_keys_present.yaml b/compliance/controls/baseline/aws/IAM/aws_root_account_access_keys_present.yaml index e010c9133..955cfec95 100755 --- a/compliance/controls/baseline/aws/IAM/aws_root_account_access_keys_present.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_root_account_access_keys_present.yaml 
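Review bot: Both branches of the `reason` CASE emit `' is vulnerable to Heartbleed security bug.'`, so a certificate that passes (`upload_date >= '2014-04-01'`) is still described as vulnerable; the ELSE branch should read `ELSE name || ' is not vulnerable to Heartbleed security bug.'`. The `upload_date` cut-off is only a proxy — a key generated on an unpatched host and uploaded later is not caught — which the Description could acknowledge.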
@@ -1,40 +1,23 @@ ID: aws_root_account_access_keys_present Title: "Root Account Access Keys Present" Description: "Ensure that your AWS root account is not using access keys as a security best practice." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - u.og_resource_id, - u.og_account_id, - CASE - WHEN r.access_key_1_active or r.access_key_2_active THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN r.access_key_1_active or r.access_key_2_active THEN u.name || ' does not have any active access key pair' - ELSE u.name || ' has at least one active access key pair.' - END AS reason, - u.region, - u.account_id - FROM - aws_iam_user AS u - LEFT JOIN aws_iam_credential_report AS r ON u.name = r.user_name + QueryToExecute: "SELECT \n name as resource,\n u.og_resource_id,\n u.og_account_id,\n CASE\n WHEN r.access_key_1_active or r.access_key_2_active THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN r.access_key_1_active or r.access_key_2_active THEN u.name || ' does not have any active access key pair'\n ELSE u.name || ' has at least one active access key pair.'\n END AS reason,\n u.region,\n u.account_id\nFROM \n aws_iam_user AS u\n LEFT JOIN aws_iam_credential_report AS r ON u.name = r.user_name\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_credential_report - - aws_iam_user + - aws_iam_credential_report + - aws_iam_user Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - aws_cloud 
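Review bot: The `status` CASE is inverted: `WHEN r.access_key_1_active or r.access_key_2_active THEN 'ok' ELSE 'alarm'` marks a user with an active access key as passing, which contradicts the Title and the reason text (`' does not have any active access key pair'` is emitted exactly when a key is active); swap the branches to `THEN 'alarm' ELSE 'ok'` and swap the two reason strings. The query also joins every `aws_iam_user` to the credential report and never restricts to the root entry, unlike the sibling root controls in this diff that filter `where user_name = ''`, so it evaluates ordinary IAM users rather than the root account. Since root is not an IAM user, driving the query from `aws_iam_credential_report` with a root filter, as those siblings do, is the only way to reach it.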
diff --git a/compliance/controls/baseline/aws/IAM/aws_root_account_active_signing_certificates.yaml b/compliance/controls/baseline/aws/IAM/aws_root_account_active_signing_certificates.yaml index 052f04335..bbce19f82 100755 --- a/compliance/controls/baseline/aws/IAM/aws_root_account_active_signing_certificates.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_root_account_active_signing_certificates.yaml 
@@ -1,40 +1,22 @@ ID: aws_root_account_active_signing_certificates Title: "Root Account Active Signing Certificates" Description: "Ensure that your AWS root account user is not using X.509 certificates to validate API requests." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - (user_name || ' in account ' || account_id) as resource, - og_account_id, - og_resource_id, - case - when cert_1_active or cert_2_active then 'alarm' - else 'ok' - end as status, - case - when cert_1_active or cert_2_active then 'is using X.509 certificates to perform SOAP-protocol requests to AWS services. It is better to be disabled' - else 'is not using X.509 certificates to perform SOAP-protocol requests to AWS services' - end as reason, - region, - account_id - from - aws_iam_credential_report - where - user_name = '' + QueryToExecute: "select\n (user_name || ' in account ' || account_id) as resource,\n og_account_id,\n og_resource_id,\n case\n when cert_1_active or cert_2_active then 'alarm'\n else 'ok'\n end as status,\n case\n when cert_1_active or cert_2_active then 'is using X.509 certificates to perform SOAP-protocol requests to AWS services. It is better to be disabled'\n else 'is not using X.509 certificates to perform SOAP-protocol requests to AWS services'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_credential_report\nwhere\n user_name = ''\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - aws_cloud 
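Review bot: The root entry is selected with `where user_name = ''`; in the AWS credential report the root principal is listed as `<root_account>`, so if `aws_iam_credential_report` carries that value through unchanged this predicate matches no row and the control produces no findings for any account — confirm against the table schema and, if so, use `user_name = '<root_account>'`. The same filter is used in aws_root_account_credentials_usage and aws_root_mfa_enabled below. A control that returns zero rows should be distinguishable from a passing one; emitting an explicit row with a distinct status when the root entry is absent would make the gap visible.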
diff --git a/compliance/controls/baseline/aws/IAM/aws_root_account_credentials_usage.yaml b/compliance/controls/baseline/aws/IAM/aws_root_account_credentials_usage.yaml index 0f8f57dac..e1f4e93b9 100755 --- a/compliance/controls/baseline/aws/IAM/aws_root_account_credentials_usage.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_root_account_credentials_usage.yaml 
@@ -1,40 +1,22 @@ ID: aws_root_account_credentials_usage Title: "Root Account Credentials Usage" Description: "Ensure that root account credentials have not been used recently to access your AWS account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - (user_name || ' in account ' || account_id) as resource, - og_account_id, - og_resource_id, - case - when password_last_used + '7 days'::interval > now() then 'alarm' - else 'ok' - end as status, - case - when password_last_used + '7 days'::interval > now() then 'root user has been used recently (it is better to minimize root user usage)' - else 'root user has not been used recently' - end as reason, - region, - account_id - from - aws_iam_credential_report - where - user_name = '' + QueryToExecute: "select\n (user_name || ' in account ' || account_id) as resource,\n og_account_id,\n og_resource_id,\n case\n when password_last_used + '7 days'::interval > now() then 'alarm'\n else 'ok'\n end as status,\n case\n when password_last_used + '7 days'::interval > now() then 'root user has been used recently (it is better to minimize root user usage)'\n else 'root user has not been used recently'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_credential_report\nwhere\n user_name = ''\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_root_mfa_enabled.yaml b/compliance/controls/baseline/aws/IAM/aws_root_mfa_enabled.yaml index 0c455216a..866497ce1 100755 
--- a/compliance/controls/baseline/aws/IAM/aws_root_mfa_enabled.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_root_mfa_enabled.yaml @@ -1,40 +1,22 @@ ID: aws_root_mfa_enabled Title: "Root MFA Enabled" Description: "Ensure that Multi-Factor Authentication (MFA) is enabled for your AWS root account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - (user_name || ' in account ' || account_id) as resource, - og_account_id, - og_resource_id, - case - when mfa_active::bool then 'ok' - else 'alarm' - end as status, - case - when mfa_active::bool then 'mfa is active for root account' - else 'mfa is not active for root account' - end as reason, - region, - account_id - from - aws_iam_credential_report - where - user_name = '' + QueryToExecute: "select\n (user_name || ' in account ' || account_id) as resource,\n og_account_id,\n og_resource_id,\n case\n when mfa_active::bool then 'ok'\n else 'alarm'\n end as status,\n case\n when mfa_active::bool then 'mfa is active for root account'\n else 'mfa is not active for root account'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_credential_report\nwhere\n user_name = ''\n" PrimaryTable: aws_iam_credential_report ListOfTables: - - aws_iam_credential_report + - aws_iam_credential_report Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_45_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_45_days.yaml index 82c8b1d45..c5feb25be 100755 
--- a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_45_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_45_days.yaml @@ -1,34 +1,18 @@ ID: aws_ssh_public_keys_rotated_45_days Title: "SSH Public Keys Rotated 45 Days" Description: "Ensure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - ssh_public_key_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN now() - update_date > '45 days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN now() - update_date > '45 days'::interval THEN 'ssh key is too old and should be removed' - ELSE 'ssh key is not too old' - END AS reason, - region, - account_id - FROM - aws_iam_ssh_public_key + QueryToExecute: "SELECT \n ssh_public_key_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN now() - update_date > '45 days'::interval THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN now() - update_date > '45 days'::interval THEN 'ssh key is too old and should be removed' \n ELSE 'ssh key is not too old'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_ssh_public_key\n" PrimaryTable: aws_iam_ssh_public_key ListOfTables: - - aws_iam_ssh_public_key + - aws_iam_ssh_public_key Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_90_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_90_days.yaml index 5993082f2..2f0a1b0b5 100755 --- a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_90_days.yaml 
+++ b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_90_days.yaml @@ -1,34 +1,18 @@ ID: aws_ssh_public_keys_rotated_90_days Title: "SSH Public Keys Rotated 90 Days" Description: "Ensure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - ssh_public_key_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN now() - update_date > '90 days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN now() - update_date > '90 days'::interval THEN 'ssh key is too old and should be removed' - ELSE 'ssh key is not too old' - END AS reason, - region, - account_id - FROM - aws_iam_ssh_public_key + QueryToExecute: "SELECT \n ssh_public_key_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN now() - update_date > '90 days'::interval THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN now() - update_date > '90 days'::interval THEN 'ssh key is too old and should be removed' \n ELSE 'ssh key is not too old'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_ssh_public_key\n" PrimaryTable: aws_iam_ssh_public_key ListOfTables: - - aws_iam_ssh_public_key + - aws_iam_ssh_public_key Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_x_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_x_days.yaml index eefeeecad..bf6904e29 100755 --- a/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_x_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ssh_public_keys_rotated_x_days.yaml 
@@ -1,36 +1,20 @@ ID: aws_ssh_public_keys_rotated_x_days Title: "SSH Public Keys Rotated X Days" Description: "Ensure IAM SSH public keys are rotated on a periodic basis to adhere to AWS security best practices." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - ssh_public_key_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN now() - update_date > '{{.awsSshPublicKeyRotateDays}} days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN now() - update_date > '{{.awsSshPublicKeyRotateDays}} days'::interval THEN 'ssh key is too old and should be removed' - ELSE 'ssh key is not too old' - END AS reason, - region, - account_id - FROM - aws_iam_ssh_public_key + QueryToExecute: "SELECT \n ssh_public_key_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN now() - update_date > '{{.awsSshPublicKeyRotateDays}} days'::interval THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN now() - update_date > '{{.awsSshPublicKeyRotateDays}} days'::interval THEN 'ssh key is too old and should be removed' \n ELSE 'ssh key is not too old'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_ssh_public_key\n" PrimaryTable: aws_iam_ssh_public_key ListOfTables: - - aws_iam_ssh_public_key + - aws_iam_ssh_public_key Parameters: - Key: awsSshPublicKeyRotateDays Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_30_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_30_days.yaml index aef7bfcd3..61f9bcd1f 100755 --- a/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_30_days.yaml 
+++ b/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_30_days.yaml @@ -1,39 +1,22 @@ ID: aws_ssl_tls_certificate_expiry_30_days Title: "SSL/TLS Certificate Expiry 30 Days" Description: "Ensure SSL/TLS certificates are renewed before their expiration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN expiration - '30 days'::interval < now() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < now() THEN 'certificate has been expired' - WHEN expiration - '30 days'::interval < now() THEN 'certificate is about to expire in ' || expiration - ELSE 'certificate is not going to expire soon' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN expiration - '30 days'::interval < now() THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN expiration < now() THEN 'certificate has been expired'\n WHEN expiration - '30 days'::interval < now() THEN 'certificate is about to expire in ' || expiration \n ELSE 'certificate is not going to expire soon'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_server_certificate\n" PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
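Review bot: `'certificate is about to expire in ' || expiration` appends a timestamp after "in", so the message reads "expire in 2025-…"; `' expires on ' || expiration` or a computed remaining interval (`expiration - now()`) reads correctly. The same wording appears in the aws_ssl_tls_certificate_expiry_x_days hunk below.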
diff --git a/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_x_days.yaml b/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_x_days.yaml index a71c5d159..925fc0861 100755 --- a/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_x_days.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_ssl_tls_certificate_expiry_x_days.yaml 
@@ -1,41 +1,24 @@ ID: aws_ssl_tls_certificate_expiry_x_days Title: "SSL/TLS Certificate Expiry X Days" Description: "Ensure SSL/TLS certificates are renewed before their expiration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN expiration - ('{{.awsIamServerCertificateAge}}' || ' days')::interval < now() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN expiration < now() THEN 'certificate has been expired' - WHEN expiration - ('{{.awsIamServerCertificateAge}}' || ' days')::interval < now() THEN 'certificate is about to expire in ' || expiration - ELSE 'certificate is not going to expire soon' - END AS reason, - region, - account_id - FROM - aws_iam_server_certificate + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN expiration - ('{{.awsIamServerCertificateAge}}' || ' days')::interval < now() THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN expiration < now() THEN 'certificate has been expired'\n WHEN expiration - ('{{.awsIamServerCertificateAge}}' || ' days')::interval < now() THEN 'certificate is about to expire in ' || expiration \n ELSE 'certificate is not going to expire soon'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_server_certificate\n" PrimaryTable: aws_iam_server_certificate ListOfTables: - - aws_iam_server_certificate + - aws_iam_server_certificate Parameters: - Key: awsIamServerCertificateAge Required: true Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
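Review bot: `('{{.awsIamServerCertificateAge}}' || ' days')::interval` substitutes the parameter as raw text inside a SQL string literal, so an empty or non-numeric value (or one containing a quote) would presumably fail the whole statement at run time rather than being rejected up front, and the expression is duplicated in the status and reason branches. Validating `awsIamServerCertificateAge` as a positive integer before the template is rendered would give a clear error; in the SQL itself an explicit cast such as `make_interval(days => '{{.awsIamServerCertificateAge}}'::int)` (if the engine is Postgres-compatible, which the `::interval` syntax suggests) documents the expected type. The same textual interpolation pattern is used by aws_unapproved_iam_policy_in_use (`awsUnapprovedIamPolicies`) and aws_valid_iam_identity_providers (`awsTrustedEndpoints`), whose matching logic is covered separately.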
diff --git a/compliance/controls/baseline/aws/IAM/aws_unapproved_iam_policy_in_use.yaml b/compliance/controls/baseline/aws/IAM/aws_unapproved_iam_policy_in_use.yaml
index bd3541f17..db269e324 100755
--- a/compliance/controls/baseline/aws/IAM/aws_unapproved_iam_policy_in_use.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_unapproved_iam_policy_in_use.yaml
@@ -1,41 +1,24 @@ ID: aws_unapproved_iam_policy_in_use Title: "Unapproved IAM Policy in Use" Description: "Ensure there are no unapproved AWS Identity and Access Management (IAM) policies in use." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - name as resource, - og_account_id, - og_resource_id, - case - when attachment_count > 0 and '{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%' then 'alarm' - else 'ok' - end as status, - case - when attachment_count > 0 and '{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%' then name || ' is an unapproved iam policy which is being used' - when attachment_count > 0 then name || ' is not unapproved' - else name || ' is not being used' - end as reason, - region, - account_id - from - aws_iam_policy + QueryToExecute: "select\n name as resource,\n og_account_id,\n og_resource_id,\n case\n when attachment_count > 0 and '{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%' then 'alarm'\n else 'ok'\n end as status,\n case\n when attachment_count > 0 and '{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%' then name || ' is an unapproved iam policy which is being used'\n when attachment_count > 0 then name || ' is not unapproved'\n else name || ' is not being used'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_policy\n" PrimaryTable: aws_iam_policy ListOfTables: - - aws_iam_policy + - aws_iam_policy Parameters: - Key: awsUnapprovedIamPolicies Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
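Review bot: `'{{.awsUnapprovedIamPolicies}}' LIKE '%' || name || '%'` tests substring containment rather than list membership, so a policy whose name is a substring of any listed name (for instance `ReadOnly` against a list containing `S3ReadOnlyAccess`) is reported as unapproved, and `%` or `_` characters in a policy name act as LIKE wildcards. If the parameter is a comma-separated list of names, exact matching is `name = ANY(string_to_array('{{.awsUnapprovedIamPolicies}}', ','))` (assuming a Postgres-compatible engine), applied in both the status and reason branches. The `Parameters` entry says nothing about the expected format; a comment such as `# comma-separated list of exact IAM policy names` next to `- Key: awsUnapprovedIamPolicies` would make the contract explicit.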
diff --git a/compliance/controls/baseline/aws/IAM/aws_unnecessary_access_keys.yaml b/compliance/controls/baseline/aws/IAM/aws_unnecessary_access_keys.yaml
index 4d94acc5d..fe1e34d17 100755
--- a/compliance/controls/baseline/aws/IAM/aws_unnecessary_access_keys.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_unnecessary_access_keys.yaml
@@ -1,40 +1,23 @@ ID: aws_unnecessary_access_keys Title: "Unnecessary Access Keys" Description: "Ensure there is a maximum of one active access key pair available for any single IAM user." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - u.name as resource, - u.og_account_id, - u.og_resource_id, - case - when (select count(*) from aws_iam_access_key as k where u.name = k.user_name) > 1 then 'alarm' - else 'ok' - end as status, - case - when (select count(*) from aws_iam_access_key as k where u.name = k.user_name) > 1 then u.name || ' user has more than one access keys' - when (select count(*) from aws_iam_access_key as k where u.name = k.user_name) = 1 then u.name || ' user has only one access key' - else u.name || ' user has no access key' - end as reason, - u.region, - u.account_id - from - aws_iam_user as u + QueryToExecute: "select\n u.name as resource,\n u.og_account_id,\n u.og_resource_id,\n case\n when (select count(*) from aws_iam_access_key as k where u.name = k.user_name) > 1 then 'alarm'\n else 'ok'\n end as status,\n case\n when (select count(*) from aws_iam_access_key as k where u.name = k.user_name) > 1 then u.name || ' user has more than one access keys'\n when (select count(*) from aws_iam_access_key as k where u.name = k.user_name) = 1 then u.name || ' user has only one access key'\n else u.name || ' user has no access key'\n end as reason,\n u.region, \n u.account_id\nfrom\n aws_iam_user as u\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_access_key - - aws_iam_user + - aws_iam_access_key + - aws_iam_user Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - 
aws_cloud
diff --git a/compliance/controls/baseline/aws/IAM/aws_unnecessary_ssh_public_keys.yaml b/compliance/controls/baseline/aws/IAM/aws_unnecessary_ssh_public_keys.yaml
index 47829b7fa..f7a99b349 100755
--- a/compliance/controls/baseline/aws/IAM/aws_unnecessary_ssh_public_keys.yaml
+++ b/compliance/controls/baseline/aws/IAM/aws_unnecessary_ssh_public_keys.yaml
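Review bot: `(select count(*) from aws_iam_access_key as k where u.name = k.user_name) > 1` in aws_unnecessary_access_keys counts keys regardless of their state, so a user with one active and one inactive key raises 'alarm' although the Description only requires a maximum of one active access key pair. If the table exposes the key status, the subquery should filter it the way the sibling aws_unnecessary_ssh_public_keys control does: `where u.name = k.user_name and k.status = 'Active'`. The subquery is also repeated three times across the status and reason branches; a grouped CTE as in that sibling control would evaluate it once.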
@@ -1,51 +1,23 @@ ID: aws_unnecessary_ssh_public_keys Title: "Unnecessary SSH Public Keys" Description: "Ensure there is a maximum of one active SSH public keys assigned to any single IAM user." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with active_count AS ( - select - user_name, - count(*) - from - aws_iam_ssh_public_key - where - status = 'Active' - group by - user_name - ) - SELECT - arn as resource, - og_resource_id, - og_account_id, - CASE - WHEN c.count > 1 THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN c.count > 1 THEN u.name || ' has more than one active ssh key' - ELSE u.name || ' does not have more than one active ssh key' - END AS reason, - region, - account_id - FROM - aws_iam_user AS u - left join active_count AS c ON u.name = c.user_name; + QueryToExecute: "with active_count AS (\n select \n user_name, \n count(*) \n from \n aws_iam_ssh_public_key \n where \n status = 'Active' \n group by \n user_name\n)\nSELECT \n arn as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN c.count > 1 THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN c.count > 1 THEN u.name || ' has more than one active ssh key'\n ELSE u.name || ' does not have more than one active ssh key'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_user AS u\n left join active_count AS c ON u.name = c.user_name;\n" PrimaryTable: aws_iam_user ListOfTables: - - aws_iam_ssh_public_key - - aws_iam_user + - aws_iam_ssh_public_key + - aws_iam_user Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/IAM/aws_unused_iam_group.yaml b/compliance/controls/baseline/aws/IAM/aws_unused_iam_group.yaml index da72ae145..96e3add0e 100755 --- a/compliance/controls/baseline/aws/IAM/aws_unused_iam_group.yaml +++ b/compliance/controls/baseline/aws/IAM/aws_unused_iam_group.yaml @@ -1,38 +1,22 @@ ID: aws_unused_iam_group Title: "Unused IAM Group" Description: "Ensure all IAM groups have at least one user." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - name as resource, - og_account_id, - og_resource_id, - case - when users is null then 'alarm' - else 'ok' - end as status, - case - when users is null then name || ' group is unused and should be removed' - else name || ' group is being used' - end as reason, - region, - account_id - from - aws_iam_group + QueryToExecute: "select\n name as resource,\n og_account_id,\n og_resource_id,\n case\n when users is null then 'alarm'\n else 'ok'\n end as status,\n case\n when users is null then name || ' group is unused and should be removed'\n else name || ' group is being used'\n end as reason,\n region, \n account_id\nfrom\n aws_iam_group\n" PrimaryTable: aws_iam_group ListOfTables: - - aws_iam_group + - aws_iam_group Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/IAM/aws_valid_iam_identity_providers.yaml b/compliance/controls/baseline/aws/IAM/aws_valid_iam_identity_providers.yaml index 78aa1e3e1..d45c8e28c 100755 --- a/compliance/controls/baseline/aws/IAM/aws_valid_iam_identity_providers.yaml 
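Review bot: `when users is null then 'alarm'` in aws_unused_iam_group treats only a NULL `users` value as an empty group, so if the column holds an empty JSON array for a group with no members the control reports 'ok'. If `users` is a jsonb array, the test in both the status and reason branches should be `when users is null or jsonb_array_length(users) = 0 then 'alarm'`. Whether the empty-array case can occur is not visible here and should be confirmed against the table schema.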
+++ b/compliance/controls/baseline/aws/IAM/aws_valid_iam_identity_providers.yaml 
@@ -1,51 +1,24 @@ ID: aws_valid_iam_identity_providers Title: "Valid IAM Identity Providers" Description: "Ensure valid IAM Identity Providers are used within your AWS account for secure user authentication and authorization." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with locations AS ( - SELECT - og_resource_id, unnest(xpath('/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location', unnest(xpath('/md:EntityDescriptor', saml_metadata_document::xml, ARRAY[ARRAY['md', 'urn:oasis:names:tc:SAML:2.0:metadata']])), ARRAY[ARRAY['md', 'urn:oasis:names:tc:SAML:2.0:metadata']]))::text as location - FROM aws_iam_saml_provider - ) - SELECT - arn as resource, - og_resource_id, - og_account_id, - saml_metadata_document, - CASE - WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'ok' - WHEN EXISTS ( - select 1 from locations as l where l.og_resource_id = p.og_resource_id and l.location not like '{{.awsTrustedEndpoints}}' - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'trusted endpoints not provided' - WHEN EXISTS ( - select 1 from locations as l where l.og_resource_id = p.og_resource_id and l.location not like '{{.awsTrustedEndpoints}}') THEN 'location is not inside trusted endpoints' - ELSE 'is inside trusted endpoints' - END AS reason, - region, - account_id - FROM - aws_iam_saml_provider AS p + QueryToExecute: "with locations AS (\n SELECT\n og_resource_id, unnest(xpath('/md:EntityDescriptor/md:IDPSSODescriptor/md:SingleLogoutService/@Location', unnest(xpath('/md:EntityDescriptor', saml_metadata_document::xml, ARRAY[ARRAY['md', 'urn:oasis:names:tc:SAML:2.0:metadata']])), ARRAY[ARRAY['md', 'urn:oasis:names:tc:SAML:2.0:metadata']]))::text as location\n FROM aws_iam_saml_provider\n)\nSELECT \n arn as resource,\n og_resource_id,\n og_account_id,\n saml_metadata_document,\n CASE\n WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'ok'\n WHEN EXISTS (\n select 1 from locations as l where 
l.og_resource_id = p.og_resource_id and l.location not like '{{.awsTrustedEndpoints}}'\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'trusted endpoints not provided'\n WHEN EXISTS (\n select 1 from locations as l where l.og_resource_id = p.og_resource_id and l.location not like '{{.awsTrustedEndpoints}}') THEN 'location is not inside trusted endpoints'\n ELSE 'is inside trusted endpoints'\n END AS reason,\n region,\n account_id\nFROM \n aws_iam_saml_provider AS p\n" PrimaryTable: aws_iam_saml_provider ListOfTables: - - aws_iam_saml_provider + - aws_iam_saml_provider Parameters: - Key: awsTrustedEndpoints Required: true Severity: high Tags: platform_score_cloud_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Identity and Access Management (IAM) + - AWS Identity and Access Management (IAM) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificate_expired.yaml b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificate_expired.yaml index 80d572d9c..28d967c91 100755 --- a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificate_expired.yaml +++ b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificate_expired.yaml 
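Review bot: `WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'ok'` is fail-open: leaving the required parameter empty makes every SAML provider pass the control, with the reason 'trusted endpoints not provided' as the only trace. The sibling aws_acm_certificates_validity control uses `'skip'` for cases it cannot evaluate, so `WHEN '{{.awsTrustedEndpoints}}' = '' THEN 'skip'` would keep the result from counting as compliant. Separately, the `locations` CTE extracts only `md:SingleLogoutService/@Location`; the `md:SingleSignOnService` endpoint of the IDPSSODescriptor, which is the one used for authentication, is never compared against the trusted pattern and should be unnested alongside the logout endpoint. `saml_metadata_document` is also returned as a result column although neither status nor reason uses it, which needlessly bloats the output.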
@@ -1,38 +1,22 @@ ID: aws_acm_certificate_expired Title: "ACM Certificate Expired" Description: "Ensure expired SSL/TLS certificates are removed from AWS Certificate Manager (ACM)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - certificate_arn as resource, - og_resource_id, - og_account_id, - CASE - WHEN status = 'EXPIRED' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status = 'EXPIRED' THEN 'certificate has been expired' - ELSE 'certificate not expired' - END AS reason, - region, - account_id - FROM - aws_acm_certificate + QueryToExecute: "SELECT \n certificate_arn as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN status = 'EXPIRED' THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN status = 'EXPIRED' THEN 'certificate has been expired' \n ELSE 'certificate not expired'\n END AS reason,\n region,\n account_id\nFROM \n aws_acm_certificate\n" PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Certificate Manager + - AWS Certificate Manager platform_score_use_case: - - Tolerate Failures + - Tolerate Failures score_service_name: - - AWS Certificate Manager + - AWS Certificate Manager score_tags: - - Tolerate Failures + - Tolerate Failures +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_renewal_7_days_before_expiration.yaml b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_renewal_7_days_before_expiration.yaml index eb0135998..79595b971 100755 --- a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_renewal_7_days_before_expiration.yaml +++ b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_renewal_7_days_before_expiration.yaml 
@@ -1,39 +1,22 @@ ID: aws_acm_certificates_renewal_7_days_before_expiration Title: "AWS ACM Certificates Renewal (7 days before expiration)" Description: "Ensure Amazon Certificate Manager (ACM) certificates are renewed before their expiration." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - certificate_arn as resource, - og_resource_id, - og_account_id, - CASE - WHEN not_after - '7 days'::interval < now() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN not_after < now() THEN 'certificate has been expired' - WHEN not_after - '7 days'::interval < now() THEN 'certificate is about to expire in ' || not_after - ELSE 'certificate is not going to expire soon' - END AS reason, - region, - account_id - FROM - aws_acm_certificate + QueryToExecute: "SELECT \n certificate_arn as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN not_after - '7 days'::interval < now() THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN not_after < now() THEN 'certificate has been expired'\n WHEN not_after - '7 days'::interval < now() THEN 'certificate is about to expire in ' || not_after \n ELSE 'certificate is not going to expire soon'\n END AS reason,\n region,\n account_id\nFROM \n aws_acm_certificate\n" PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Certificate Manager + - AWS Certificate Manager platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS Certificate Manager + - AWS Certificate Manager score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_validity.yaml b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_validity.yaml index f35597bb4..6e5acd86f 100755 
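Review bot: `platform_score_use_case` and `score_tags` carry `Unencrypted Storage` for a certificate-renewal control, while the neighbouring acm_certificate controls (expired, validity, wildcard) tag the same concern as `Tolerate Failures`. Unless the scoring taxonomy intends otherwise, both entries should read `- Tolerate Failures` so an expiring certificate is scored with the other availability findings. The 7-day window is also much tighter than the 30 days used for IAM server certificates in aws_ssl_tls_certificate_expiry_30_days; if that difference is deliberate, a comment on `Severity: high` saying so would help the next maintainer.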
--- a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_validity.yaml +++ b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_validity.yaml @@ -1,40 +1,22 @@ ID: aws_acm_certificates_validity Title: "AWS ACM Certificates Validity" Description: "Ensure expired SSL/TLS certificates are removed from AWS Certificate Manager (ACM)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - certificate_arn as resource, - og_resource_id, - og_account_id, - CASE - WHEN status = 'EXPIRED' then 'skip' - WHEN status = 'PENDING_VALIDATION' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status = 'EXPIRED' then 'certificate has been expired' - WHEN status = 'PENDING_VALIDATION' THEN 'certificate validation is pending' - ELSE 'certificate has been validated' - END AS reason, - region, - account_id - FROM - aws_acm_certificate + QueryToExecute: "SELECT \n certificate_arn as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN status = 'EXPIRED' then 'skip'\n WHEN status = 'PENDING_VALIDATION' THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN status = 'EXPIRED' then 'certificate has been expired'\n WHEN status = 'PENDING_VALIDATION' THEN 'certificate validation is pending' \n ELSE 'certificate has been validated'\n END AS reason,\n region,\n account_id\nFROM \n aws_acm_certificate\n" PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Certificate Manager + - AWS Certificate Manager platform_score_use_case: - - Tolerate Failures + - Tolerate Failures score_service_name: - - AWS Certificate Manager + - AWS Certificate Manager score_tags: - - Tolerate Failures + - Tolerate Failures +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_with_wildcard_domain_names.yaml b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_with_wildcard_domain_names.yaml index dc9610bfc..1b1b40b93 100755 --- a/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_with_wildcard_domain_names.yaml +++ b/compliance/controls/baseline/aws/acm_certificate/aws_acm_certificates_with_wildcard_domain_names.yaml @@ -1,38 +1,22 @@ ID: aws_acm_certificates_with_wildcard_domain_names Title: "AWS ACM Certificates with Wildcard Domain Names" Description: "Ensure that wildcard certificates issued by Amazon Certificate Manager (ACM) or imported to ACM are not in use." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - certificate_arn as resource, - og_resource_id, - og_account_id, - CASE - WHEN domain_name LIKE '*%' then 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN domain_name LIKE '*%' then 'wildcard domain name certificate is used' - ELSE 'single domain name certificate is used' - END AS reason, - region, - account_id - FROM - aws_acm_certificate + QueryToExecute: "SELECT \n certificate_arn as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN domain_name LIKE '*%' then 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN domain_name LIKE '*%' then 'wildcard domain name certificate is used'\n ELSE 'single domain name certificate is used'\n END AS reason,\n region,\n account_id\nFROM \n aws_acm_certificate\n" PrimaryTable: aws_acm_certificate ListOfTables: - - aws_acm_certificate + - aws_acm_certificate Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Certificate Manager + - AWS Certificate Manager platform_score_use_case: - - Tolerate Failures + - Tolerate Failures score_service_name: - - AWS Certificate Manager + - AWS Certificate Manager score_tags: - - Tolerate Failures + - Tolerate Failures +IntegrationTypeName: + - aws_cloud 
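Review bot: `WHEN domain_name LIKE '*%' then 'alarm'` in aws_acm_certificates_with_wildcard_domain_names inspects only the certificate's primary domain name, so a certificate whose primary name is specific but whose subject alternative names include a wildcard entry reads as 'single domain name certificate is used'. If the table exposes the subject alternative names, the condition should also scan them, e.g. `or exists (select 1 from jsonb_array_elements_text(subject_alternative_names) as san where san like '*%')` (column name and type to be confirmed against the schema). The condition is duplicated in the status and reason branches and needs the change in both places.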
diff --git a/compliance/controls/baseline/aws/backup/aws_backup_service_lifecycle_configuration.yaml b/compliance/controls/baseline/aws/backup/aws_backup_service_lifecycle_configuration.yaml index 772520bec..6e9df8219 100755 --- a/compliance/controls/baseline/aws/backup/aws_backup_service_lifecycle_configuration.yaml +++ b/compliance/controls/baseline/aws/backup/aws_backup_service_lifecycle_configuration.yaml @@ -1,8 +1,6 @@ ID: aws_backup_service_lifecycle_configuration Title: "AWS Backup Service Lifecycle Configuration" Description: "Ensure Amazon Backup plans have a compliant lifecycle configuration enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -27,7 +25,7 @@ Query: jsonb_array_elements(rules) as r PrimaryTable: aws_backup_plan ListOfTables: - - aws_backup_plan + - aws_backup_plan Parameters: - Key: awsBackupPlanDeleteAfterDays Required: true @@ -36,6 +34,8 @@ Query: Severity: medium Tags: platform_score_cloud_service_name: - - AWS Backup + - AWS Backup score_service_name: - - AWS Backup + - AWS Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_check_for_protected_amazon_backup_resource_types.yaml b/compliance/controls/baseline/aws/backup/aws_check_for_protected_amazon_backup_resource_types.yaml index 063a3eedb..35d8082e6 100755 --- a/compliance/controls/baseline/aws/backup/aws_check_for_protected_amazon_backup_resource_types.yaml +++ b/compliance/controls/baseline/aws/backup/aws_check_for_protected_amazon_backup_resource_types.yaml @@ -1,8 +1,6 @@ ID: aws_check_for_protected_amazon_backup_resource_types Title: "Check for Protected Amazon Backup Resource Types" Description: "Ensure that the appropriate resource types are protected by Amazon Backup within your AWS account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -24,13 +22,15 @@ Query: aws_backup_region_settings PrimaryTable: aws_backup_region_settings ListOfTables: - - aws_backup_region_settings + - aws_backup_region_settings Parameters: - Key: awsBackupResourceTypeOptInPreference Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Backup + - AWS Backup score_service_name: - - AWS Backup + - AWS Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_configure_aws_backup_vault_access_policy.yaml b/compliance/controls/baseline/aws/backup/aws_configure_aws_backup_vault_access_policy.yaml index 424e1aeff..ed54a4645 100755 --- a/compliance/controls/baseline/aws/backup/aws_configure_aws_backup_vault_access_policy.yaml +++ b/compliance/controls/baseline/aws/backup/aws_configure_aws_backup_vault_access_policy.yaml @@ -1,8 +1,6 @@ ID: aws_configure_aws_backup_vault_access_policy Title: "Configure AWS Backup Vault Access Policy" Description: "Prevent deletion of backups using an Amazon Backup vault resource-based access policy." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -34,15 +32,17 @@ Query: aws_backup_vault PrimaryTable: aws_backup_vault ListOfTables: - - aws_backup_vault + - aws_backup_vault Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Backup + - AWS Backup platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Backup + - AWS Backup score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml b/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml index 08da38e74..ab72246ba 100755 --- a/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml 
+++ b/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml 
@@ -1,45 +1,23 @@ ID: aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days Title: "Dynamodb Instances have backup with lifecyclepolicy above 35 days" Description: "Ensure all DynamoDB are covered by a backup plan with a minimum of Life Cycle Policy 35 days" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '35 days'::interval and (lifecycle ->> 'DeleteAfterDays')::INT >= 35 - and resource_type = 'DynamoDB' and status = 'COMPLETED') - - select - t.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when p.recovery_point_arn is null then 'alarm' - else 'ok' - end as status, - case - when p.recovery_point_arn is null then 'lacks a backup configuration with a minimum of 35 days' - else '' - end as reason - , region, account_id - from - aws_dynamodb_table as t - left join points as p on t.arn = p.resource_arn + QueryToExecute: "WITH points AS (\n SELECT recovery_point_arn, resource_arn\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '35 days'::interval and (lifecycle ->> 'DeleteAfterDays')::INT >= 35 \n and resource_type = 'DynamoDB' and status = 'COMPLETED')\n\nselect\n t.arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when p.recovery_point_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when p.recovery_point_arn is null then 'lacks a backup configuration with a minimum of 35 days'\n else ''\n end as reason\n , region, account_id \nfrom \n aws_dynamodb_table as t\n left join points as p on t.arn = p.resource_arn\n" PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_backup_recovery_point - - aws_dynamodb_table + - aws_backup_recovery_point + - aws_dynamodb_table Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Amazon DynamoDB + - Amazon DynamoDB 
platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - Amazon DynamoDB + - Amazon DynamoDB score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_withing_48_hours.yaml b/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_withing_48_hours.yaml index c963b6726..ccd92bd0c 100755 --- a/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_withing_48_hours.yaml +++ b/compliance/controls/baseline/aws/backup/aws_dynamodb_instances_have_backup_withing_48_hours.yaml 
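Review bot: `(lifecycle ->> 'DeleteAfterDays')::INT >= 35` evaluates to NULL when a recovery point's lifecycle has no `DeleteAfterDays` entry, so a table whose backups are retained indefinitely is excluded from `points` and reported as 'lacks a backup configuration with a minimum of 35 days'; if that lifecycle shape can occur, the filter should read `and ((lifecycle ->> 'DeleteAfterDays') is null or (lifecycle ->> 'DeleteAfterDays')::INT >= 35)`. The `else ''` branch leaves the reason empty for compliant tables, which every other control in this diff fills in; something like `else 'has a completed backup retained for at least 35 days'` keeps the output uniform. Both points apply equally to aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days, and the empty reason also to aws_dynamodb_instances_have_backup_withing_48_hours.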
@@ -1,45 +1,23 @@ ID: aws_dynamodb_instances_have_backup_withing_48_hours Title: "Dynamodb Instances have backup withing 48 hours" Description: "Ensure all Dynamodb have a minimum of one restore point time in the last 48 hrs" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '48 hours'::interval - and resource_type = 'DynamoDB' and status = 'COMPLETED') - - select - t.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when p.recovery_point_arn is null then 'alarm' - else 'ok' - end as status, - case - when p.recovery_point_arn is null then 'lacks a backup with last 48 hours' - else '' - end as reason - , region, account_id - from - aws_dynamodb_table as t - left join points as p on t.arn = p.resource_arn + QueryToExecute: "WITH points AS (\n SELECT recovery_point_arn, resource_arn\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '48 hours'::interval \n and resource_type = 'DynamoDB' and status = 'COMPLETED')\n\nselect\n t.arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when p.recovery_point_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when p.recovery_point_arn is null then 'lacks a backup with last 48 hours'\n else ''\n end as reason\n , region, account_id \nfrom \n aws_dynamodb_table as t\n left join points as p on t.arn = p.resource_arn\n" PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_backup_recovery_point - - aws_dynamodb_table + - aws_backup_recovery_point + - aws_dynamodb_table Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Amazon DynamoDB + - Amazon DynamoDB platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - Amazon DynamoDB + - Amazon DynamoDB score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - 
aws_cloud
diff --git a/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml b/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml
index 6b348e878..62f3146ef 100755
--- a/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml
+++ b/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml
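Review bot: `Title: "Dynamodb Instances have backup withing 48 hours"` and the Description in aws_dynamodb_instances_have_backup_withing_48_hours misspell "within"; since the `ID` and the file name carry the same spelling and are likely referenced elsewhere, only the two wording strings should change, e.g. `Title: "DynamoDB instances have a backup within 48 hours"` and `Description: "Ensure every DynamoDB table has at least one completed restore point created in the last 48 hours"`. The query itself (a COMPLETED recovery point with `creation_date` inside `'48 hours'::interval`) already matches that wording.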
@@ -1,45 +1,23 @@ ID: aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days Title: "EBS Instances have backup with lifecyclepolicy above 35 days" Description: "Ensure all EBS are covered by a backup plan with a minimum of Life Cycle Policy 35 days" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '35 days'::interval and (lifecycle ->> 'DeleteAfterDays')::INT >= 35 - and resource_type = 'EBS' and status = 'COMPLETED') - - select - v.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when p.recovery_point_arn is null then 'alarm' - else 'ok' - end as status, - case - when p.recovery_point_arn is null then 'lacks a backup configuration with a minimum of 35 days' - else '' - end as reason - , region, account_id - from - aws_ebs_volume as v - left join points as p on v.arn = p.resource_arn + QueryToExecute: "WITH points AS (\n SELECT recovery_point_arn, resource_arn\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '35 days'::interval and (lifecycle ->> 'DeleteAfterDays')::INT >= 35 \n and resource_type = 'EBS' and status = 'COMPLETED')\n\nselect\n v.arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when p.recovery_point_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when p.recovery_point_arn is null then 'lacks a backup configuration with a minimum of 35 days'\n else ''\n end as reason\n , region, account_id \nfrom \n aws_ebs_volume as v\n left join points as p on v.arn = p.resource_arn\n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_backup_recovery_point - - aws_ebs_volume + - aws_backup_recovery_point + - aws_ebs_volume Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - 
Missing Backup + - Missing Backup score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_withing_rpo_period.yaml b/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_withing_rpo_period.yaml index 8e23e5a33..03aaed529 100755 --- a/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_withing_rpo_period.yaml +++ b/compliance/controls/baseline/aws/backup/aws_ebs_instances_have_backup_withing_rpo_period.yaml 
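Review bot: In the `points` CTE, `(lifecycle ->> 'DeleteAfterDays')::INT >= 35` silently discards recovery points whose lifecycle has no `DeleteAfterDays` entry, because the cast yields NULL and the comparison is never true; if, as AWS Backup lifecycle semantics suggest, an absent `DeleteAfterDays` means the point is retained indefinitely, such volumes are wrongly reported as `alarm`. On a PostgreSQL-style engine the `::INT` cast also raises an error rather than filtering when the value is not an integer string. Consider `and (lifecycle ->> 'DeleteAfterDays' is null or (lifecycle ->> 'DeleteAfterDays')::INT >= 35)` and confirm the intended semantics in the control Description; the EC2 and EFS lifecycle hunks below share the same filter.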
@@ -1,54 +1,25 @@ ID: aws_ebs_instances_have_backup_withing_rpo_period Title: "Attached EBS Storage Volumes restoration needs meet RPO Standard" Description: "AWS EBS Storage Volumes that are connected need to have restorable backup within the defined period" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH all_backup AS ( - SELECT recovery_point_arn, resource_arn, creation_date - FROM aws_backup_recovery_point - WHERE now() - creation_date < '2 week'::interval - and resource_type = 'EBS' and status = 'COMPLETED'), - points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '{{.awsEbsInstancesBackupPeriod}} hours'::interval - and resource_type = 'EBS' and status = 'COMPLETED') - - select - v.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when p.recovery_point_arn is null then 'alarm' - else 'ok' - end as status, - case - when p.recovery_point_arn is null and a.recovery_point_arn is null then 'there is no backup for this resource' - when p.recovery_point_arn is null then 'last backup at ' || a.creation_date::text - else '' - end as reason - , region, account_id - from - aws_ebs_volume as v - left join points as p on v.arn = p.resource_arn - left join all_backup as a on v.arn = a.resource_arn + QueryToExecute: "WITH all_backup AS (\n SELECT recovery_point_arn, resource_arn, creation_date\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '2 week'::interval \n and resource_type = 'EBS' and status = 'COMPLETED'),\npoints AS (\n SELECT recovery_point_arn, resource_arn\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '{{.awsEbsInstancesBackupPeriod}} hours'::interval \n and resource_type = 'EBS' and status = 'COMPLETED')\n\nselect\n v.arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when p.recovery_point_arn is null then 'alarm'\n else 'ok'\n end as status,\n 
case\n when p.recovery_point_arn is null and a.recovery_point_arn is null then 'there is no backup for this resource'\n when p.recovery_point_arn is null then 'last backup at ' || a.creation_date::text\n else ''\n end as reason\n , region, account_id \nfrom \n aws_ebs_volume as v\n left join points as p on v.arn = p.resource_arn\n left join all_backup as a on v.arn = a.resource_arn\n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_backup_recovery_point - - aws_ebs_volume + - aws_backup_recovery_point + - aws_ebs_volume Parameters: - Key: awsEbsInstancesBackupPeriod Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml b/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml index c3372a94b..340173892 100755 --- a/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml +++ b/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml 
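Review bot: `'{{.awsEbsInstancesBackupPeriod}} hours'::interval` splices the parameter value into the SQL text before it is parsed, yet the `Parameters` entry only says `Required: true` with no type or description, so a non-numeric value breaks (or changes) the query at run time instead of failing parameter validation; I cannot see from this diff whether the platform validates parameter types, so that should be confirmed. At minimum the entry should document the expected shape, e.g. a comment above it: `# integer number of hours; substituted verbatim into the interval literal in QueryToExecute`. The RDS restore-time hunk below uses `{{.awsRdsBaselineRestorableTimeInHrs}}` the same way.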
@@ -1,45 +1,23 @@ ID: aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days Title: "EC2 Instances have backup with lifecyclepolicy above 35 days" Description: "Ensure all EC2 are covered by a backup plan with a minimum of Life Cycle Policy 35 days" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '35 days'::interval and (lifecycle ->> 'DeleteAfterDays')::INT >= 35 - and resource_type = 'EC2' and status = 'COMPLETED') - - select - i.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when p.recovery_point_arn is null then 'alarm' - else 'ok' - end as status, - case - when p.recovery_point_arn is null then 'lacks a backup configuration with a minimum of 35 days' - else '' - end as reason - , region, account_id - from - aws_ec2_instance as i - left join points as p on i.arn = p.resource_arn + QueryToExecute: "WITH points AS (\n SELECT recovery_point_arn, resource_arn\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '35 days'::interval and (lifecycle ->> 'DeleteAfterDays')::INT >= 35 \n and resource_type = 'EC2' and status = 'COMPLETED')\n\nselect\n i.arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when p.recovery_point_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when p.recovery_point_arn is null then 'lacks a backup configuration with a minimum of 35 days'\n else ''\n end as reason\n , region, account_id \nfrom \n aws_ec2_instance as i\n left join points as p on i.arn = p.resource_arn\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_backup_recovery_point - - aws_ec2_instance + - aws_backup_recovery_point + - aws_ec2_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Missing Backup + - Missing Backup 
score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_withing_48_hours.yaml b/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_withing_48_hours.yaml index cd52f0e95..1a0f36bd8 100755 --- a/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_withing_48_hours.yaml +++ b/compliance/controls/baseline/aws/backup/aws_ec2_instances_have_backup_withing_48_hours.yaml 
@@ -1,56 +1,23 @@ ID: aws_ec2_instances_have_backup_withing_48_hours Title: "Stateful EC2 Instances have operational backup within 48 hours." Description: "Verify that EC2 Instances, excluding shutdowns, spot VMs, and those under 24 hrs old, have at least one restore point in the past 48 hrs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH all_backup AS ( - SELECT recovery_point_arn, resource_arn, creation_date - FROM aws_backup_recovery_point - WHERE now() - creation_date < '48 hours'::interval - and resource_type = 'EC2' and status = 'COMPLETED'), - points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '48 hours'::interval - and resource_type = 'EC2' and status = 'COMPLETED') - select - v.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when p.recovery_point_arn is null then 'alarm' - else 'ok' - end as status, - case - when p.recovery_point_arn is null and a.recovery_point_arn is null then 'there is no backup for this resource' - when p.recovery_point_arn is null then 'last backup at ' || a.creation_date::text - else 'Last backup at ' || a.creation_date::text - end as reason - , region, account_id - from - aws_ec2_instance as v - left join points as p on v.arn = p.resource_arn - left join all_backup as a on v.arn = a.resource_arn - where - v.instance_lifecycle != 'spot' - and instance_state = 'running' - and state_transition_time <= (current_date - interval '24 hours' - ) + QueryToExecute: "WITH all_backup AS (\n SELECT recovery_point_arn, resource_arn, creation_date\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '48 hours'::interval \n and resource_type = 'EC2' and status = 'COMPLETED'),\n points AS (\n SELECT recovery_point_arn, resource_arn\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '48 hours'::interval \n and resource_type = 'EC2' and status = 'COMPLETED')\n select\n v.arn as 
resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when p.recovery_point_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when p.recovery_point_arn is null and a.recovery_point_arn is null then 'there is no backup for this resource'\n when p.recovery_point_arn is null then 'last backup at ' || a.creation_date::text\n else 'Last backup at ' || a.creation_date::text\n end as reason\n , region, account_id \n from \n aws_ec2_instance as v\n left join points as p on v.arn = p.resource_arn\n left join all_backup as a on v.arn = a.resource_arn\n where\n v.instance_lifecycle != 'spot'\n and instance_state = 'running'\n and state_transition_time <= (current_date - interval '24 hours'\n )\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_backup_recovery_point - - aws_ec2_instance + - aws_backup_recovery_point + - aws_ec2_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days.yaml b/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days.yaml index 196c84e77..6c996c3e9 100755 --- a/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days.yaml +++ b/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days.yaml 
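Review bot: The `where` clause uses `state_transition_time <= (current_date - interval '24 hours')`, and `current_date` is today's midnight, so the "under 24 hrs old" exclusion from the Description actually excludes instances that transitioned up to 24–48 hours ago depending on the time of day, inconsistent with the `now()` used in the CTEs; `and state_transition_time <= now() - interval '24 hours'` matches the stated intent. In this file the `all_backup` and `points` CTEs are identical (both `'48 hours'`), so `when p.recovery_point_arn is null then 'last backup at ' || a.creation_date::text` can never fire — whenever `p` is null, `a` is null too — and the reason for failing instances is always `'there is no backup for this resource'` even when an older backup exists. Either widen `all_backup` as the EBS RPO control does, or drop the dead branch.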
@@ -1,45 +1,23 @@ ID: aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days Title: "EFS files have backup with lifecyclepolicy above 35 days" Description: "Ensure all EFS files are covered by a backup plan with a minimum of Life Cycle Policy 35 days" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '35 days'::interval and (lifecycle ->> 'DeleteAfterDays')::INT >= 35 - and resource_type = 'EFS' and status = 'COMPLETED') - - select - f.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when p.recovery_point_arn is null then 'alarm' - else 'ok' - end as status, - case - when p.recovery_point_arn is null then 'lacks a backup configuration with a minimum of 35 days' - else '' - end as reason - , region, account_id - from - aws_efs_file_system as f - left join points as p on f.arn = p.resource_arn + QueryToExecute: "WITH points AS (\n SELECT recovery_point_arn, resource_arn\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '35 days'::interval and (lifecycle ->> 'DeleteAfterDays')::INT >= 35 \n and resource_type = 'EFS' and status = 'COMPLETED')\n\nselect\n f.arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when p.recovery_point_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when p.recovery_point_arn is null then 'lacks a backup configuration with a minimum of 35 days'\n else ''\n end as reason\n , region, account_id \nfrom \n aws_efs_file_system as f\n left join points as p on f.arn = p.resource_arn\n" PrimaryTable: aws_efs_file_system ListOfTables: - - aws_backup_recovery_point - - aws_efs_file_system + - aws_backup_recovery_point + - aws_efs_file_system Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Amazon Elastic File System (EFS) + - Amazon Elastic File System (EFS) 
platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - Amazon Elastic File System (EFS) + - Amazon Elastic File System (EFS) score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_withing_48_hours.yaml b/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_withing_48_hours.yaml index 04d94f55f..89692bc14 100755 --- a/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_withing_48_hours.yaml +++ b/compliance/controls/baseline/aws/backup/aws_efs_files_have_backup_withing_48_hours.yaml 
@@ -1,45 +1,23 @@ ID: aws_efs_files_have_backup_withing_48_hours Title: "EFS files have backup withing 48 hours" Description: "Ensure all EFS files have a minimum of one restore point time in the last 48 hrs" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH points AS ( - SELECT recovery_point_arn, resource_arn - FROM aws_backup_recovery_point - WHERE now() - creation_date < '48 hours'::interval - and resource_type = 'EFS' and status = 'COMPLETED') - - select - f.arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when p.recovery_point_arn is null then 'alarm' - else 'ok' - end as status, - case - when p.recovery_point_arn is null then 'lacks a backup with last 48 hours' - else '' - end as reason - , region, account_id - from - aws_efs_file_system as f - left join points as p on f.arn = p.resource_arn + QueryToExecute: "WITH points AS (\n SELECT recovery_point_arn, resource_arn\n FROM aws_backup_recovery_point \n WHERE now() - creation_date < '48 hours'::interval \n and resource_type = 'EFS' and status = 'COMPLETED')\n\nselect\n f.arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when p.recovery_point_arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when p.recovery_point_arn is null then 'lacks a backup with last 48 hours'\n else ''\n end as reason\n , region, account_id \nfrom \n aws_efs_file_system as f\n left join points as p on f.arn = p.resource_arn\n" PrimaryTable: aws_efs_file_system ListOfTables: - - aws_backup_recovery_point - - aws_efs_file_system + - aws_backup_recovery_point + - aws_efs_file_system Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Amazon Elastic File System (EFS) + - Amazon Elastic File System (EFS) platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - Amazon Elastic File System (EFS) + - Amazon Elastic File System (EFS) score_tags: - - Missing 
Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_enable_alert_notifications_for_failed_backup_jobs.yaml b/compliance/controls/baseline/aws/backup/aws_enable_alert_notifications_for_failed_backup_jobs.yaml index 385aa52c2..8f0016ef5 100755 --- a/compliance/controls/baseline/aws/backup/aws_enable_alert_notifications_for_failed_backup_jobs.yaml +++ b/compliance/controls/baseline/aws/backup/aws_enable_alert_notifications_for_failed_backup_jobs.yaml @@ -1,8 +1,6 @@ ID: aws_enable_alert_notifications_for_failed_backup_jobs Title: "Enable Alert Notifications for Failed Backup Jobs" Description: "Ensure that email notifications for unsuccessful backup jobs are enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_backup_vault PrimaryTable: aws_backup_vault ListOfTables: - - aws_backup_vault + - aws_backup_vault Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Backup + - AWS Backup platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Backup + - AWS Backup score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_rds_database_instances_have_a_minimum_acceptable_backup_policy.yaml b/compliance/controls/baseline/aws/backup/aws_rds_database_instances_have_a_minimum_acceptable_backup_policy.yaml index cb9bff267..59ee4b136 100755 --- a/compliance/controls/baseline/aws/backup/aws_rds_database_instances_have_a_minimum_acceptable_backup_policy.yaml +++ b/compliance/controls/baseline/aws/backup/aws_rds_database_instances_have_a_minimum_acceptable_backup_policy.yaml 
@@ -1,8 +1,6 @@ ID: aws_rds_database_instances_have_a_minimum_acceptable_backup_policy Title: "AWS RDS Database Instances have a minimum acceptable backup policy" Description: "Check for all AWS RDS Database Instances are covered by configured to be backup for a minimum time period" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -21,17 +19,19 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: - Key: awsRdsBaselineRetentionPeriodDays Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time.yaml b/compliance/controls/baseline/aws/backup/aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time.yaml index aa803ee7a..c9a5a41b2 100755 --- a/compliance/controls/baseline/aws/backup/aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time.yaml +++ b/compliance/controls/baseline/aws/backup/aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time.yaml 
@@ -1,52 +1,25 @@ ID: aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time Title: "AWS RDS Database Instances must have a minimum acceptable restore time" Description: "Check for all AWS RDS Database Instances to see if they are meeting the required restore time defined." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - i.arn as resource, - i.og_account_id, - i.og_resource_id, - case - when c.latest_restorable_time is not null then - case - when now() - c.latest_restorable_time < '{{.awsRdsBaselineRestorableTimeInHrs}} hours'::interval then 'ok' - else 'alarm' - end - else - case - when now() - i.latest_restorable_time < '{{.awsRdsBaselineRestorableTimeInHrs}} hours'::interval then 'ok' - else 'alarm' - end - end as status, - case - when c.latest_restorable_time is not null then - i.title || ' backup retention period set to ' || c.latest_restorable_time || '.' - else - i.title || ' backup retention period set to ' || i.latest_restorable_time || '.' 
- end as reason, - i.region, - i.account_id - from - aws_rds_db_instance as i - left join aws_rds_db_cluster as c on i.db_cluster_identifier = c.db_cluster_identifier + QueryToExecute: "select\n i.arn as resource,\n i.og_account_id,\n i.og_resource_id,\n case\n when c.latest_restorable_time is not null then \n case\n when now() - c.latest_restorable_time < '{{.awsRdsBaselineRestorableTimeInHrs}} hours'::interval then 'ok'\n else 'alarm'\n end\n else\n case\n when now() - i.latest_restorable_time < '{{.awsRdsBaselineRestorableTimeInHrs}} hours'::interval then 'ok'\n else 'alarm'\n end\n end as status,\n case\n when c.latest_restorable_time is not null then \n i.title || ' backup retention period set to ' || c.latest_restorable_time || '.'\n else\n i.title || ' backup retention period set to ' || i.latest_restorable_time || '.'\n end as reason,\n i.region,\n i.account_id\n from\n aws_rds_db_instance as i\n left join aws_rds_db_cluster as c on i.db_cluster_identifier = c.db_cluster_identifier\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_cluster - - aws_rds_db_instance + - aws_rds_db_cluster + - aws_rds_db_instance Parameters: - Key: awsRdsBaselineRestorableTimeInHrs Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/backup/aws_use_kms_customer_master_keys_for_aws_backup.yaml b/compliance/controls/baseline/aws/backup/aws_use_kms_customer_master_keys_for_aws_backup.yaml index 5ee2b059f..34c95ed7b 100755 --- a/compliance/controls/baseline/aws/backup/aws_use_kms_customer_master_keys_for_aws_backup.yaml 
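Review bot: The `reason` column concatenates `' backup retention period set to '` with `latest_restorable_time`, which is a timestamp, not a retention period, so the message misdescribes the value it reports; `' latest restorable time is '` would be accurate. When both `c.latest_restorable_time` and `i.latest_restorable_time` are null, the `status` CASE correctly falls through to `'alarm'`, but `i.title || ... || i.latest_restorable_time || '.'` then yields NULL, so the failing row carries no reason; wrapping the timestamp in `coalesce(i.latest_restorable_time::text, 'unknown')` keeps the message populated.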
+++ b/compliance/controls/baseline/aws/backup/aws_use_kms_customer_master_keys_for_aws_backup.yaml @@ -1,8 +1,6 @@ ID: aws_use_kms_customer_master_keys_for_aws_backup Title: "Use KMS Customer Master Keys for AWS Backup" Description: "Ensure that your backups are encrypted at rest using KMS Customer Master Keys (CMKs)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -27,16 +25,18 @@ Query: left join aws_kms_key as k on v.encryption_key_arn = k.arn PrimaryTable: aws_backup_vault ListOfTables: - - aws_backup_vault - - aws_kms_key + - aws_backup_vault + - aws_kms_key Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Backup + - AWS Backup platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Backup + - AWS Backup score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/dynamoDb/aws_unused_dynamodb_table.yaml b/compliance/controls/baseline/aws/dynamoDb/aws_unused_dynamodb_table.yaml index f8346ceb9..2f9c65cd0 100755 --- a/compliance/controls/baseline/aws/dynamoDb/aws_unused_dynamodb_table.yaml +++ b/compliance/controls/baseline/aws/dynamoDb/aws_unused_dynamodb_table.yaml @@ -1,8 +1,6 @@ ID: aws_unused_dynamodb_table Title: "Unused DynamoDb Table" Description: "Identify and remove any unused AWS DynamoDB tables to optimize AWS costs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -28,11 +26,13 @@ Query: aws_dynamodb_table as t PrimaryTable: aws_dynamodb_table ListOfTables: - - aws_dynamodb_table + - aws_dynamodb_table Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Amazon DynamoDB + - Amazon DynamoDB score_service_name: - - Amazon DynamoDB + - Amazon DynamoDB +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted.yaml index 74df89ae6..101f08799 100755 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted.yaml @@ -1,8 +1,6 @@ ID: aws_ebs_encrypted Title: "EBS Volumes need to be encrypted" Description: "Ensure EBS volumes are encrypted to meet security and encryption compliance requirements. Encryption is a key mechanism for you to ensure that you are in full control over who has access to your data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -26,15 +24,17 @@ Query: state = 'in-use' PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted_with_kms_customer_master_keys.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted_with_kms_customer_master_keys.yaml index a6b8b3e32..95af759ff 100755 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted_with_kms_customer_master_keys.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_encrypted_with_kms_customer_master_keys.yaml @@ -1,8 +1,6 @@ ID: aws_ebs_encrypted_with_kms_customer_master_keys Title: "EBS Encrypted With KMS Customer Master Keys" Description: "Ensure EBS volumes are encrypted with CMKs to have full control over encrypting and decrypting data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -27,16 +25,18 @@ Query: left join aws_kms_key as k on v.kms_key_id = k.arn PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume - - aws_kms_key + - aws_ebs_volume + - aws_kms_key Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_public_snapshots.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_public_snapshots.yaml index 560d06c84..126366dd6 100755 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_public_snapshots.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_public_snapshots.yaml @@ -1,8 +1,6 @@ ID: aws_ebs_public_snapshots Title: "Amazon EBS Public Snapshots" Description: "Ensure that your Amazon EBS volume snapshots are not accessible to all AWS accounts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_ebs_snapshot; PrimaryTable: aws_ebs_snapshot ListOfTables: - - aws_ebs_snapshot + - aws_ebs_snapshot Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_snapshot_encrypted.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_snapshot_encrypted.yaml index a2cf52a9c..fad1b336b 100755 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_snapshot_encrypted.yaml 
+++ b/compliance/controls/baseline/aws/ebs/aws_ebs_snapshot_encrypted.yaml @@ -1,8 +1,6 @@ ID: aws_ebs_snapshot_encrypted Title: "EBS Snapshot Encrypted" Description: "Ensure Amazon EBS snapshots are encrypted to meet security and compliance requirements." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_ebs_snapshot; PrimaryTable: aws_ebs_snapshot ListOfTables: - - aws_ebs_snapshot + - aws_ebs_snapshot Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_volume_unused.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_volume_unused.yaml index 1ebd017ac..9567ab4f1 100755 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_volume_unused.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_volume_unused.yaml 
@@ -1,42 +1,22 @@ ID: aws_ebs_volume_unused Title: "Unused EBS Volumes" Description: "Identify any unused Elastic Block Store volumes to improve cost optimization and security." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - og_account_id as og_account_id, - og_resource_id as og_resource_id, - case - when state = 'in-use' then 0 - else (SELECT cost FROM pennywise_cost_estimate where resource_type = 'aws::ec2::volume' and resource_id = v.og_resource_id limit 1) - end as cost_optimization, - case - when state = 'in-use' then 'ok' - else 'alarm' - end as status, - case - when state = 'in-use' then title || ' attached to EC2 instance.' - else title || ' not attached to EC2 instance.' - end as reason - - , region, account_id - from - aws_ebs_volume v + QueryToExecute: "select\n arn as resource,\n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n case\n when state = 'in-use' then 0\n else (SELECT cost FROM pennywise_cost_estimate where resource_type = 'aws::ec2::volume' and resource_id = v.og_resource_id limit 1)\n end as cost_optimization,\n case\n when state = 'in-use' then 'ok'\n else 'alarm'\n end as status,\n case\n when state = 'in-use' then title || ' attached to EC2 instance.'\n else title || ' not attached to EC2 instance.'\n end as reason\n \n , region, account_id\nfrom\n aws_ebs_volume v\n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - Optimization + - Optimization score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Optimization + - Optimization +IntegrationTypeName: + - aws_cloud 
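Review bot: The `cost_optimization` subquery `(SELECT cost FROM pennywise_cost_estimate where resource_type = 'aws::ec2::volume' and resource_id = v.og_resource_id limit 1)` has `limit 1` without an `order by`, so if more than one estimate row exists for a volume the reported cost is whichever row the planner returns first and can change between runs. I cannot tell from this diff whether `pennywise_cost_estimate` is unique per `resource_id`; if it is not, add an ordering column to the subquery or aggregate the estimates, and document the assumption next to the parameterless `Parameters: []` entry.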
diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_attached_to_stopped_ec2_instances.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_attached_to_stopped_ec2_instances.yaml index 1ec935114..7081eb79d 100755 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_attached_to_stopped_ec2_instances.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_attached_to_stopped_ec2_instances.yaml 
@@ -1,45 +1,23 @@ ID: aws_ebs_volumes_attached_to_stopped_ec2_instances Title: "EBS Volumes Attached To Stopped EC2 Instances" Description: "Identify Amazon EBS volumes attached to stopped EC2 instances (i.e. unused EBS volumes)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - v.volume_id as resource, - v.og_resource_id, - v.og_account_id, - case - when i.instance_state = 'running' then 0 - else (SELECT cost FROM pennywise_cost_estimate where resource_type = 'aws::ec2::volume' and resource_id = v.og_resource_id limit 1) - end as cost_optimization, - case - when i.instance_state = 'running' then 'ok' - else 'alarm' - end as status, - case - when i.instance_state = 'running' then v.volume_id || ' is attached to a running instance' - else v.volume_id || ' is attached to a stopped instance' - end as reason, - v.region, - v.account_id - from - aws_ebs_volume as v, - jsonb_array_elements(attachments) as att - left join aws_ec2_instance as i on att ->> 'InstanceId' = i.instance_id + QueryToExecute: "select\n v.volume_id as resource,\n v.og_resource_id,\n v.og_account_id,\n case\n when i.instance_state = 'running' then 0\n else (SELECT cost FROM pennywise_cost_estimate where resource_type = 'aws::ec2::volume' and resource_id = v.og_resource_id limit 1)\n end as cost_optimization,\n case\n when i.instance_state = 'running' then 'ok'\n else 'alarm'\n end as status,\n case\n when i.instance_state = 'running' then v.volume_id || ' is attached to a running instance'\n else v.volume_id || ' is attached to a stopped instance'\n end as reason,\n v.region,\n v.account_id\nfrom\n aws_ebs_volume as v,\n jsonb_array_elements(attachments) as att\n left join aws_ec2_instance as i on att ->> 'InstanceId' = i.instance_id \n" PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume - - aws_ec2_instance + - aws_ebs_volume + - aws_ec2_instance Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS 
Elastic Block Store (EBS) platform_score_use_case: - - Missing Tags + - Missing Tags score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Missing Tags + - Missing Tags +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml b/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml index b3e4883b3..0641e66c5 100755 --- a/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml 
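Review bot: In the new `QueryToExecute` string, a volume whose attachment points at an instance that is absent from `aws_ec2_instance` (the `left join` leaves `i.instance_state` NULL) falls into the `else` branches and is reported as `' is attached to a stopped instance'` with an estimated cost, which overstates the finding; a leading `when i.instance_id is null then 'skip'` branch in each CASE (the status the aws_ec2_ami_too_old control in this diff already uses) would separate "instance not found" from "instance stopped". The tag values `Missing Tags` under `platform_score_use_case` and `score_tags` also look inconsistent with this control's cost-optimization description — the sibling EBS controls in this diff use `Optimization` — though I cannot tell from the hunk whether that is intentional.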
@@ -1,44 +1,24 @@ ID: aws_ebs_volumes_too_old_snapshots Title: "EBS Volumes Too Old Snapshots" Description: "Identify and remove old AWS Elastic Block Store (EBS) volume snapshots for cost optimization." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - snapshot_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN start_time + ({{.awsEbsSnapshotAgeMaxDays}}::INT || ' days')::interval < now() THEN (SELECT cost FROM pennywise_cost_estimate where resource_type = 'aws::ec2::volumesnapshot' and resource_id = es.og_resource_id limit 1) - ELSE 0 - END AS cost_optimization, - CASE - WHEN start_time + ({{.awsEbsSnapshotAgeMaxDays}}::INT || ' days')::interval < now() THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN start_time + ({{.awsEbsSnapshotAgeMaxDays}}::INT || ' days')::interval < now() THEN snapshot_id || ' snapshot is older than 30 days' - ELSE snapshot_id || ' snapshot is not older than 30 days' - END AS reason, - region, - account_id - FROM - aws_ebs_snapshot es + QueryToExecute: "SELECT \n snapshot_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN start_time + ({{.awsEbsSnapshotAgeMaxDays}}::INT || ' days')::interval < now() THEN (SELECT cost FROM pennywise_cost_estimate where resource_type = 'aws::ec2::volumesnapshot' and resource_id = es.og_resource_id limit 1)\n ELSE 0\n END AS cost_optimization,\n CASE\n WHEN start_time + ({{.awsEbsSnapshotAgeMaxDays}}::INT || ' days')::interval < now() THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN start_time + ({{.awsEbsSnapshotAgeMaxDays}}::INT || ' days')::interval < now() THEN snapshot_id || ' snapshot is older than 30 days' \n ELSE snapshot_id || ' snapshot is not older than 30 days'\n END AS reason,\n region,\n account_id\nFROM \n aws_ebs_snapshot es\n" PrimaryTable: aws_ebs_snapshot ListOfTables: - - aws_ebs_snapshot + - aws_ebs_snapshot Parameters: - - key: awsEbsSnapshotAgeMaxDays - required: false + - key: awsEbsSnapshotAgeMaxDays + required: 
false Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - Optimization + - Optimization score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Optimization + - Optimization +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ebs/aws_use_gp3_not_gp2.yaml b/compliance/controls/baseline/aws/ebs/aws_use_gp3_not_gp2.yaml index d6436a539..a5f1644e5 100755 --- a/compliance/controls/baseline/aws/ebs/aws_use_gp3_not_gp2.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_use_gp3_not_gp2.yaml @@ -1,8 +1,6 @@ ID: aws_use_gp3_not_gp2 Title: "Use GP3, not GP2" Description: "EBS gp2 volumes are legacy, costly, and have lower performance than gp3." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -22,15 +20,17 @@ Query: aws_ebs_volume; PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - General Efficiency + - General Efficiency score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - General Efficiency + - General Efficiency +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ebs/aws_use_io2_not_io1.yaml b/compliance/controls/baseline/aws/ebs/aws_use_io2_not_io1.yaml index 03c05b9f4..28fdb7a68 100755 --- a/compliance/controls/baseline/aws/ebs/aws_use_io2_not_io1.yaml +++ b/compliance/controls/baseline/aws/ebs/aws_use_io2_not_io1.yaml @@ -1,8 +1,6 @@ ID: aws_use_io2_not_io1 Title: "Use io2, not io1" Description: "io1 Volumes are older generation less reliable than io2 for same cost." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
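Review bot: The `Parameters` entry in the aws_ebs_volumes_too_old_snapshots hunk uses lowercase `key:`/`required:` while the aws_ec2_ami_too_old and aws_ec2_desired_instance_type hunks use `Key:`/`Required:`; if the loader matches field names case-sensitively this parameter is silently dropped, so align on one spelling. The reason text hard-codes `' snapshot is older than 30 days'` although the threshold is `{{.awsEbsSnapshotAgeMaxDays}}`, so the message is wrong for any other value; build it from the parameter instead. The parameter is spliced into the SQL as text: with `required: false`, an empty value renders `(::INT || ' days')`, which is a syntax error, and a non-numeric value reaches the engine verbatim, so validate it as an integer when the control is loaded. The same text-splicing applies to the string parameters in the aws_ec2_ami_too_old, aws_ec2_desired_instance_type and aws_ec2_instance_naming_conventions hunks, where the value sits inside a quoted SQL literal and a single quote in the value would terminate that literal; constrain those values to an allow-listed character set at load time or bind them as query parameters rather than interpolating.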
@@ -22,15 +20,17 @@ Query: aws_ebs_volume; PrimaryTable: aws_ebs_volume ListOfTables: - - aws_ebs_volume + - aws_ebs_volume Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_ami_encryption.yaml b/compliance/controls/baseline/aws/ec2/aws_ami_encryption.yaml index fb47880df..0a318c0ad 100755 --- a/compliance/controls/baseline/aws/ec2/aws_ami_encryption.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ami_encryption.yaml 
@@ -1,42 +1,22 @@ ID: aws_ami_encryption Title: "AWS AMI Encryption" Description: "Ensure that your existing AMIs are encrypted to meet security and compliance requirements." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - name as resource, - og_resource_id, - og_account_id, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(block_device_mappings) AS b WHERE (b -> 'Ebs' ->> 'Encrypted')::bool = False - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(block_device_mappings) AS b WHERE (b -> 'Ebs' ->> 'Encrypted')::bool = False - ) THEN name || ' has unencrypted data' - ELSE name || ' data is encrypted' - END AS reason, - region, - account_id - FROM - aws_ec2_ami + QueryToExecute: "SELECT \n name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(block_device_mappings) AS b WHERE (b -> 'Ebs' ->> 'Encrypted')::bool = False\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(block_device_mappings) AS b WHERE (b -> 'Ebs' ->> 'Encrypted')::bool = False\n ) THEN name || ' has unencrypted data' \n ELSE name || ' data is encrypted'\n END AS reason,\n region,\n account_id\nFROM \n aws_ec2_ami\n" PrimaryTable: aws_ec2_ami ListOfTables: - - aws_ec2_ami + - aws_ec2_ami Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_default_security_group_unrestricted.yaml b/compliance/controls/baseline/aws/ec2/aws_default_security_group_unrestricted.yaml index 7805b85ab..116ff8ffd 100755 --- a/compliance/controls/baseline/aws/ec2/aws_default_security_group_unrestricted.yaml 
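Review bot: The encryption test in the new `QueryToExecute` string, `(b -> 'Ebs' ->> 'Encrypted')::bool = False`, evaluates to NULL when a block-device mapping has no `Ebs` object or no `Encrypted` key, so such mappings never satisfy the EXISTS and the AMI is reported `'ok'` — the control fails open on missing data. Restricting to EBS mappings and defaulting the flag to false, `WHERE b ? 'Ebs' AND coalesce((b -> 'Ebs' ->> 'Encrypted')::bool, false) = false`, reports the unencrypted case conservatively while still skipping instance-store mappings; whether AWS always populates `Encrypted` for EBS mappings I cannot confirm from the hunk, so treating the absent case as a finding is the safer default. The condition is repeated in both CASE expressions and needs the change in both places.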
+++ b/compliance/controls/baseline/aws/ec2/aws_default_security_group_unrestricted.yaml 
@@ -1,48 +1,22 @@ ID: aws_default_security_group_unrestricted Title: "Default Security Group Unrestricted" Description: "Ensure the default security group of every VPC restricts all traffic." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(ip_permissions) AS p - WHERE EXISTS (SELECT 1 FROM jsonb_array_elements((p -> 'IpRanges')::jsonb) as r - WHERE r ->> 'CidrIp' = '0.0.0.0/0') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(ip_permissions) AS p - WHERE EXISTS (SELECT 1 FROM jsonb_array_elements((p -> 'IpRanges')::jsonb) as r - WHERE r ->> 'CidrIp' = '0.0.0.0/0') - ) THEN group_id || ' is not secure and compliant' - ELSE group_id || ' is secure and compliant' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - group_name = 'default' + QueryToExecute: "SELECT \n group_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(ip_permissions) AS p\n WHERE EXISTS (SELECT 1 FROM jsonb_array_elements((p -> 'IpRanges')::jsonb) as r\n WHERE r ->> 'CidrIp' = '0.0.0.0/0')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(ip_permissions) AS p\n WHERE EXISTS (SELECT 1 FROM jsonb_array_elements((p -> 'IpRanges')::jsonb) as r\n WHERE r ->> 'CidrIp' = '0.0.0.0/0')\n ) THEN group_id || ' is not secure and compliant' \n ELSE group_id || ' is secure and compliant'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n group_name = 'default'\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints 
score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_default_security_groups_in_use.yaml b/compliance/controls/baseline/aws/ec2/aws_default_security_groups_in_use.yaml index 465d66a93..2fc1c2103 100755 --- a/compliance/controls/baseline/aws/ec2/aws_default_security_groups_in_use.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_default_security_groups_in_use.yaml 
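Review bot: The new `QueryToExecute` string only inspects `ip_permissions` entries whose `IpRanges` contain `CidrIp = '0.0.0.0/0'`, so a default group open to the IPv6 world (`Ipv6Ranges` with `CidrIpv6 = '::/0'`) or one that still carries its AWS-created self-referencing ingress rule reports `'ok'`, even though the description says the group should restrict all traffic. Extending each EXISTS with `OR EXISTS (SELECT 1 FROM jsonb_array_elements((p -> 'Ipv6Ranges')::jsonb) AS r6 WHERE r6 ->> 'CidrIpv6' = '::/0')` closes the IPv6 gap; if the intent really is "no rules at all", `jsonb_array_length(ip_permissions) > 0` is the simpler and stricter test. Egress rules are not examined here at all, and the description should state whether that is in scope.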
@@ -1,44 +1,22 @@
ID: aws_default_security_groups_in_use
Title: "Default Security Groups In Use"
Description: "Ensure default security groups aren't in use. Instead create unique security groups to better adhere to the principle of least privilege."
-Connector:
-- aws
Query:
Engine: CloudQL-v0.0.1
- QueryToExecute: |
- SELECT
- instance_id as resource,
- og_resource_id,
- og_account_id,
- CASE
- WHEN EXISTS (
- SELECT 1 FROM jsonb_array_elements(security_groups) as sg
- WHERE sg ->> 'GroupName' = 'default'
- ) THEN 'alarm'
- ELSE 'ok'
- END AS status,
- CASE
- WHEN EXISTS (
- SELECT 1 FROM jsonb_array_elements(security_groups) as sg
- WHERE sg ->> 'GroupName' = 'default'
- ) THEN instance_id || ' is using default security group'
- ELSE instance_id || ' is not using default security group'
- END AS reason,
- region,
- account_id
- FROM
- aws_ec2_instance
+ QueryToExecute: "SELECT \n instance_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(security_groups) as sg\n WHERE sg ->> 'GroupName' = 'default'\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(security_groups) as sg\n WHERE sg ->> 'GroupName' = 'default'\n ) THEN instance_id || ' is using default security group' \n ELSE instance_id || ' is not using default security group'\n END AS reason,\n region,\n account_id\nFROM \n aws_ec2_instance\n"
PrimaryTable: aws_ec2_instance
ListOfTables:
- - aws_ec2_instance
+ - aws_ec2_instance
Parameters: []
Severity: medium
Tags:
platform_score_cloud_service_name:
- - AWS EC2
+ - AWS EC2
platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
score_service_name:
- - AWS EC2
+ - AWS EC2
score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/baseline/aws/ec2/aws_disable_public_ip_address_assignment_for_ec2_instances.yaml b/compliance/controls/baseline/aws/ec2/aws_disable_public_ip_address_assignment_for_ec2_instances.yaml index bab7f646e..aff703b75 100755 --- a/compliance/controls/baseline/aws/ec2/aws_disable_public_ip_address_assignment_for_ec2_instances.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_disable_public_ip_address_assignment_for_ec2_instances.yaml @@ -1,8 +1,6 @@ ID: aws_disable_public_ip_address_assignment_for_ec2_instances Title: "Disable Public IP Address Assignment for EC2 Instances" Description: "Ensure that Amazon EC2 instances are not using public IP addresses." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_ec2_instance; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_ami_too_old.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_ami_too_old.yaml index 1036a7c71..de479602e 100755 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_ami_too_old.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_ami_too_old.yaml 
@@ -1,55 +1,26 @@ ID: aws_ec2_ami_too_old Title: "EC2 AMI Too Old" Description: "Ensure EC2 Amazon Machine Images (AMIs) aren't too old" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - image_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN is_aws_backup_managed THEN 'skip' - WHEN root_device_type <> 'ebs' THEN 'skip' - WHEN now() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN is_aws_backup_managed THEN name || ' is managed by aws' - WHEN root_device_type <> 'ebs' THEN name || ' is not stored in ebs' - WHEN now() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval THEN name || ' needs to be restarted' - ELSE name || ' launch time was not much time ago' - END AS reason, - case - when is_aws_backup_managed then 0 - when root_device_type <> 'ebs' then 0 - when now() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval then (SELECT SUM((select cost from pennywise_cost_estimate AS es WHERE es.resource_type = 'aws::ec2::volumesnapshot' - AND es.resource_id = s.arn limit 1)) - FROM jsonb_array_elements(block_device_mappings) AS bdm - LEFT JOIN aws_ebs_snapshot AS s ON s.snapshot_id = bdm -> 'Ebs' ->> 'SnapshotId') - else 0 - end as cost_optimization, - region, - account_id - FROM - aws_ec2_ami + QueryToExecute: "SELECT \n image_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN is_aws_backup_managed THEN 'skip'\n WHEN root_device_type <> 'ebs' THEN 'skip'\n WHEN now() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN is_aws_backup_managed THEN name || ' is managed by aws'\n WHEN root_device_type <> 'ebs' THEN name || ' is not stored in ebs'\n WHEN now() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval THEN name || ' needs to be restarted' \n ELSE name || ' launch time was not much time 
ago'\n END AS reason,\n case\n when is_aws_backup_managed then 0\n when root_device_type <> 'ebs' then 0\n when now() - (creation_date)::timestamp > '{{.awsEbsAmiAgeMaxDays}} days'::interval then (SELECT SUM((select cost from pennywise_cost_estimate AS es WHERE es.resource_type = 'aws::ec2::volumesnapshot' \n AND es.resource_id = s.arn limit 1))\n FROM jsonb_array_elements(block_device_mappings) AS bdm\n LEFT JOIN aws_ebs_snapshot AS s ON s.snapshot_id = bdm -> 'Ebs' ->> 'SnapshotId')\n else 0\n end as cost_optimization,\n region,\n account_id\nFROM \n aws_ec2_ami\n" PrimaryTable: aws_ec2_ami ListOfTables: - - aws_backup_managed - - aws_ebs_snapshot - - aws_ec2_ami + - aws_backup_managed + - aws_ebs_snapshot + - aws_ec2_ami Parameters: - Key: awsEbsAmiAgeMaxDays Required: true Severity: high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_desired_instance_type.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_desired_instance_type.yaml index bb8fc1eb2..81ec94490 100755 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_desired_instance_type.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_desired_instance_type.yaml 
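Review bot: `ListOfTables` on the new side lists `aws_backup_managed`, which the query never reads — it tests the `is_aws_backup_managed` column of `aws_ec2_ami` — while `pennywise_cost_estimate`, which it does read, is not listed; if the list drives dependency resolution this looks like a stale entry, though other controls in this diff also omit the cost table, so that part may be deliberate. The reason texts `' needs to be restarted'` and `' launch time was not much time ago'` are copied from an instance control and do not describe an AMI; something like `name || ' is older than {{.awsEbsAmiAgeMaxDays}} days'` / `name || ' is within the allowed age'` matches the status logic. The line break inside `' launch time was not much time \n ago'` is a page-rendering artifact rather than part of the hunk.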
@@ -1,42 +1,24 @@ ID: aws_ec2_desired_instance_type Title: "EC2 Instances types are Approved" Description: "Ensure all EC2 instances are of a given instance type Optimal and Aligned with our Organization" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - instance_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN '{{.awsAllowedInstanceTypes}}' = '' THEN 'ok' - WHEN '{{.awsAllowedInstanceTypes}}' LIKE '%' || instance_type || '%' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN '{{.awsAllowedInstanceTypes}}' = '' THEN 'allowed instance types not defined' - WHEN '{{.awsAllowedInstanceTypes}}' LIKE '%' || instance_type || '%' THEN instance_id || ' instance type is allowed by your organization' - ELSE instance_id || ' instance type is not allowed by your organization' - END AS reason, - region, - account_id - FROM - aws_ec2_instance + QueryToExecute: "SELECT \n instance_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN '{{.awsAllowedInstanceTypes}}' = '' THEN 'ok'\n WHEN '{{.awsAllowedInstanceTypes}}' LIKE '%' || instance_type || '%' THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN '{{.awsAllowedInstanceTypes}}' = '' THEN 'allowed instance types not defined'\n WHEN '{{.awsAllowedInstanceTypes}}' LIKE '%' || instance_type || '%' THEN instance_id || ' instance type is allowed by your organization' \n ELSE instance_id || ' instance type is not allowed by your organization'\n END AS reason,\n region,\n account_id\nFROM \n aws_ec2_instance\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: - Key: awsAllowedInstanceTypes Required: false Severity: high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Over Utilization + - Over Utilization score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Over Utilization + - Over Utilization +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_in_vpc.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_in_vpc.yaml index 457e0c10b..0ea984549 100755 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_in_vpc.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_in_vpc.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_in_vpc Title: "EC2 Instance In VPC" Description: "Ensure EC2 instances are launched using the EC2-VPC platform instead of EC2-Classic outdated platform." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,15 +23,17 @@ Query: where instance_state = 'running'; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_naming_conventions.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_naming_conventions.yaml index 39c097b2a..b5e1619ef 100755 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_naming_conventions.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_naming_conventions.yaml 
@@ -1,42 +1,24 @@ ID: aws_ec2_instance_naming_conventions Title: "EC2 Instance Naming Conventions" Description: "Follow proper naming conventions for EC2 instances." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - instance_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN '{{.awsEc2NamingPattern}}' = '' then 'ok' - WHEN tags ->> 'Name' LIKE '{{.awsEc2NamingPattern}}' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN '{{.awsEc2NamingPattern}}' = '' THEN 'ec2 naming pattern not defined' - WHEN tags ->> 'Name' LIKE '{{.awsEc2NamingPattern}}' THEN instance_id || ' name is followed by your organization naming pattern' - ELSE instance_id || ' name is not followed by your organization naming pattern' - END AS reason, - region, - account_id - FROM - aws_ec2_instance + QueryToExecute: "SELECT \n instance_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN '{{.awsEc2NamingPattern}}' = '' then 'ok'\n WHEN tags ->> 'Name' LIKE '{{.awsEc2NamingPattern}}' THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN '{{.awsEc2NamingPattern}}' = '' THEN 'ec2 naming pattern not defined' \n WHEN tags ->> 'Name' LIKE '{{.awsEc2NamingPattern}}' THEN instance_id || ' name is followed by your organization naming pattern' \n ELSE instance_id || ' name is not followed by your organization naming pattern'\n END AS reason,\n region,\n account_id\nFROM \n aws_ec2_instance\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: - Key: awsEc2NamingPattern Required: false Severity: low Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Missing Tags + - Missing Tags score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Missing Tags + - Missing Tags +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_not_in_public_subnet.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_not_in_public_subnet.yaml index 37e5ed94e..5653c0d76 100755 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_not_in_public_subnet.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_not_in_public_subnet.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_not_in_public_subnet Title: "EC2 Instance Not In Public Subnet" Description: "Ensure that no backend EC2 instances are provisioned in public subnets." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_ec2_instance; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_termination_protection.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_termination_protection.yaml index d1e6da751..926f71f21 100755 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_termination_protection.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_termination_protection.yaml @@ -1,8 +1,6 @@ ID: aws_ec2_instance_termination_protection Title: "EC2 Instance Termination Protection" Description: "Ensure termination protection safety feature is enabled for ec2 instances that aren't part of ASGs" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -24,11 +22,13 @@ Query: aws_ec2_instance PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 score_service_name: - - AWS EC2 + - AWS EC2 +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_too_old.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_too_old.yaml index af74e04db..394f98dd5 100755 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_instance_too_old.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instance_too_old.yaml 
@@ -1,38 +1,22 @@ ID: aws_ec2_instance_too_old Title: "EC2 Instance Too Old" Description: "Ensure EC2 instances aren't too old." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - instance_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN now() - (og_description -> 'Instance' ->> 'LaunchTime')::timestamp > '180 days'::interval THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN now() - (og_description -> 'Instance' ->> 'LaunchTime')::timestamp > '180 days'::interval THEN instance_id || ' needs to be restarted' - ELSE instance_id || ' launch time was not much time ago' - END AS reason, - region, - account_id - FROM - aws_ec2_instance + QueryToExecute: "SELECT \n instance_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN now() - (og_description -> 'Instance' ->> 'LaunchTime')::timestamp > '180 days'::interval THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN now() - (og_description -> 'Instance' ->> 'LaunchTime')::timestamp > '180 days'::interval THEN instance_id || ' needs to be restarted' \n ELSE instance_id || ' launch time was not much time ago'\n END AS reason,\n region,\n account_id\nFROM \n aws_ec2_instance\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Under Utilization + - Under Utilization score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Under Utilization + - Under Utilization +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_ec2_instances_with_multiple_elastic_network_interfaces.yaml b/compliance/controls/baseline/aws/ec2/aws_ec2_instances_with_multiple_elastic_network_interfaces.yaml index b8dd2b9e3..f76dd1891 100755 --- a/compliance/controls/baseline/aws/ec2/aws_ec2_instances_with_multiple_elastic_network_interfaces.yaml 
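Review bot: The age threshold in the new `QueryToExecute` string is the literal `'180 days'::interval`, repeated in both CASE expressions, whereas the neighbouring aws_ec2_ami_too_old control exposes its threshold through a `Parameters` entry and a `{{.…}}` template; a `Parameters` entry here (key name to be chosen, `Required: false`) would let operators tune it without editing SQL and keep the two controls consistent. The reason `' needs to be restarted'` also overstates what the check knows — it only sees an old `LaunchTime` — so `' was launched more than 180 days ago'` describes the finding accurately.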
+++ b/compliance/controls/baseline/aws/ec2/aws_ec2_instances_with_multiple_elastic_network_interfaces.yaml 
@@ -1,45 +1,18 @@ ID: aws_ec2_instances_with_multiple_elastic_network_interfaces Title: "EC2 Instances with Multiple Elastic Network Interfaces" Description: "Ensure that Amazon EC2 instances are not using multiple ENIs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with instance_nis as ( - select - i.instance_id, count(ni) - from - aws_ec2_instance as i, - jsonb_array_elements(network_interfaces) as ni - where ni -> 'Attachment' ->> 'Status' = 'attached' - group by i.instance_id - ) - - select - i.instance_id as resource, - og_resource_id, - og_account_id, - case - when nis.count > 1 then 'alarm' - else 'ok' - end status, - case - when nis.count > 1 then i.instance_id || ' Has more than one network interfaces.' - else i.instance_id || ' Has more than one network interfaces.' - end as reason, - region, - account_id - from - aws_ec2_instance as i left join - instance_nis as nis on i.instance_id = nis.instance_id + QueryToExecute: "with instance_nis as (\n select\n i.instance_id, count(ni)\n from\n aws_ec2_instance as i,\n jsonb_array_elements(network_interfaces) as ni\n where ni -> 'Attachment' ->> 'Status' = 'attached'\n group by i.instance_id\n )\n \n select\n i.instance_id as resource,\n og_resource_id,\n og_account_id,\n case\n when nis.count > 1 then 'alarm'\n else 'ok'\n end status,\n case\n when nis.count > 1 then i.instance_id || ' Has more than one network interfaces.'\n else i.instance_id || ' Has more than one network interfaces.'\n end as reason,\n region,\n account_id\n from\n aws_ec2_instance as i left join\n instance_nis as nis on i.instance_id = nis.instance_id\n" PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 score_service_name: - - AWS EC2 + - AWS EC2 +IntegrationTypeName: + - aws_cloud 
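Review bot: Both branches of the reason CASE in the new `QueryToExecute` string emit `' Has more than one network interfaces.'`, so compliant instances are described as non-compliant; the `else` branch should read something like `else i.instance_id || ' has a single network interface.'`. The status CASE also closes with `end status` while the reason uses `end as reason`; both are valid, but one form keeps the query consistent with the other controls in this diff.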
diff --git a/compliance/controls/baseline/aws/ec2/aws_publicly_shared_ami.yaml b/compliance/controls/baseline/aws/ec2/aws_publicly_shared_ami.yaml index 897ac719d..9f9853458 100755 --- a/compliance/controls/baseline/aws/ec2/aws_publicly_shared_ami.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_publicly_shared_ami.yaml @@ -1,8 +1,6 @@ ID: aws_publicly_shared_ami Title: "Publicly Shared AMI" Description: "Ensure AMIs aren't publicly shared to avoid exposing sensitive data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_ec2_ami; PrimaryTable: aws_ec2_ami ListOfTables: - - aws_ec2_ami + - aws_ec2_ami Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_require_imdsv2_for_ec2_instances.yaml b/compliance/controls/baseline/aws/ec2/aws_require_imdsv2_for_ec2_instances.yaml index 3aa0e9aa2..6f1b01d89 100755 --- a/compliance/controls/baseline/aws/ec2/aws_require_imdsv2_for_ec2_instances.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_require_imdsv2_for_ec2_instances.yaml @@ -1,8 +1,6 @@ ID: aws_require_imdsv2_for_ec2_instances Title: "Require IMDSv2 for EC2 Instances" Description: "Ensure that all the Amazon EC2 instances require the use of Instance Metadata Service Version 2 (IMDSv2)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -24,15 +22,17 @@ Query: aws_ec2_instance; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_security_group_name_prefixed_with_launch_wizard.yaml b/compliance/controls/baseline/aws/ec2/aws_security_group_name_prefixed_with_launch_wizard.yaml index 067209ef8..f359fb183 100755 --- a/compliance/controls/baseline/aws/ec2/aws_security_group_name_prefixed_with_launch_wizard.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_security_group_name_prefixed_with_launch_wizard.yaml @@ -1,8 +1,6 @@ ID: aws_security_group_name_prefixed_with_launch_wizard Title: "Security Group Name Prefixed With 'launch-wizard'" Description: "Ensure no security group name is prefixed with 'launch-wizard'." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -34,15 +32,17 @@ Query: left join launch_wizard_sg_attached_instance as sg on i.arn = sg.arn; PrimaryTable: aws_ec2_instance ListOfTables: - - aws_ec2_instance + - aws_ec2_instance Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_security_group_port_range.yaml b/compliance/controls/baseline/aws/ec2/aws_security_group_port_range.yaml index 8bc2e70f9..1964fa5ed 100755 --- a/compliance/controls/baseline/aws/ec2/aws_security_group_port_range.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_security_group_port_range.yaml 
@@ -1,8 +1,6 @@ ID: aws_security_group_port_range Title: "Security Group Port Range" Description: "Ensure no security group opens range of ports." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -36,16 +34,18 @@ Query: left join ingress_sg as isg on sg.group_id = isg.group_id PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: very high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unassociated_elastic_ip_addresses.yaml b/compliance/controls/baseline/aws/ec2/aws_unassociated_elastic_ip_addresses.yaml index 022f58576..d3a9e1181 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unassociated_elastic_ip_addresses.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unassociated_elastic_ip_addresses.yaml @@ -1,8 +1,6 @@ ID: aws_unassociated_elastic_ip_addresses Title: "Unassociated Elastic IP Addresses" Description: "Identify unassociated Elastic IP addresses, and delete them to help lower the cost of your monthly AWS bill." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -28,15 +26,17 @@ Query: aws_vpc_eip; PrimaryTable: aws_vpc_eip ListOfTables: - - aws_vpc_eip + - aws_vpc_eip Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Orphaned Resources + - Orphaned Resources score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Orphaned Resources + - Orphaned Resources +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_cifs_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_cifs_access.yaml index 4bb4963bd..0e97a5d46 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_cifs_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_cifs_access.yaml 
@@ -1,52 +1,24 @@ ID: aws_unrestricted_cifs_access Title: "Unrestricted CIFS Access" Description: "Ensure no security group allows unrestricted inbound access to UDP port 445 (CIFS)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsCifsTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '445') and ((p ->> 'ToPort') = '445') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsCifsTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '445') and ((p ->> 'ToPort') = '445') - ) THEN group_name || ' has Unrestricted CIFS Access' - ELSE group_name || ' CIFS Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '445') and ((p ->> 'ToPort') = '445')) + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsCifsTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '445') and ((p ->> 'ToPort') = '445')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsCifsTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '445') and ((p ->> 'ToPort') = '445')\n ) THEN group_name || ' has Unrestricted CIFS Access' \n ELSE group_name || ' CIFS Access is 
secure'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '445') and ((p ->> 'ToPort') = '445'))\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsCifsTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_icmp_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_icmp_access.yaml index f7970ec32..987cc154d 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_icmp_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_icmp_access.yaml 
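Review bot: Rewriting `QueryToExecute` from a `|` block scalar into a double-quoted string with embedded `\n` makes the SQL unreadable and undiffable, and it carries trailing spaces into the query (`SELECT \n`, `FROM \n`, `Access' \n`) while other files in this same commit, such as aws_unrestricted_ssh_access, keep `QueryToExecute: |`. The same regression appears in the ICMP, MongoDB, MsSQL, MySQL, NetBIOS, OpenSearch, Oracle, RPC, uncommon-ports and SMTP hunks below; the fix in each is to restore `QueryToExecute: |` with the statement on indented lines, which is what the removed side already had. On the query now restated on the new side, `'{{.awsCifsTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%'` is a substring test, so any CidrIp that happens to be a substring of the trusted list is treated as trusted (a trusted `10.0.0.0/8` makes a rule for `0.0.0.0/8` pass silently), and the templated value is spliced into a SQL literal with no escaping, so a value containing `'` breaks the statement. The port filter matches only `FromPort = '445' and ToPort = '445'` and only walks `IpRanges`, so a range that spans 445 or an IPv6 entry is never flagged, and the UDP qualifier in the Description is not checked. If the parameter is a delimited list, an exact membership test such as `(r ->> 'CidrIp') <> ALL (string_to_array('{{.awsCifsTrustedIpRange}}', ','))` would remove the substring problem, though escaping of the parameter still needs to happen before templating.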
@@ -1,52 +1,24 @@ ID: aws_unrestricted_icmp_access Title: "Unrestricted ICMP Access" Description: "Ensure no security group allows unrestricted inbound access to ICMP." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsIcmpTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'IpProtocol') = 'icmp') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsIcmpTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'IpProtocol') = 'icmp') - ) THEN group_name || ' has Unrestricted ICMP Access' - ELSE group_name || ' ICMP Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where (p ->> 'IpProtocol') = 'icmp') + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsIcmpTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'IpProtocol') = 'icmp')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsIcmpTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'IpProtocol') = 'icmp')\n ) THEN group_name || ' has Unrestricted ICMP Access' \n ELSE group_name || ' ICMP Access is secure'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p 
where (p ->> 'IpProtocol') = 'icmp')\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsIcmpTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mongodb_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mongodb_access.yaml index 9cd36d24b..6fa5075bf 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mongodb_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mongodb_access.yaml 
@@ -1,52 +1,24 @@ ID: aws_unrestricted_mongodb_access Title: "Unrestricted MongoDB Access" Description: "Ensure no security group allows unrestricted ingress access to MongoDB port 27017" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsMongodbTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '27017') and ((p ->> 'ToPort') = '27017') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsMongodbTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '27017') and ((p ->> 'ToPort') = '27017') - ) THEN group_name || ' has Unrestricted MongoDb Access' - ELSE group_name || ' MongoDb Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '27017') and ((p ->> 'ToPort') = '27017')) + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsMongodbTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '27017') and ((p ->> 'ToPort') = '27017')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsMongodbTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '27017') and ((p ->> 'ToPort') = '27017')\n ) THEN group_name || ' has Unrestricted MongoDb 
Access' \n ELSE group_name || ' MongoDb Access is secure'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '27017') and ((p ->> 'ToPort') = '27017'))\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsMongodbTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mssql_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mssql_access.yaml index 26db3a339..228c791a1 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mssql_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mssql_access.yaml 
@@ -1,52 +1,24 @@ ID: aws_unrestricted_mssql_access Title: "Unrestricted MsSQL Access" Description: "Ensure no security group allows unrestricted ingress access to port 1433." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsMssqlTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '1433') and ((p ->> 'ToPort') = '1433') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsMssqlTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '1433') and ((p ->> 'ToPort') = '1433') - ) THEN group_name || ' has Unrestricted MsSQL Access' - ELSE group_name || ' MsSQL Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '1433') and ((p ->> 'ToPort') = '1433')) + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsMssqlTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '1433') and ((p ->> 'ToPort') = '1433')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsMssqlTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '1433') and ((p ->> 'ToPort') = '1433')\n ) THEN group_name || ' has Unrestricted MsSQL Access' \n ELSE group_name || ' MsSQL 
Access is secure'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '1433') and ((p ->> 'ToPort') = '1433'))\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsMssqlTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mysql_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mysql_access.yaml index 4ae1892ed..9e62fa1f6 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_mysql_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_mysql_access.yaml 
@@ -1,52 +1,24 @@ ID: aws_unrestricted_mysql_access Title: "Unrestricted MySQL Access" Description: "Ensure no security group allows unrestricted ingress access to port 3306." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsMysqlTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '3306') and ((p ->> 'ToPort') = '3306') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsMysqlTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '3306') and ((p ->> 'ToPort') = '3306') - ) THEN group_name || ' has Unrestricted MySQL Access' - ELSE group_name || ' MySQL Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '3306') and ((p ->> 'ToPort') = '3306')) + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsMysqlTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '3306') and ((p ->> 'ToPort') = '3306')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsMysqlTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '3306') and ((p ->> 'ToPort') = '3306')\n ) THEN group_name || ' has Unrestricted MySQL Access' \n ELSE group_name || ' MySQL 
Access is secure'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '3306') and ((p ->> 'ToPort') = '3306'))\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsMysqlTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_netbios_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_netbios_access.yaml index b0009677c..29b02975e 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_netbios_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_netbios_access.yaml 
@@ -1,52 +1,24 @@ ID: aws_unrestricted_netbios_access Title: "Unrestricted NetBIOS Access" Description: "Ensure no security group allows unrestricted inbound access to port UDP/137, UDP/138, and TPC/139 (NetBIOS)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsNetBiosTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') in ('137', '138', '139')) and ((p ->> 'ToPort') in ('137', '138', '139')) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsNetBiosTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') in ('137', '138', '139')) and ((p ->> 'ToPort') in ('137', '138', '139')) - ) THEN group_name || ' has Unrestricted NetBIOS Access' - ELSE group_name || ' NetBIOS Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') in ('137', '138', '139')) and ((p ->> 'ToPort') in ('137', '138', '139'))) + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsNetBiosTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') in ('137', '138', '139')) and ((p ->> 'ToPort') in ('137', '138', '139'))\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsNetBiosTrustedIpRange}}' not LIKE '%' 
|| (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') in ('137', '138', '139')) and ((p ->> 'ToPort') in ('137', '138', '139'))\n ) THEN group_name || ' has Unrestricted NetBIOS Access' \n ELSE group_name || ' NetBIOS Access is secure'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') in ('137', '138', '139')) and ((p ->> 'ToPort') in ('137', '138', '139')))\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsNetBiosTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_opensearch_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_opensearch_access.yaml index 788f0fc5a..eb31917ad 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_opensearch_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_opensearch_access.yaml 
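Review bot: The Description on the context line reads `TPC/139`, which looks like a typo for `TCP/139`; it is unchanged by this commit but now sits next to a rewritten query and is worth correcting in the same pass. The query's `(p ->> 'FromPort') in ('137', '138', '139') and (p ->> 'ToPort') in ('137', '138', '139')` does not test `IpProtocol`, so the UDP/TCP split the Description promises is not enforced, and a rule such as 136–140 that covers all three ports is not matched at all.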
@@ -1,52 +1,24 @@ ID: aws_unrestricted_opensearch_access Title: "Unrestricted OpenSearch Access" Description: "Ensure no security group allows unrestricted inbound access to TCP port 9200 (OpenSearch)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsOpensearchTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '9200') and ((p ->> 'ToPort') = '9200') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsOpensearchTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '9200') and ((p ->> 'ToPort') = '9200') - ) THEN group_name || ' has Unrestricted OpenSearch Access' - ELSE group_name || ' OpenSearch Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '9200') and ((p ->> 'ToPort') = '9200')) + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsOpensearchTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '9200') and ((p ->> 'ToPort') = '9200')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsOpensearchTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '9200') and ((p ->> 'ToPort') = '9200')\n ) THEN group_name || ' has 
Unrestricted OpenSearch Access' \n ELSE group_name || ' OpenSearch Access is secure'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '9200') and ((p ->> 'ToPort') = '9200'))\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsOpensearchTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_oracle_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_oracle_access.yaml index 7a6991a14..b9f938592 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_oracle_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_oracle_access.yaml 
@@ -1,52 +1,24 @@ ID: aws_unrestricted_oracle_access Title: "Unrestricted Oracle Access" Description: "Ensure no security group allows unrestricted ingress access to port 1521." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsOracleTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '1521') and ((p ->> 'ToPort') = '1521') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsOracleTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '1521') and ((p ->> 'ToPort') = '1521') - ) THEN group_name || ' has Unrestricted Oracle Access' - ELSE group_name || ' Oracle Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '1521') and ((p ->> 'ToPort') = '1521')) + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsOracleTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '1521') and ((p ->> 'ToPort') = '1521')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsOracleTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '1521') and ((p ->> 'ToPort') = '1521')\n ) THEN group_name || ' has Unrestricted Oracle Access' \n ELSE group_name || 
' Oracle Access is secure'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '1521') and ((p ->> 'ToPort') = '1521'))\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsOracleTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_rpc_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_rpc_access.yaml index 4e4cffaa3..1f694a206 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_rpc_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_rpc_access.yaml 
@@ -1,52 +1,24 @@ ID: aws_unrestricted_rpc_access Title: "Unrestricted RPC Access" Description: "Ensure no security group allows unrestricted inbound access to TCP port 135 (RPC)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsRpcTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '135') and ((p ->> 'ToPort') = '135') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsRpcTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '135') and ((p ->> 'ToPort') = '135') - ) THEN group_name || ' has Unrestricted RPC Access' - ELSE group_name || ' RPC Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '135') and ((p ->> 'ToPort') = '135')) + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsRpcTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '135') and ((p ->> 'ToPort') = '135')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsRpcTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '135') and ((p ->> 'ToPort') = '135')\n ) THEN group_name || ' has Unrestricted RPC Access' \n ELSE group_name || ' RPC Access is secure'\n 
END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '135') and ((p ->> 'ToPort') = '135'))\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsRpcTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_security_group_ingress_on_uncommon_ports.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_security_group_ingress_on_uncommon_ports.yaml index 5c0a4aaa3..00687c18d 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_security_group_ingress_on_uncommon_ports.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_security_group_ingress_on_uncommon_ports.yaml 
@@ -1,48 +1,22 @@ ID: aws_unrestricted_security_group_ingress_on_uncommon_ports Title: "Unrestricted Security Group Ingress on Uncommon Ports" Description: "Ensure no security group contains any 0.0.0.0/0 ingress rules." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ((p ->> 'IpRanges') LIKE '%0.0.0.0/0%' or (p ->> 'IpRanges' LIKE '%::/0%')) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ((p ->> 'IpRanges') LIKE '%0.0.0.0/0%' or (p ->> 'IpRanges' LIKE '%::/0%')) - ) THEN group_name || ' has Unrestricted Access' - ELSE group_name || ' Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ((p ->> 'IpRanges') LIKE '%0.0.0.0/0%' or (p ->> 'IpRanges' LIKE '%::/0%'))\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ((p ->> 'IpRanges') LIKE '%0.0.0.0/0%' or (p ->> 'IpRanges' LIKE '%::/0%'))\n ) THEN group_name || ' has Unrestricted Access' \n ELSE group_name || ' Access is secure'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints 
score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_smtp_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_smtp_access.yaml index 9cb5cb681..32a68ba56 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_smtp_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_smtp_access.yaml 
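Review bot: The `or (p ->> 'IpRanges' LIKE '%::/0%')` branch in the restated query can never match, because in the EC2 permission structure IPv6 CIDRs are carried in a separate `Ipv6Ranges` array (`CidrIpv6`), not in `IpRanges`; as written, an `::/0` ingress rule is reported as `ok`. The `jsonb_array_elements(p -> 'IpRanges') as r` alias is also never referenced, so it only multiplies rows without narrowing the test. A direct comparison would be clearer and would cover both families: `where (r ->> 'CidrIp') = '0.0.0.0/0'` for the existing subquery, plus a second `exists` over `jsonb_array_elements(p -> 'Ipv6Ranges') as r6 where (r6 ->> 'CidrIpv6') = '::/0'`. Separately, the Title says "Uncommon Ports" but the query has no port filter at all, so either the title or the query should be narrowed to say what is actually checked.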
@@ -1,52 +1,24 @@ ID: aws_unrestricted_smtp_access Title: "Unrestricted SMTP Access" Description: "Ensure no security group allows unrestricted inbound access to TCP port 25 (SMTP)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - group_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsSmtpTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '25') and ((p ->> 'ToPort') = '25') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN exists ( - select 1 - from jsonb_array_elements(ip_permissions) as p, - jsonb_array_elements(p -> 'IpRanges') as r - where ('{{.awsSmtpTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '25') and ((p ->> 'ToPort') = '25') - ) THEN group_name || ' has Unrestricted SMTP Access' - ELSE group_name || ' SMTP Access is secure' - END AS reason, - region, - account_id - FROM - aws_vpc_security_group - WHERE - exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '25') and ((p ->> 'ToPort') = '25')) + QueryToExecute: "SELECT \n group_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsSmtpTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '25') and ((p ->> 'ToPort') = '25')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN exists (\n select 1\n from jsonb_array_elements(ip_permissions) as p,\n jsonb_array_elements(p -> 'IpRanges') as r\n where ('{{.awsSmtpTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%') and ((p ->> 'FromPort') = '25') and ((p ->> 'ToPort') = '25')\n ) THEN group_name || ' has Unrestricted SMTP Access' \n ELSE group_name || ' SMTP Access is secure'\n 
END AS reason,\n region,\n account_id\nFROM \n aws_vpc_security_group\nWHERE\n exists (select 1 from jsonb_array_elements(ip_permissions) as p where ((p ->> 'FromPort') = '25') and ((p ->> 'ToPort') = '25'))\n" PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group + - aws_vpc_security_group Parameters: - Key: awsSmtpTrustedIpRange Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unrestricted_ssh_access.yaml b/compliance/controls/baseline/aws/ec2/aws_unrestricted_ssh_access.yaml index cdbcefcc0..692a1f4ab 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unrestricted_ssh_access.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unrestricted_ssh_access.yaml @@ -1,8 +1,6 @@ ID: aws_unrestricted_ssh_access Title: "Unrestricted SSH Access" Description: "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -42,16 +40,18 @@ Query: left join ingress_sg as isg on sg.group_id = isg.group_id PrimaryTable: aws_vpc_security_group ListOfTables: - - aws_vpc_security_group - - aws_vpc_security_group_rule + - aws_vpc_security_group + - aws_vpc_security_group_rule Parameters: [] Severity: very high Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unused_ami.yaml b/compliance/controls/baseline/aws/ec2/aws_unused_ami.yaml index 685ca0e03..9cf6a1f53 100755 
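Review bot: The port test in the SMTP control's new `QueryToExecute` only matches rules whose `FromPort` and `ToPort` are both exactly `'25'`, so a rule spanning 20–30 or an all-traffic rule (`IpProtocol` `-1`, where the port keys are absent) reaches port 25 without raising an alarm; the outer `WHERE` repeats the same exact-match condition. A range test such as `((p ->> 'FromPort')::int <= 25 and (p ->> 'ToPort')::int >= 25) or (p ->> 'IpProtocol') = '-1'` in all three places would close the gap. The trusted-range check `'{{.awsSmtpTrustedIpRange}}' not LIKE '%' || (r ->> 'CidrIp') || '%'` is a substring match, so `10.0.0.0/8` is accepted whenever some trusted value merely contains that text, and the parameter is spliced into a SQL literal by the template, so a value containing a quote changes the statement; validating `awsSmtpTrustedIpRange` against a CIDR-list pattern before rendering, and comparing CIDRs exactly, is worth considering.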
--- a/compliance/controls/baseline/aws/ec2/aws_unused_ami.yaml
+++ b/compliance/controls/baseline/aws/ec2/aws_unused_ami.yaml
@@ -1,60 +1,25 @@ ID: aws_unused_ami Title: "Unused AMI" Description: "Identify unused Amazon Machine Images (AMI) to help lower the cost of your monthly AWS bill." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with dlm_managed as ( - select og_resource_id from aws_ec2_ami CROSS JOIN jsonb_each(tags) where (key like 'aws:dlm%' or key = 'dlm:managed') limit 1 - ) - select - ami.name as resource, - ami.og_resource_id, - ami.og_account_id, - case - when is_aws_backup_managed then 'skip' - when ami.root_device_type <> 'ebs' then 'skip' - when i.arn is null then 'alarm' - else 'ok' - end as status, - case - when is_aws_backup_managed then name || ' is managed by aws' - when ami.root_device_type <> 'ebs' then name || ' is not stored in ebs' - when i.arn is null then ami.name || ' is unused.' - else ami.name || ' is used.' - end as reason, - case - when is_aws_backup_managed then 0 - when ami.root_device_type <> 'ebs' then 0 - when i.arn is null then (SELECT SUM((select cost from pennywise_cost_estimate AS es WHERE es.resource_type = 'aws::ec2::volumesnapshot' - AND es.resource_id = s.arn limit 1)) - FROM jsonb_array_elements(ami.block_device_mappings) AS bdm - LEFT JOIN aws_ebs_snapshot AS s ON s.snapshot_id = bdm -> 'Ebs' ->> 'SnapshotId') - else 0 - end as cost_optimization, - ami.region, - ami.account_id - from - aws_ec2_ami AS ami - LEFT JOIN aws_ec2_instance AS i ON ami.image_id = i.image_id - where - not(exists(select * from dlm_managed dl where dl.og_resource_id = ami.og_resource_id)) + QueryToExecute: "with dlm_managed as (\n select og_resource_id from aws_ec2_ami CROSS JOIN jsonb_each(tags) where (key like 'aws:dlm%' or key = 'dlm:managed') limit 1\n)\nselect\n ami.name as resource,\n ami.og_resource_id,\n ami.og_account_id,\n case\n when is_aws_backup_managed then 'skip'\n when ami.root_device_type <> 'ebs' then 'skip'\n when i.arn is null then 'alarm'\n else 'ok'\n end as status,\n case\n when is_aws_backup_managed then name || ' is 
managed by aws'\n when ami.root_device_type <> 'ebs' then name || ' is not stored in ebs'\n when i.arn is null then ami.name || ' is unused.'\n else ami.name || ' is used.'\n end as reason, \n case\n when is_aws_backup_managed then 0\n when ami.root_device_type <> 'ebs' then 0\n when i.arn is null then (SELECT SUM((select cost from pennywise_cost_estimate AS es WHERE es.resource_type = 'aws::ec2::volumesnapshot' \n AND es.resource_id = s.arn limit 1))\n FROM jsonb_array_elements(ami.block_device_mappings) AS bdm\n LEFT JOIN aws_ebs_snapshot AS s ON s.snapshot_id = bdm -> 'Ebs' ->> 'SnapshotId')\n else 0\n end as cost_optimization,\n ami.region,\n ami.account_id\nfrom\n aws_ec2_ami AS ami\n LEFT JOIN aws_ec2_instance AS i ON ami.image_id = i.image_id\nwhere \n not(exists(select * from dlm_managed dl where dl.og_resource_id = ami.og_resource_id)) \n" PrimaryTable: aws_ec2_ami ListOfTables: - - aws_backup_managed - - aws_ebs_snapshot - - aws_ec2_ami - - aws_ec2_instance + - aws_backup_managed + - aws_ebs_snapshot + - aws_ec2_ami + - aws_ec2_instance Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Orphaned Resources + - Orphaned Resources score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Orphaned Resources + - Orphaned Resources +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unused_aws_ec2_key_pairs.yaml b/compliance/controls/baseline/aws/ec2/aws_unused_aws_ec2_key_pairs.yaml index 83f447dfa..a8a3f75e4 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unused_aws_ec2_key_pairs.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unused_aws_ec2_key_pairs.yaml @@ -1,8 +1,6 @@ ID: aws_unused_aws_ec2_key_pairs Title: "Unused AWS EC2 Key Pairs" Description: "Ensure unused AWS EC2 key pairs are decommissioned to follow AWS security best practices." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
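Review bot: The `dlm_managed` CTE in the unused-AMI control's new `QueryToExecute` ends with `limit 1`, so at most one DLM-managed AMI is excluded and every other DLM-managed image falls through to the `alarm` and cost branches; dropping `limit 1` (and using `select distinct og_resource_id`) lets the `not(exists(...))` filter cover all of them. `ListOfTables` also disagrees with the query: it names `aws_backup_managed`, which the SQL never reads (`is_aws_backup_managed` appears to be read as a column of `aws_ec2_ami`), and omits `pennywise_cost_estimate`, which the cost subquery does read. The bare `name` in the first two `reason` branches is unqualified while the others use `ami.name`; if `aws_ec2_instance` also exposes a `name` column this becomes an ambiguous reference, so `ami.name` throughout is safer.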
@@ -25,16 +23,18 @@ Query: LEFT JOIN aws_ec2_instance AS i ON k.key_name = i.key_name PrimaryTable: aws_ec2_key_pair ListOfTables: - - aws_ec2_instance - - aws_ec2_key_pair + - aws_ec2_instance + - aws_ec2_key_pair Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Missing Tags + - Missing Tags score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Missing Tags + - Missing Tags +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ec2/aws_unused_elastic_network_interfaces.yaml b/compliance/controls/baseline/aws/ec2/aws_unused_elastic_network_interfaces.yaml index c20b40d85..425fc5624 100755 --- a/compliance/controls/baseline/aws/ec2/aws_unused_elastic_network_interfaces.yaml +++ b/compliance/controls/baseline/aws/ec2/aws_unused_elastic_network_interfaces.yaml 
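Review bot: The use-case tags the unused-key-pair control carries on the new side, `platform_score_use_case: - Missing Tags` and `score_tags: - Missing Tags`, do not describe a control that flags key pairs with no instance attached; the sibling unused-AMI and unused-ENI sections use `Orphaned Resources` and `Under Utilization`, which look like the intended categories. The same mismatch appears in the ECS placement-strategy, agent-version, Fargate-version and task-log-driver sections (tagged `Exposed Endpoints`) and in every EKS section here, where endpoint public access, node-group IAM policies, security groups, CloudTrail logging, envelope encryption and cluster logging are all tagged `Lacking High Availability`. If these values drive scoring dashboards, the categories should be reviewed before the re-indented lines are merged.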
@@ -1,38 +1,22 @@ ID: aws_unused_elastic_network_interfaces Title: "Unused Elastic Network Interfaces" Description: "Identify and delete any unused Elastic Network Interfaces" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - network_interface_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN status = 'available' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN status = 'available' THEN network_interface_id || ' is unused and can be safely removed' - ELSE network_interface_id || ' is used.' - END AS reason, - region, - account_id - FROM - aws_ec2_network_interface + QueryToExecute: "SELECT \n network_interface_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN status = 'available' THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN status = 'available' THEN network_interface_id || ' is unused and can be safely removed' \n ELSE network_interface_id || ' is used.'\n END AS reason,\n region,\n account_id\nFROM \n aws_ec2_network_interface\n" PrimaryTable: aws_ec2_network_interface ListOfTables: - - aws_ec2_network_interface + - aws_ec2_network_interface Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS EC2 + - AWS EC2 platform_score_use_case: - - Under Utilization + - Under Utilization score_service_name: - - AWS EC2 + - AWS EC2 score_tags: - - Under Utilization + - Under Utilization +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ecr/aws_ecr_repository_exposed.yaml b/compliance/controls/baseline/aws/ecr/aws_ecr_repository_exposed.yaml index 04b3c270f..d805a4638 100755 --- a/compliance/controls/baseline/aws/ecr/aws_ecr_repository_exposed.yaml +++ b/compliance/controls/baseline/aws/ecr/aws_ecr_repository_exposed.yaml 
@@ -1,8 +1,6 @@ ID: aws_ecr_repository_exposed Title: "ECR Repository Exposed" Description: "Ensure that AWS Elastic Container Registry (ECR) repositories are not exposed to everyone." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -32,11 +30,13 @@ Query: aws_ecr_repository PrimaryTable: aws_ecr_repository ListOfTables: - - aws_ecr_repository + - aws_ecr_repository Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Elastic Container Registry (ECR) + - Elastic Container Registry (ECR) score_service_name: - - Elastic Container Registry (ECR) + - Elastic Container Registry (ECR) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ecr/aws_enable_cross_region_replication.yaml b/compliance/controls/baseline/aws/ecr/aws_enable_cross_region_replication.yaml index e22f14432..f893ff9c8 100755 --- a/compliance/controls/baseline/aws/ecr/aws_enable_cross_region_replication.yaml +++ b/compliance/controls/baseline/aws/ecr/aws_enable_cross_region_replication.yaml @@ -1,8 +1,6 @@ ID: aws_enable_cross_region_replication Title: "Enable Cross-Region Replication" Description: "Ensure that Cross-Region Replication feature is enabled for your Amazon ECR container images." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -38,11 +36,13 @@ Query: aws_ecr_registry PrimaryTable: aws_ecr_registry ListOfTables: - - aws_ecr_registry + - aws_ecr_registry Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Elastic Container Registry (ECR) + - Elastic Container Registry (ECR) score_service_name: - - Elastic Container Registry (ECR) + - Elastic Container Registry (ECR) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ecr/aws_enable_scan_on_push_for_ecr_container_images.yaml b/compliance/controls/baseline/aws/ecr/aws_enable_scan_on_push_for_ecr_container_images.yaml index 641f23e3c..51ded1d6b 100755 
--- a/compliance/controls/baseline/aws/ecr/aws_enable_scan_on_push_for_ecr_container_images.yaml +++ b/compliance/controls/baseline/aws/ecr/aws_enable_scan_on_push_for_ecr_container_images.yaml @@ -1,8 +1,6 @@ ID: aws_enable_scan_on_push_for_ecr_container_images Title: "Enable Scan on Push for ECR Container Images" Description: "Ensure that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,11 +22,13 @@ Query: aws_ecr_repository PrimaryTable: aws_ecr_repository ListOfTables: - - aws_ecr_repository + - aws_ecr_repository Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Elastic Container Registry (ECR) + - Elastic Container Registry (ECR) score_service_name: - - Elastic Container Registry (ECR) + - Elastic Container Registry (ECR) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ecr/aws_lifecycle_policy_in_use.yaml b/compliance/controls/baseline/aws/ecr/aws_lifecycle_policy_in_use.yaml index 1f9b6fb24..1fce943f9 100755 --- a/compliance/controls/baseline/aws/ecr/aws_lifecycle_policy_in_use.yaml +++ b/compliance/controls/baseline/aws/ecr/aws_lifecycle_policy_in_use.yaml @@ -1,8 +1,6 @@ ID: aws_lifecycle_policy_in_use Title: "Lifecycle Policy in Use" Description: "Ensure that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -18,7 +16,7 @@ Query: and (r -> 'selection' ->> 'countType' = 'sinceImagePushed') ) ) - + select r.repository_name as resource, og_resource_id, 
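Review bot: The `Description` of the `aws_lifecycle_policy_in_use` control (`Ensure that each Amazon ECR container image is automatically scanned for vulnerabilities when pushed to a repository.`) is the scan-on-push text copied verbatim and says nothing about lifecycle policies, although the query's `repo_with_policy` CTE appears to test lifecycle rules with `countType = 'sinceImagePushed'`. Something like `Ensure that each Amazon ECR repository has a lifecycle policy that expires images by age.` would match the check; the rest of the query lies outside the visible hunks, so the exact rule semantics should be confirmed against it.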
@@ -38,11 +36,13 @@ Query: left join repo_with_policy as p on r.repository_name = p.repository_name PrimaryTable: aws_ecr_repository ListOfTables: - - aws_ecr_repository + - aws_ecr_repository Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - Elastic Container Registry (ECR) + - Elastic Container Registry (ECR) score_service_name: - - Elastic Container Registry (ECR) + - Elastic Container Registry (ECR) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ecs/aws_check_for_amazon_ecs_service_placement_strategy.yaml b/compliance/controls/baseline/aws/ecs/aws_check_for_amazon_ecs_service_placement_strategy.yaml index 56e5b9e46..0886df1f0 100755 --- a/compliance/controls/baseline/aws/ecs/aws_check_for_amazon_ecs_service_placement_strategy.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_check_for_amazon_ecs_service_placement_strategy.yaml @@ -1,8 +1,6 @@ ID: aws_check_for_amazon_ecs_service_placement_strategy Title: "Check for Amazon ECS Service Placement Strategy" Description: "Ensure that your Amazon ECS cluster services are using optimal placement strategies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_ecs_service PrimaryTable: aws_ecs_service ListOfTables: - - aws_ecs_service + - aws_ecs_service Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ecs/aws_check_for_ecs_container_instance_agent_version.yaml b/compliance/controls/baseline/aws/ecs/aws_check_for_ecs_container_instance_agent_version.yaml index edc873e2f..60da4946a 100755 
--- a/compliance/controls/baseline/aws/ecs/aws_check_for_ecs_container_instance_agent_version.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_check_for_ecs_container_instance_agent_version.yaml @@ -1,8 +1,6 @@ ID: aws_check_for_ecs_container_instance_agent_version Title: "Check for ECS Container Instance Agent Version" Description: "Ensure that your Amazon ECS instances are using the latest ECS container agent version." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,17 +22,19 @@ Query: aws_ecs_container_instance PrimaryTable: aws_ecs_container_instance ListOfTables: - - aws_ecs_container_instance + - aws_ecs_container_instance Parameters: - Key: awsEcsContainerInstanceAgentVersion Required: true Severity: medium Tags: platform_score_cloud_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ecs/aws_check_for_fargate_platform_version.yaml b/compliance/controls/baseline/aws/ecs/aws_check_for_fargate_platform_version.yaml index fe1c02598..83d15a7cc 100755 --- a/compliance/controls/baseline/aws/ecs/aws_check_for_fargate_platform_version.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_check_for_fargate_platform_version.yaml @@ -1,8 +1,6 @@ ID: aws_check_for_fargate_platform_version Title: "Check for Fargate Platform Version" Description: "Ensure that your Amazon ECS cluster services are using the latest Fargate platform version." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -24,17 +22,19 @@ Query: aws_ecs_service PrimaryTable: aws_ecs_service ListOfTables: - - aws_ecs_service + - aws_ecs_service Parameters: - Key: awsEcsServicePlatformVersion Required: true Severity: medium Tags: platform_score_cloud_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ecs/aws_ecs_task_log_driver_in_use.yaml b/compliance/controls/baseline/aws/ecs/aws_ecs_task_log_driver_in_use.yaml index 950b9d1e3..6f67918d4 100755 --- a/compliance/controls/baseline/aws/ecs/aws_ecs_task_log_driver_in_use.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_ecs_task_log_driver_in_use.yaml @@ -1,8 +1,6 @@ ID: aws_ecs_task_log_driver_in_use Title: "Amazon ECS Task Log Driver in Use" Description: "Ensure that a log driver has been defined for each active Amazon ECS task definition." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,15 +23,17 @@ Query: jsonb_array_elements(container_definitions) as c PrimaryTable: aws_ecs_task_definition ListOfTables: - - aws_ecs_task_definition + - aws_ecs_task_definition Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/ecs/aws_enable_cloudwatch_container_insights.yaml b/compliance/controls/baseline/aws/ecs/aws_enable_cloudwatch_container_insights.yaml index f6c135520..b44d724db 100755 
--- a/compliance/controls/baseline/aws/ecs/aws_enable_cloudwatch_container_insights.yaml +++ b/compliance/controls/baseline/aws/ecs/aws_enable_cloudwatch_container_insights.yaml @@ -1,8 +1,6 @@ ID: aws_enable_cloudwatch_container_insights Title: "Enable CloudWatch Container Insights" Description: "Ensure that CloudWatch Container Insights feature is enabled for your AWS ECS clusters." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -32,11 +30,13 @@ Query: aws_ecs_cluster PrimaryTable: aws_ecs_cluster ListOfTables: - - aws_ecs_cluster + - aws_ecs_cluster Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) score_service_name: - - Elastic Container Service (ECS) + - Elastic Container Service (ECS) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/efs/aws_efs_encryption_enabled.yaml b/compliance/controls/baseline/aws/efs/aws_efs_encryption_enabled.yaml index 9f6ed9f64..dc2a043e5 100755 --- a/compliance/controls/baseline/aws/efs/aws_efs_encryption_enabled.yaml +++ b/compliance/controls/baseline/aws/efs/aws_efs_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_efs_encryption_enabled Title: "EFS Encryption Enabled" Description: "Ensure encryption is enabled for AWS EFS file systems to protect your data at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_efs_file_system PrimaryTable: aws_efs_file_system ListOfTables: - - aws_efs_file_system + - aws_efs_file_system Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Amazon Elastic File System (EFS) + - Amazon Elastic File System (EFS) platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - Amazon Elastic File System (EFS) + - Amazon Elastic File System (EFS) score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/efs/aws_kms_customer_master_keys_for_efs_encryption.yaml b/compliance/controls/baseline/aws/efs/aws_kms_customer_master_keys_for_efs_encryption.yaml index 7a4a8a963..376d09473 100755 --- a/compliance/controls/baseline/aws/efs/aws_kms_customer_master_keys_for_efs_encryption.yaml +++ b/compliance/controls/baseline/aws/efs/aws_kms_customer_master_keys_for_efs_encryption.yaml @@ -1,8 +1,6 @@ ID: aws_kms_customer_master_keys_for_efs_encryption Title: "AWS KMS Customer Master Keys for EFS Encryption" Description: "Ensure EFS file systems are encrypted with KMS Customer Master Keys (CMKs) in order to have full control over data encryption and decryption." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -27,16 +25,18 @@ Query: left join aws_kms_key as k on fs.kms_key_id = k.arn PrimaryTable: aws_efs_file_system ListOfTables: - - aws_efs_file_system - - aws_kms_key + - aws_efs_file_system + - aws_kms_key Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Amazon Elastic File System (EFS) + - Amazon Elastic File System (EFS) platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - Amazon Elastic File System (EFS) + - Amazon Elastic File System (EFS) score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_disable_remote_access_to_eks_cluster_node_groups.yaml b/compliance/controls/baseline/aws/eks/aws_disable_remote_access_to_eks_cluster_node_groups.yaml index e1b08c1dd..69d0c22dc 100755 --- a/compliance/controls/baseline/aws/eks/aws_disable_remote_access_to_eks_cluster_node_groups.yaml +++ b/compliance/controls/baseline/aws/eks/aws_disable_remote_access_to_eks_cluster_node_groups.yaml 
@@ -1,8 +1,6 @@ ID: aws_disable_remote_access_to_eks_cluster_node_groups Title: "Disable Remote Access to EKS Cluster Node Groups" Description: "Ensure that remote access to EKS cluster node groups is disabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_eks_node_group; PrimaryTable: aws_eks_node_group ListOfTables: - - aws_eks_node_group + - aws_eks_node_group Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_eks_cluster_endpoint_public_access.yaml b/compliance/controls/baseline/aws/eks/aws_eks_cluster_endpoint_public_access.yaml index b8f4a5195..9826f04ce 100755 --- a/compliance/controls/baseline/aws/eks/aws_eks_cluster_endpoint_public_access.yaml +++ b/compliance/controls/baseline/aws/eks/aws_eks_cluster_endpoint_public_access.yaml @@ -1,8 +1,6 @@ ID: aws_eks_cluster_endpoint_public_access Title: "EKS Cluster Endpoint Public Access" Description: "Ensure that AWS EKS cluster endpoint access isn't public and prone to security risks." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -26,15 +24,17 @@ Query: aws_eks_cluster; PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_eks_cluster_node_group_iam_role_policies.yaml b/compliance/controls/baseline/aws/eks/aws_eks_cluster_node_group_iam_role_policies.yaml index ba39a3d07..bfb9d43b7 100755 --- a/compliance/controls/baseline/aws/eks/aws_eks_cluster_node_group_iam_role_policies.yaml +++ b/compliance/controls/baseline/aws/eks/aws_eks_cluster_node_group_iam_role_policies.yaml 
@@ -1,50 +1,23 @@ ID: aws_eks_cluster_node_group_iam_role_policies Title: "EKS Cluster Node Group IAM Role Policies" Description: "Ensure that EKS Cluster node groups are using appropriate permissions." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - ng.nodegroup_name as resource, - ng.og_account_id, - ng.og_resource_id, - case - when exists( - select 1 - from jsonb_array_elements_text(attached_policy_arns) as p - where p <> 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' and p <> 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy' - ) then 'alarm' - when r.inline_policies is not null then 'alarm' - else 'ok' - end as status, - case - when exists( - select 1 - from jsonb_array_elements_text(attached_policy_arns) as p - where p <> 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' and p <> 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy' - ) then 'permissions configured for IAM role are too permissive' - when r.inline_policies is not null then 'permissions configured for IAM role are too permissive' - else 'permissions configured for IAM role are not too permissive' - end as reason, - ng.region, - ng.account_id - from - aws_eks_node_group as ng - left join aws_iam_role as r on r.arn = ng.node_role + QueryToExecute: "select\n ng.nodegroup_name as resource,\n ng.og_account_id,\n ng.og_resource_id,\n case\n when exists(\n select 1\n from jsonb_array_elements_text(attached_policy_arns) as p \n where p <> 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' and p <> 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy'\n ) then 'alarm'\n when r.inline_policies is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when exists(\n select 1\n from jsonb_array_elements_text(attached_policy_arns) as p \n where p <> 'arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly' and p <> 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy'\n ) then 'permissions configured for IAM role are too permissive'\n 
when r.inline_policies is not null then 'permissions configured for IAM role are too permissive'\n else 'permissions configured for IAM role are not too permissive'\n end as reason,\n ng.region,\n ng.account_id\nfrom\n aws_eks_node_group as ng\n left join aws_iam_role as r on r.arn = ng.node_role\n" PrimaryTable: aws_eks_node_group ListOfTables: - - aws_eks_node_group - - aws_iam_role + - aws_eks_node_group + - aws_iam_role Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_eks_security_groups.yaml b/compliance/controls/baseline/aws/eks/aws_eks_security_groups.yaml index e22551d0a..8fc8a724b 100755 --- a/compliance/controls/baseline/aws/eks/aws_eks_security_groups.yaml +++ b/compliance/controls/baseline/aws/eks/aws_eks_security_groups.yaml 
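Review bot: The managed-policy allow-list in the EKS node-group IAM control's new `QueryToExecute` admits only `AmazonEC2ContainerRegistryReadOnly` and `AmazonEKSWorkerNodePolicy`, yet `AmazonEKS_CNI_Policy` is part of the node role AWS documents for managed node groups, so every conventionally configured node group will report `permissions configured for IAM role are too permissive`; adding `and p <> 'arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'` to both `where` clauses (or making the allow-list a parameter) is needed before this can stand at severity `high`. The `left join aws_iam_role` also means a node role that is not found yields `ok`, because both `exists(...)` and `r.inline_policies is not null` are false on a null row; a `when r.arn is null then 'alarm'` (or `'skip'`) branch would keep an unknown role from passing silently. `attached_policy_arns` is unqualified in both subqueries and, presumably coming from `r`, should be written `r.attached_policy_arns` for clarity.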
@@ -1,49 +1,23 @@ ID: aws_eks_security_groups Title: "EKS Security Groups" Description: "Ensure that AWS EKS security groups are configured to allow incoming traffic only on TCP port 443." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - c.name as resource, - c.og_account_id, - c.og_resource_id, - case - when exists( - select 1 - from jsonb_array_elements(ip_permissions) as ips - where (ips ->> 'FromPort' <> '443') and (ips ->> 'ToPort' <> '443') - ) then 'alarm' - else 'ok' - end as status, - case - when exists( - select 1 - from jsonb_array_elements(ip_permissions) as ips - where (ips ->> 'FromPort' <> '443') and (ips ->> 'ToPort' <> '443') - ) then name || ' Amazon EKS security group is not compliant (allow access on ports different than TCP port 443 (HTTPS))' - else name || ' Amazon EKS security group is compliant' - end as reason, - c.region, - c.account_id - from - aws_eks_cluster as c - cross join jsonb_array_elements_text(resources_vpc_config -> 'SecurityGroupIds') as sg_id - left join aws_vpc_security_group as sg on sg.group_id = sg_id + QueryToExecute: "select\n c.name as resource,\n c.og_account_id,\n c.og_resource_id,\n case\n when exists(\n select 1\n from jsonb_array_elements(ip_permissions) as ips \n where (ips ->> 'FromPort' <> '443') and (ips ->> 'ToPort' <> '443')\n ) then 'alarm'\n else 'ok'\n end as status,\n case\n when exists(\n select 1\n from jsonb_array_elements(ip_permissions) as ips \n where (ips ->> 'FromPort' <> '443') and (ips ->> 'ToPort' <> '443')\n ) then name || ' Amazon EKS security group is not compliant (allow access on ports different than TCP port 443 (HTTPS))'\n else name || ' Amazon EKS security group is compliant'\n end as reason,\n c.region,\n c.account_id\nfrom\n aws_eks_cluster as c\n cross join jsonb_array_elements_text(resources_vpc_config -> 'SecurityGroupIds') as sg_id\n left join aws_vpc_security_group as sg on sg.group_id = sg_id\n" PrimaryTable: aws_eks_cluster ListOfTables: - - 
aws_eks_cluster - - aws_vpc_security_group + - aws_eks_cluster + - aws_vpc_security_group Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_enable_cloudtrail_logging_for_kubernetes_api_calls.yaml b/compliance/controls/baseline/aws/eks/aws_enable_cloudtrail_logging_for_kubernetes_api_calls.yaml index 317f19bb8..f06513025 100755 --- a/compliance/controls/baseline/aws/eks/aws_enable_cloudtrail_logging_for_kubernetes_api_calls.yaml +++ b/compliance/controls/baseline/aws/eks/aws_enable_cloudtrail_logging_for_kubernetes_api_calls.yaml @@ -1,8 +1,6 @@ ID: aws_enable_cloudtrail_logging_for_kubernetes_api_calls Title: "Enable CloudTrail Logging for Kubernetes API Calls" Description: "Ensure that all Kubernetes API calls are logged using Amazon CloudTrail." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -32,16 +30,18 @@ Query: aws_account as a PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_cloudtrail_trail + - aws_account + - aws_cloudtrail_trail Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud 
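Review bot: The condition in the EKS security-group control's new `QueryToExecute`, `(ips ->> 'FromPort' <> '443') and (ips ->> 'ToPort' <> '443')`, is inverted for the stated intent: a rule 443–8443 has `FromPort = '443'`, so the `and` lets it pass although it admits ports above 443, and an all-traffic rule (`IpProtocol` `-1`) has no port keys, so `NULL <> '443'` is unknown and the rule is never flagged. Using `coalesce(ips ->> 'FromPort', '') <> '443' or coalesce(ips ->> 'ToPort', '') <> '443'` in both branches, and also testing `ips ->> 'IpProtocol' = 'tcp'` since the Description promises TCP 443 only, would match the control's purpose. The `cross join` over `SecurityGroupIds` also emits one row per security group while `resource` is the cluster name, so a cluster with several groups appears several times with possibly conflicting statuses; evaluating one `exists` over all of a cluster's groups would give a single verdict per cluster.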
diff --git a/compliance/controls/baseline/aws/eks/aws_enable_envelope_encryption_for_eks_kubernetes_secrets.yaml b/compliance/controls/baseline/aws/eks/aws_enable_envelope_encryption_for_eks_kubernetes_secrets.yaml index 3d7838ed4..1768c598f 100755 --- a/compliance/controls/baseline/aws/eks/aws_enable_envelope_encryption_for_eks_kubernetes_secrets.yaml +++ b/compliance/controls/baseline/aws/eks/aws_enable_envelope_encryption_for_eks_kubernetes_secrets.yaml @@ -1,8 +1,6 @@ ID: aws_enable_envelope_encryption_for_eks_kubernetes_secrets Title: "Enable Envelope Encryption for EKS Kubernetes Secrets" Description: "Ensure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -32,15 +30,17 @@ Query: aws_eks_cluster; PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_logging.yaml b/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_logging.yaml index 19f7e450b..01dff340c 100755 --- a/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_logging.yaml +++ b/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_logging.yaml @@ -1,8 +1,6 @@ ID: aws_kubernetes_cluster_logging Title: "Kubernetes Cluster Logging" Description: "Ensure that EKS control plane logging is enabled for your Amazon EKS clusters." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -32,15 +30,17 @@ Query: aws_eks_cluster; PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_version.yaml b/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_version.yaml index e4b254890..a5d04efaf 100755 --- a/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_version.yaml +++ b/compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_version.yaml @@ -1,8 +1,6 @@ ID: aws_kubernetes_cluster_version Title: "Kubernetes Cluster Version" Description: "Ensure that the latest version of Kubernetes is installed on your Amazon EKS clusters." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |+ @@ -25,17 +23,19 @@ Query: PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster + - aws_eks_cluster Parameters: - Key: awsEksClusterLatestVersion Required: true Severity: low Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_access_amazon_ecr_repositories.yaml b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_access_amazon_ecr_repositories.yaml index 3f7ae684f..45e01b63d 100755 --- a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_access_amazon_ecr_repositories.yaml +++ b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_access_amazon_ecr_repositories.yaml @@ -1,8 +1,6 @@ ID: aws_use_aws_managed_policy_to_access_amazon_ecr_repositories Title: "Use AWS-managed policy to access Amazon ECR Repositories" Description: "Ensure that EKS cluster node groups implement the \"AmazonEC2ContainerRegistryReadOnly\" managed policy." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,16 +23,18 @@ Query: left join aws_iam_role as r on r.arn = ng.node_role PrimaryTable: aws_eks_node_group ListOfTables: - - aws_eks_node_group - - aws_iam_role + - aws_eks_node_group + - aws_iam_role Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_aws_resources.yaml b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_aws_resources.yaml index e6c83cc88..20f4fa8b1 100755 --- a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_aws_resources.yaml +++ b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_aws_resources.yaml 
@@ -1,8 +1,6 @@ ID: aws_use_aws_managed_policy_to_manage_aws_resources Title: "Use AWS-managed policy to manage AWS resources" Description: "Ensure that Amazon EKS clusters implement the \"AmazonEKSClusterPolicy\" managed policy." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,16 +23,18 @@ Query: left join aws_iam_role as r on r.arn = ng.node_role PrimaryTable: aws_eks_node_group ListOfTables: - - aws_eks_node_group - - aws_iam_role + - aws_eks_node_group + - aws_iam_role Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_networking_resources.yaml b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_networking_resources.yaml index 983f519ae..ce6476f39 100755 --- a/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_networking_resources.yaml +++ b/compliance/controls/baseline/aws/eks/aws_use_aws_managed_policy_to_manage_networking_resources.yaml @@ -1,8 +1,6 @@ ID: aws_use_aws_managed_policy_to_manage_networking_resources Title: "Use AWS-managed policy to Manage Networking Resources" Description: "Ensure that EKS cluster node groups implement the \"AmazonEKS_CNI_Policy\" managed policy." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
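Review bot: The join `left join aws_iam_role as r on r.arn = ng.node_role` evaluates the node group's instance role, but the Description asks whether the *cluster* implements `AmazonEKSClusterPolicy`, which in EKS is attached to the cluster service role, not to worker-node roles; the node-role join is identical to the sibling ECR and CNI controls, so this one looks copy-pasted. As written it will flag node groups whose role lacks a policy that does not belong on nodes and never inspects the cluster role at all. Consider `PrimaryTable: aws_eks_cluster` with the role join moved to the cluster's role ARN, e.g. `left join aws_iam_role as r on r.arn = c.role_arn` (the exact column name on `aws_eks_cluster` should be confirmed against the schema), and `ListOfTables` updated to match. The attached-policy comparison itself is outside the visible hunk.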
@@ -25,16 +23,18 @@ Query: left join aws_iam_role as r on r.arn = ng.node_role PrimaryTable: aws_eks_node_group ListOfTables: - - aws_eks_node_group - - aws_iam_role + - aws_eks_node_group + - aws_iam_role Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/eks/aws_use_oidc_provider_for_authenticating_kubernetes_api_calls.yaml b/compliance/controls/baseline/aws/eks/aws_use_oidc_provider_for_authenticating_kubernetes_api_calls.yaml index fc4f751f3..43562089a 100755 --- a/compliance/controls/baseline/aws/eks/aws_use_oidc_provider_for_authenticating_kubernetes_api_calls.yaml +++ b/compliance/controls/baseline/aws/eks/aws_use_oidc_provider_for_authenticating_kubernetes_api_calls.yaml @@ -1,8 +1,6 @@ ID: aws_use_oidc_provider_for_authenticating_kubernetes_api_calls Title: "Use OIDC Provider for Authenticating Kubernetes API Calls" Description: "Ensure that Amazon EKS clusters are using an OpenID Connect (OIDC) provider." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -25,16 +23,18 @@ Query: left join aws_iam_open_id_connect_provider as oidc on 'https://' || oidc.url = c.identity -> 'Oidc' ->> 'Issuer' PrimaryTable: aws_eks_cluster ListOfTables: - - aws_eks_cluster - - aws_iam_open_id_connect_provider + - aws_eks_cluster + - aws_iam_open_id_connect_provider Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Kubernetes Service (EKS) + - AWS Elastic Kubernetes Service (EKS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/fsx/aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems.yaml b/compliance/controls/baseline/aws/fsx/aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems.yaml index e272fbbd7..7a797487f 100755 --- a/compliance/controls/baseline/aws/fsx/aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems.yaml +++ b/compliance/controls/baseline/aws/fsx/aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems.yaml @@ -1,8 +1,6 @@ ID: aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems Title: "Use KMS Customer Master Keys for FSx Windows File Server File Systems" Description: "Ensure AWS FSx for Windows File Server file systems data is encrypted using AWS KMS CMKs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -27,16 +25,18 @@ Query: left join aws_kms_key as k on v.kms_key_id = k.arn PrimaryTable: aws_fsx_file_system ListOfTables: - - aws_fsx_file_system - - aws_kms_key + - aws_fsx_file_system + - aws_kms_key Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS Elastic Block Store (EBS) + - AWS Elastic Block Store (EBS) score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_configure_http_desync_mitigation_mode_for_application_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_configure_http_desync_mitigation_mode_for_application_load_balancers.yaml index 8a7025b89..d1ba6552d 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_configure_http_desync_mitigation_mode_for_application_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_configure_http_desync_mitigation_mode_for_application_load_balancers.yaml @@ -1,8 +1,6 @@ ID: aws_configure_http_desync_mitigation_mode_for_application_load_balancers Title: "Configure HTTP Desync Mitigation Mode for Application Load Balancers" Description: "Ensure that the suitable Desync Mitigation mode is configured for your Application Load Balancers." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
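Review bot: The tags re-indented here label an FSx control (`PrimaryTable: aws_fsx_file_system`) with `AWS Elastic Block Store (EBS)` for both `platform_score_cloud_service_name` and `score_service_name`, so anyone filtering findings by service will file an FSx encryption gap under EBS. Suggest `- Amazon FSx` (or whatever canonical name the catalog uses for FSx) for both keys; `Unencrypted Storage` as the use-case is appropriate and can stay. The KMS-key join suggests the query distinguishes customer-managed from AWS-managed keys, but the predicate is outside the hunk.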
@@ -33,15 +31,17 @@ Query: left join app_lb_desync_mitigation_mode as m on a.arn = m.arn; PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_configure_multiple_availability_zones_for_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_configure_multiple_availability_zones_for_load_balancers.yaml index 079337229..f2c0805c0 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_configure_multiple_availability_zones_for_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_configure_multiple_availability_zones_for_load_balancers.yaml @@ -1,8 +1,6 @@ ID: aws_configure_multiple_availability_zones_for_load_balancers Title: "Configure Multiple Availability Zones for Load Balancers" Description: "Ensure that Amazon Gateway Load Balancers are using Multi-AZ configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -49,17 +47,19 @@ Query: aws_ec2_gateway_load_balancer; PrimaryTable: "" ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_gateway_load_balancer - - aws_ec2_network_load_balancer + - aws_ec2_application_load_balancer + - aws_ec2_gateway_load_balancer + - aws_ec2_network_load_balancer Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elb_access_log.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elb_access_log.yaml index 677ff4e20..3e8e2af42 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elb_access_log.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elb_access_log.yaml @@ -1,8 +1,6 @@ ID: aws_elb_access_log Title: "ELB Access Log" Description: "Ensure ELB access logging is enabled for security, troubleshooting, and statistical analysis purposes" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,11 +22,13 @@ Query: aws_ec2_classic_load_balancer a PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing (ELB) + - AWS Elastic Load Balancing (ELB) score_service_name: - - AWS Elastic Load Balancing (ELB) + - AWS Elastic Load Balancing (ELB) +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elb_connection_draining_enabled.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elb_connection_draining_enabled.yaml index 0b8b21f41..c977a5cef 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elb_connection_draining_enabled.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elb_connection_draining_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_elb_connection_draining_enabled Title: "ELB Connection Draining Enabled" Description: "Ensure ELB access logging is enabled for security, troubleshooting, and statistical analysis purposes" -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,11 +22,13 @@ Query: aws_ec2_classic_load_balancer a PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing (ELB) + - AWS Elastic Load Balancing (ELB) score_service_name: - - AWS Elastic Load Balancing (ELB) + - AWS Elastic Load Balancing (ELB) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elb_cross_zone_load_balancing_enabled.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elb_cross_zone_load_balancing_enabled.yaml index 029173699..881286dfc 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elb_cross_zone_load_balancing_enabled.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elb_cross_zone_load_balancing_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_elb_cross_zone_load_balancing_enabled Title: "ELB Cross-Zone Load Balancing Enabled" Description: "Ensure Cross-Zone Load Balancing is enabled for all load balancers. Also select at least two subnets in different availability zones to provide higher availability." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
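Review bot: The Description on `aws_elb_connection_draining_enabled` is the access-logging sentence copied from `aws_elb_access_log` (`Ensure ELB access logging is enabled for security, troubleshooting, and statistical analysis purposes`), so the finding this control raises is explained with the wrong remediation. Suggest `Description: "Ensure Connection Draining is enabled on Classic Load Balancers so in-flight requests complete before a deregistering or unhealthy instance is removed."`. The query body that evaluates draining sits outside the visible hunks, so I cannot confirm the check matches the title.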
@@ -24,11 +22,13 @@ Query: aws_ec2_classic_load_balancer a PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing (ELB) + - AWS Elastic Load Balancing (ELB) score_service_name: - - AWS Elastic Load Balancing (ELB) + - AWS Elastic Load Balancing (ELB) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elb_insecure_ssl_protocols.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elb_insecure_ssl_protocols.yaml index 9168f5477..8af4aa14d 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elb_insecure_ssl_protocols.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elb_insecure_ssl_protocols.yaml @@ -1,8 +1,6 @@ ID: aws_elb_insecure_ssl_protocols Title: "ELB Insecure SSL Protocols" Description: "Ensure ELBs don't use insecure SSL protocols." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -37,15 +35,17 @@ Query: left join detailed_classic_listeners as b on a.name = b.name; PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Unencrypted Traffic + - Unencrypted Traffic +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_access_log.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_access_log.yaml index 4d6fd6af6..2ade1d905 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_access_log.yaml 
+++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_access_log.yaml @@ -1,8 +1,6 @@ ID: aws_elbv2_access_log Title: "ELBv2 Access Log" Description: "Ensure that Amazon ALBs have Access Logging feature enabled for security, troubleshooting and statistical analysis purposes." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -27,11 +25,13 @@ Query: lb ->> 'Key' = 'access_logs.s3.enabled' PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_listener_security.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_listener_security.yaml index 6b31b63f3..6431aea16 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_listener_security.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_listener_security.yaml 
@@ -1,42 +1,23 @@ ID: aws_elbv2_alb_listener_security Title: "ELBv2 ALB Listener Security" Description: "Ensure ELBv2 ALBs are using a secure protocol." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - al.arn AS resource, - al.og_resource_id, - al.og_account_id, - CASE - WHEN STRING_AGG(ll.protocol, ',') ILIKE '%HTTPS%' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN STRING_AGG(ll.protocol, ',') ILIKE '%HTTPS%' THEN 'alb is using a secure protocol' - ELSE 'alb is not using a secure protocol' - END AS reason, - al.region, - al.account_id - FROM - aws_ec2_application_load_balancer al - LEFT JOIN aws_ec2_load_balancer_listener ll ON al.arn = ll.load_balancer_arn - GROUP BY - al.arn, al.og_resource_id, al.og_account_id, al.title, al.region, al.account_id; + QueryToExecute: "SELECT \n al.arn AS resource,\n al.og_resource_id,\n al.og_account_id,\n CASE\n WHEN STRING_AGG(ll.protocol, ',') ILIKE '%HTTPS%' THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN STRING_AGG(ll.protocol, ',') ILIKE '%HTTPS%' THEN 'alb is using a secure protocol'\n ELSE 'alb is not using a secure protocol'\n END AS reason,\n al.region,\n al.account_id\nFROM \n aws_ec2_application_load_balancer al\nLEFT JOIN aws_ec2_load_balancer_listener ll ON al.arn = ll.load_balancer_arn\nGROUP BY \n al.arn, al.og_resource_id, al.og_account_id, al.title, al.region, al.account_id;\n" PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_load_balancer_listener + - aws_ec2_application_load_balancer + - aws_ec2_load_balancer_listener Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Unencrypted Traffic + - Unencrypted Traffic 
+IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_minimum_number_of_ec2_target_instances.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_minimum_number_of_ec2_target_instances.yaml index 022b0fc3a..40b165d11 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_minimum_number_of_ec2_target_instances.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_minimum_number_of_ec2_target_instances.yaml 
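Review bot: The listener check marks an ALB `ok` whenever the aggregated listener protocols contain `HTTPS`, so a load balancer with an HTTPS listener on 443 and a plain HTTP listener on 80 that forwards to targets is reported as `alb is using a secure protocol`, which is exactly the unencrypted path this control exists to catch. A stricter condition alarms when any listener is not HTTPS, e.g. `WHEN COUNT(ll.protocol) > 0 AND BOOL_AND(ll.protocol ILIKE 'HTTPS') THEN 'ok'` (HTTP listeners whose only default action is a redirect to HTTPS would need an exception based on the listener's actions, which this query does not select). Separately, the rewrite replaces the `|` block scalar with a single double-quoted line full of `\n` escapes; the block-scalar form was the readable one and both yamllint and Prettier prefer it. Also `al.title` appears in `GROUP BY` but not in the select list, which is harmless but looks like a leftover.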
@@ -1,49 +1,23 @@ ID: aws_elbv2_alb_minimum_number_of_ec2_target_instances Title: "ELBv2 ALB Minimum Number of EC2 Target Instances" Description: "Ensure there is a minimum number of two healthy target instances associated with each AWS ELBv2 application load balancer." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with target_resource as ( - select - load_balancer_arn, - count(*) as c - from - aws_ec2_target_group, - jsonb_array_elements_text(load_balancer_arns) as load_balancer_arn - group by load_balancer_arn - ) - select - a.arn as resource, - a.og_account_id, - a.og_resource_id, - case - when b.load_balancer_arn is null or b.c < 2 then 'alarm' - else 'ok' - end as status, - case - when b.load_balancer_arn is null or b.c < 2 then a.title || ' is not using a fault-tolerant configuration.' - else a.title || ' is using a fault-tolerant configuration.' - end as reason, - a.region, - a.account_id - from - aws_ec2_application_load_balancer a - left join target_resource b on a.arn = b.load_balancer_arn; + QueryToExecute: "with target_resource as (\nselect \n load_balancer_arn,\n count(*) as c \nfrom \n aws_ec2_target_group, \n jsonb_array_elements_text(load_balancer_arns) as load_balancer_arn \ngroup by load_balancer_arn\n)\nselect\n a.arn as resource,\n a.og_account_id,\n a.og_resource_id,\n case\n when b.load_balancer_arn is null or b.c < 2 then 'alarm'\n else 'ok'\n end as status,\n case\n when b.load_balancer_arn is null or b.c < 2 then a.title || ' is not using a fault-tolerant configuration.'\n else a.title || ' is using a fault-tolerant configuration.'\n end as reason,\n a.region,\n a.account_id\nfrom\n aws_ec2_application_load_balancer a\n left join target_resource b on a.arn = b.load_balancer_arn;\n" PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_target_group + - aws_ec2_application_load_balancer + - aws_ec2_target_group Parameters: [] Severity: high Tags: 
platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_group.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_group.yaml index 654659b3d..b5238c927 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_group.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_group.yaml 
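Review bot: The `target_resource` CTE counts rows of `aws_ec2_target_group` per load balancer ARN, i.e. how many target groups are attached, while the Description promises a minimum of two *healthy target instances*; an ALB with two empty target groups passes and one with a single target group holding five healthy instances alarms. Per-target health is not in this hunk's tables, so the fix needs whichever column of `aws_ec2_target_group` carries the target health descriptions (presumably a JSON array — confirm against the schema) and a count of entries whose state is `healthy`, summed per load balancer. Until then the reason `is not using a fault-tolerant configuration` overstates what is checked. The block-scalar-to-quoted-string rewrite of `QueryToExecute` also costs readability for no functional gain.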
@@ -1,64 +1,24 @@ ID: aws_elbv2_alb_security_group Title: "ELBv2 ALB Security Group" Description: "Ensure ELBv2 load balancers have secure and valid security groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - WITH sg AS ( - SELECT - group_id, - group_name, - ARRAY_AGG('(' || (p ->> 'ToPort') || ',' || lower(p ->> 'IpProtocol') || ')') AS ports_and_protocols - FROM - aws_vpc_security_group, - jsonb_array_elements(ip_permissions) as p - GROUP BY - group_id, group_name - ), lbl AS ( - SELECT - load_balancer_arn, - ARRAY_AGG('(' || port || ',' || lower(protocol) || ')') AS ports_and_protocols - FROM - aws_ec2_load_balancer_listener - GROUP BY - load_balancer_arn - ) - SELECT - al.name as resource, - al.og_account_id, - al.og_resource_id, - sg.ports_and_protocols, - lbl.ports_and_protocols, - CASE - WHEN sg.ports_and_protocols <@ lbl.ports_and_protocols THEN 'ok' - ELSE 'alarm' - END as status, - CASE - WHEN sg.ports_and_protocols <@ lbl.ports_and_protocols THEN al.name || ' is secure' - ELSE al.name || ' is not secure' - END as reason, - al.region, - al.account_id - FROM - aws_ec2_application_load_balancer as al - CROSS JOIN LATERAL jsonb_array_elements_text(al.security_groups) as sgid - LEFT JOIN sg ON sgid = sg.group_id - LEFT JOIN lbl ON al.arn = lbl.load_balancer_arn; + QueryToExecute: "WITH sg AS (\n SELECT\n group_id,\n group_name,\n ARRAY_AGG('(' || (p ->> 'ToPort') || ',' || lower(p ->> 'IpProtocol') || ')') AS ports_and_protocols\n FROM\n aws_vpc_security_group,\n jsonb_array_elements(ip_permissions) as p\n GROUP BY\n group_id, group_name\n), lbl AS (\n SELECT \n load_balancer_arn,\n ARRAY_AGG('(' || port || ',' || lower(protocol) || ')') AS ports_and_protocols\n FROM \n aws_ec2_load_balancer_listener\n GROUP BY \n load_balancer_arn\n)\nSELECT\n al.name as resource,\n al.og_account_id,\n al.og_resource_id,\n sg.ports_and_protocols,\n lbl.ports_and_protocols,\n CASE\n WHEN sg.ports_and_protocols <@ lbl.ports_and_protocols THEN 
'ok'\n ELSE 'alarm'\n END as status,\n CASE\n WHEN sg.ports_and_protocols <@ lbl.ports_and_protocols THEN al.name || ' is secure'\n ELSE al.name || ' is not secure'\n END as reason,\n al.region,\n al.account_id\nFROM\n aws_ec2_application_load_balancer as al\n CROSS JOIN LATERAL jsonb_array_elements_text(al.security_groups) as sgid\n LEFT JOIN sg ON sgid = sg.group_id\n LEFT JOIN lbl ON al.arn = lbl.load_balancer_arn;\n" PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_load_balancer_listener - - aws_vpc_security_group + - aws_ec2_application_load_balancer + - aws_ec2_load_balancer_listener + - aws_vpc_security_group Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_policy.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_policy.yaml index b7fd26ca6..fd5844a67 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_policy.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_alb_security_policy.yaml @@ -1,8 +1,6 @@ ID: aws_elbv2_alb_security_policy Title: "ELBv2 ALB Security Policy" Description: "Ensure that Amazon ALBs are using the latest predefined security policy for their SSL negotiation configuration in order to follow security best practices and protect their front-end connections against SSL/TLS vulnerabilities." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
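Review bot: The containment test `sg.ports_and_protocols <@ lbl.ports_and_protocols` compares tuples built from the security group's `IpProtocol` (`tcp`, `udp`, `-1`) with tuples built from the listener `protocol` (`HTTP`, `HTTPS`), so `(443,tcp)` never equals `(443,https)` and, as far as the visible query shows, every ALB with at least one ingress rule lands in `alarm`; a rule with `IpProtocol` `-1` has no `ToPort`, which makes that array element NULL and defeats containment as well. Since ALB listeners are always TCP, the listener side can be normalised with `ARRAY_AGG('(' || port || ',tcp)') AS ports_and_protocols`, and `-1` rules should be treated as a failure rather than silently dropped. The check also ignores `FromPort`, so a `0-65535/tcp` rule collapses to `(65535,tcp)`; comparing port ranges, not `ToPort` alone, is needed for the "secure and valid" claim in the Description. The two columns both named `ports_and_protocols` in the SELECT will be collapsed by some result consumers and should be aliased.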
@@ -25,14 +23,16 @@ Query: left join aws_ec2_load_balancer_listener as li on li.load_balancer_arn = a.arn PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_load_balancer_listener + - aws_ec2_application_load_balancer + - aws_ec2_load_balancer_listener Parameters: - Key: awsLatestPolicies Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_elastic_load_balancing_deletion_protection.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_elastic_load_balancing_deletion_protection.yaml index e64563f47..9e2c43d07 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_elastic_load_balancing_deletion_protection.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_elastic_load_balancing_deletion_protection.yaml @@ -1,8 +1,6 @@ ID: aws_elbv2_elastic_load_balancing_deletion_protection Title: "ELBv2 Elastic Load Balancing Deletion Protection" Description: "Ensure ELBv2 Load Balancers have Deletion Protection feature enabled in order to protect them from being accidentally deleted." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -36,15 +34,17 @@ Query: left join app_lb_desync_mitigation_mode as m on a.arn = m.arn; PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_glb_minimum_number_of_ec2_target_instances.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_glb_minimum_number_of_ec2_target_instances.yaml index 91ad658fe..b59d886e2 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_glb_minimum_number_of_ec2_target_instances.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_glb_minimum_number_of_ec2_target_instances.yaml 
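Review bot: The visible tail of the deletion-protection query, `left join app_lb_desync_mitigation_mode as m on a.arn = m.arn;`, uses the same CTE name and join as `aws_configure_http_desync_mitigation_mode_for_application_load_balancers`, which suggests the query body was copied from that control; the rest of the query is outside the hunk, so please confirm it evaluates the `deletion_protection.enabled` load-balancer attribute rather than `routing.http.desync_mitigation_mode`, and rename the CTE (e.g. `app_lb_deletion_protection`) so the intent is obvious at the join. The `platform_score_use_case`/`score_tags` value `Problem Identities` also does not describe a deletion-protection check; the sibling availability controls use `Lacking High Availability`, which fits better here. The `Exposed Endpoints` tag on the desync control is correct and should not be carried over.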
@@ -1,49 +1,23 @@ ID: aws_elbv2_glb_minimum_number_of_ec2_target_instances Title: "ELBv2 GLB Minimum Number of EC2 Target Instances" Description: "Ensure there is a minimum number of two healthy target instances associated with each AWS ELBv2 gateway load balancer." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with target_resource as ( - select - load_balancer_arn, - count(*) as c - from - aws_ec2_target_group, - jsonb_array_elements_text(load_balancer_arns) as load_balancer_arn - group by load_balancer_arn - ) - select - a.arn as resource, - a.og_account_id, - a.og_resource_id, - case - when b.load_balancer_arn is null or b.c < 2 then 'alarm' - else 'ok' - end as status, - case - when b.load_balancer_arn is null or b.c < 2 then a.title || ' is not using a fault-tolerant configuration.' - else a.title || ' is using a fault-tolerant configuration.' - end as reason, - a.region, - a.account_id - from - aws_ec2_gateway_load_balancer a - left join target_resource b on a.arn = b.load_balancer_arn; + QueryToExecute: "with target_resource as (\nselect \n load_balancer_arn,\n count(*) as c \nfrom \n aws_ec2_target_group, \n jsonb_array_elements_text(load_balancer_arns) as load_balancer_arn \ngroup by load_balancer_arn\n)\nselect\n a.arn as resource,\n a.og_account_id,\n a.og_resource_id,\n case\n when b.load_balancer_arn is null or b.c < 2 then 'alarm'\n else 'ok'\n end as status,\n case\n when b.load_balancer_arn is null or b.c < 2 then a.title || ' is not using a fault-tolerant configuration.'\n else a.title || ' is using a fault-tolerant configuration.'\n end as reason,\n a.region,\n a.account_id\nfrom\n aws_ec2_gateway_load_balancer a\n left join target_resource b on a.arn = b.load_balancer_arn;\n" PrimaryTable: aws_ec2_gateway_load_balancer ListOfTables: - - aws_ec2_gateway_load_balancer - - aws_ec2_target_group + - aws_ec2_gateway_load_balancer + - aws_ec2_target_group Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - 
AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_nlb_listener_security.yaml b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_nlb_listener_security.yaml index c892db943..847974eb2 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_elbv2_nlb_listener_security.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_elbv2_nlb_listener_security.yaml @@ -1,8 +1,6 @@ ID: aws_elbv2_nlb_listener_security Title: "ELBv2 NLB Listener Security" Description: "Ensure that your AWS Network Load Balancer listeners are using a secure protocol such as TLS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -66,16 +64,18 @@ Query: left join nwl_without_tls_listener as l on l.load_balancer_arn = lb.arn; PrimaryTable: aws_ec2_network_load_balancer ListOfTables: - - aws_ec2_load_balancer_listener - - aws_ec2_network_load_balancer + - aws_ec2_load_balancer_listener + - aws_ec2_network_load_balancer Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Unencrypted Traffic + - Unencrypted Traffic +IntegrationTypeName: + - aws_cloud 
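Review bot: The `QueryToExecute` of aws_elbv2_glb_minimum_number_of_ec2_target_instances is now one double-quoted scalar with embedded `\n` escapes, replacing the `|` block scalar that the unchanged hunks in this same diff still use; the SQL is no longer readable or diffable line by line, and any double quote inside it must now be backslash-escaped (as the aws_opensearch_domain_exposed hunk shows). The same conversion appears in the aws_enable_audit_logs, aws_enable_in_transit_encryption, aws_encryption_at_rest, aws_opensearch_accessible_only_from_safelisted_ip_addresses, aws_opensearch_dedicated_master_enabled, aws_opensearch_domain_encrypted_with_kms_cmks and aws_opensearch_domain_exposed hunks. I would keep `QueryToExecute: |` with the query body indented beneath it, which is what every other control file in this diff does. Separately, this query counts target groups attached to each gateway load balancer (`count(*)` over `jsonb_array_elements_text(load_balancer_arns)`), not healthy target instances as the Title and Description state; if target health is not available here, the Description should say "target groups", otherwise the check should read target health.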
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_amazon_waf_integration_for_application_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_amazon_waf_integration_for_application_load_balancers.yaml index 148fc50b0..91ef5b315 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_amazon_waf_integration_for_application_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_amazon_waf_integration_for_application_load_balancers.yaml @@ -1,8 +1,6 @@ ID: aws_enable_amazon_waf_integration_for_application_load_balancers Title: "Enable Amazon WAF Integration for Application Load Balancers" Description: "Use Amazon WAF to protect Application Load Balancers from common web exploits." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -32,16 +30,18 @@ Query: left join associated_resource as ar on lb.arn = ar.arns; PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_wafv2_web_acl + - aws_ec2_application_load_balancer + - aws_wafv2_web_acl Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_cross_zone_load_balancing.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_cross_zone_load_balancing.yaml index fd4bbfb2e..df0aa80e6 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_cross_zone_load_balancing.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_cross_zone_load_balancing.yaml 
@@ -1,8 +1,6 @@ ID: aws_enable_cross_zone_load_balancing Title: "Enable Cross-Zone Load Balancing" Description: "Ensure fault tolerance for your Amazon Gateway Load Balancers by enabling Cross-Zone Load Balancing." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -27,11 +25,13 @@ Query: lb ->> 'Key' = 'load_balancing.cross_zone.enabled' PrimaryTable: aws_ec2_gateway_load_balancer ListOfTables: - - aws_ec2_gateway_load_balancer + - aws_ec2_gateway_load_balancer Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_deletion_protection.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_deletion_protection.yaml index 50b69998a..79fa5b9e1 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_deletion_protection.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_deletion_protection.yaml @@ -1,8 +1,6 @@ ID: aws_enable_deletion_protection Title: "Enable Deletion Protection" Description: "Ensure that Deletion Protection is enabled for Amazon Gateway Load Balancers." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -27,11 +25,13 @@ Query: lb ->> 'Key' = 'deletion_protection.enabled' PrimaryTable: aws_ec2_gateway_load_balancer ListOfTables: - - aws_ec2_gateway_load_balancer + - aws_ec2_gateway_load_balancer Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_http_to_https_redirect_for_application_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_http_to_https_redirect_for_application_load_balancers.yaml index e86adb4c8..859785b26 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_http_to_https_redirect_for_application_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_http_to_https_redirect_for_application_load_balancers.yaml @@ -1,8 +1,6 @@ ID: aws_enable_http_to_https_redirect_for_application_load_balancers Title: "Enable HTTP to HTTPS Redirect for Application Load Balancers" Description: "Ensure that your Application Load Balancers have a rule that redirects HTTP traffic to HTTPS." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -39,16 +37,18 @@ Query: left join detailed_listeners b on a.arn = b.load_balancer_arn; PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_load_balancer_listener + - aws_ec2_application_load_balancer + - aws_ec2_load_balancer_listener Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Unencrypted Traffic + - Unencrypted Traffic +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_enable_support_for_grpc_protocol.yaml b/compliance/controls/baseline/aws/load_balancer/aws_enable_support_for_grpc_protocol.yaml index e19a27e2b..570cb2326 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_enable_support_for_grpc_protocol.yaml 
+++ b/compliance/controls/baseline/aws/load_balancer/aws_enable_support_for_grpc_protocol.yaml @@ -1,8 +1,6 @@ ID: aws_enable_support_for_grpc_protocol Title: "Enable Support for gRPC Protocol" Description: "Ensure that support for gRPC protocol is enabled for Application Load Balancers (ALBs)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,12 +23,14 @@ Query: left join aws_ec2_target_group as tg on tg.load_balancer_arns::text like '%' || a.arn || '%' PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_target_group + - aws_ec2_application_load_balancer + - aws_ec2_target_group Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbs.yaml b/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbs.yaml index fea7c78b3..d298e0174 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbs.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbs.yaml @@ -1,8 +1,6 @@ ID: aws_internet_facing_elbs Title: "Internet Facing ELBs" Description: "Ensure Amazon internet-facing ELBs/ALBs are regularly reviewed for security purposes." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -24,11 +22,13 @@ Query: aws_ec2_classic_load_balancer a PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbv2s.yaml b/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbv2s.yaml index 81ac96e0a..7e7139abf 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbv2s.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_internet_facing_elbv2s.yaml @@ -1,8 +1,6 @@ ID: aws_internet_facing_elbv2s Title: "Internet Facing ELBv2s" Description: "Ensure Amazon internet-facing ELBs/ALBs are regularly reviewed for security purposes." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -24,11 +22,13 @@ Query: aws_ec2_application_load_balancer a PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer + - aws_ec2_application_load_balancer Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_unused_application_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_unused_application_load_balancers.yaml index c689a1575..71608105c 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_unused_application_load_balancers.yaml 
+++ b/compliance/controls/baseline/aws/load_balancer/aws_unused_application_load_balancers.yaml @@ -1,8 +1,6 @@ ID: aws_unused_application_load_balancers Title: "Unused Application Load Balancers" Description: "Identify unused Applications Load Balancers, and delete them to help lower the cost of your monthly AWS bill." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -38,16 +36,18 @@ Query: left join target_resource b on a.arn = b.load_balancer_arn; PrimaryTable: aws_ec2_application_load_balancer ListOfTables: - - aws_ec2_application_load_balancer - - aws_ec2_target_group + - aws_ec2_application_load_balancer + - aws_ec2_target_group Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Orphaned Resources + - Orphaned Resources score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Orphaned Resources + - Orphaned Resources +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_unused_elastic_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_unused_elastic_load_balancers.yaml index a38fd05b9..799b3be06 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_unused_elastic_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_unused_elastic_load_balancers.yaml @@ -1,8 +1,6 @@ ID: aws_unused_elastic_load_balancers Title: "Unused Elastic Load Balancers" Description: "Identify unused Elastic Load Balancers, and delete them to help lower the cost of your monthly AWS bill." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | 
@@ -28,15 +26,17 @@ Query: aws_ec2_classic_load_balancer as lb PrimaryTable: aws_ec2_classic_load_balancer ListOfTables: - - aws_ec2_classic_load_balancer + - aws_ec2_classic_load_balancer Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Orphaned Resources + - Orphaned Resources score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Orphaned Resources + - Orphaned Resources +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/load_balancer/aws_unused_gateway_load_balancers.yaml b/compliance/controls/baseline/aws/load_balancer/aws_unused_gateway_load_balancers.yaml index 00d98e3bf..885f72c7b 100755 --- a/compliance/controls/baseline/aws/load_balancer/aws_unused_gateway_load_balancers.yaml +++ b/compliance/controls/baseline/aws/load_balancer/aws_unused_gateway_load_balancers.yaml @@ -1,8 +1,6 @@ ID: aws_unused_gateway_load_balancers Title: "Unused Gateway Load Balancers" Description: "Identify unused Gateway Load Balancers, and delete them to help lower the cost of your monthly AWS bill." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -38,16 +36,18 @@ Query: left join target_resource b on a.arn = b.load_balancer_arn; PrimaryTable: aws_ec2_gateway_load_balancer ListOfTables: - - aws_ec2_gateway_load_balancer - - aws_ec2_target_group + - aws_ec2_gateway_load_balancer + - aws_ec2_target_group Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) platform_score_use_case: - - Orphaned Resources + - Orphaned Resources score_service_name: - - AWS Elastic Load Balancing V2 (ELBv2) + - AWS Elastic Load Balancing V2 (ELBv2) score_tags: - - Orphaned Resources + - Orphaned Resources +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/opensearch/aws_enable_audit_logs.yaml b/compliance/controls/baseline/aws/opensearch/aws_enable_audit_logs.yaml index e39103e04..1efedffc7 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_enable_audit_logs.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_enable_audit_logs.yaml @@ -1,38 +1,22 @@ ID: aws_enable_audit_logs Title: "Enable Audit Logs" Description: "Ensure that audit logging is enabled for all your Amazon OpenSearch domains." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN log_publishing_options ->> 'AUDIT_LOGS' is not null THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN log_publishing_options ->> 'AUDIT_LOGS' is not null THEN domain_name || ' CloudWatch Logs are enabled.' - ELSE domain_name || ' CloudWatch Logs are not enabled.' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN log_publishing_options ->> 'AUDIT_LOGS' is not null THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN log_publishing_options ->> 'AUDIT_LOGS' is not null THEN domain_name || ' CloudWatch Logs are enabled.' \n ELSE domain_name || ' CloudWatch Logs are not enabled.'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud 
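Review bot: The audit-log check only tests that `log_publishing_options ->> 'AUDIT_LOGS'` is present, so a domain whose AUDIT_LOGS option exists but is switched off would still report 'ok' if, as in the OpenSearch API, each log publishing option carries an `Enabled` flag; consider `WHEN (log_publishing_options -> 'AUDIT_LOGS' ->> 'Enabled')::bool THEN 'ok'` (confirm the stored shape of the column first). The reason strings also say "CloudWatch Logs are enabled/not enabled" although the control is specifically about audit logging; `domain_name || ' audit logs are enabled.'` and `domain_name || ' audit logs are not enabled.'` would match the Title.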
diff --git a/compliance/controls/baseline/aws/opensearch/aws_enable_in_transit_encryption.yaml b/compliance/controls/baseline/aws/opensearch/aws_enable_in_transit_encryption.yaml index ebddc23ea..7aa57177e 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_enable_in_transit_encryption.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_enable_in_transit_encryption.yaml 
@@ -1,38 +1,22 @@ ID: aws_enable_in_transit_encryption Title: "Enable In-Transit Encryption" Description: "Ensure that in-transit encryption is enabled for your Amazon OpenSearch domains." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN (domain_endpoint_options ->> 'EnforceHTTPS')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (domain_endpoint_options ->> 'EnforceHTTPS')::bool THEN domain_name || ' in-transit encryption is enabled.' - ELSE domain_name || ' in-transit encryption is not enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN (domain_endpoint_options ->> 'EnforceHTTPS')::bool THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN (domain_endpoint_options ->> 'EnforceHTTPS')::bool THEN domain_name || ' in-transit encryption is enabled.' \n ELSE domain_name || ' in-transit encryption is not enabled'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Unencrypted Traffic + - Unencrypted Traffic +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_encryption_at_rest.yaml b/compliance/controls/baseline/aws/opensearch/aws_encryption_at_rest.yaml index 87406887c..720306d0f 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_encryption_at_rest.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_encryption_at_rest.yaml 
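Review bot: The in-transit check passes as soon as `EnforceHTTPS` is true, which says nothing about the minimum TLS version the endpoint accepts; if `domain_endpoint_options` carries the API's `TLSSecurityPolicy` value, the control could additionally require a policy whose minimum is TLS 1.2 rather than TLS 1.0. The two reason strings are also inconsistent: the ok branch ends with a period and the alarm branch (`' in-transit encryption is not enabled'`) does not.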
@@ -1,38 +1,22 @@ ID: aws_encryption_at_rest Title: "Encryption At Rest" Description: "Ensure that your Amazon OpenSearch domains are encrypted in order to meet security and compliance requirements." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN (encryption_at_rest_options ->> 'Enabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (encryption_at_rest_options ->> 'Enabled')::bool THEN domain_name || ' encryption at rest is not enabled' - ELSE domain_name || ' encryption at rest is enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN (encryption_at_rest_options ->> 'Enabled')::bool THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN (encryption_at_rest_options ->> 'Enabled')::bool THEN domain_name || ' encryption at rest is not enabled' \n ELSE domain_name || ' encryption at rest is enabled'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_accessible_only_from_safelisted_ip_addresses.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_accessible_only_from_safelisted_ip_addresses.yaml index 32e4f2fec..839e0fc0d 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_accessible_only_from_safelisted_ip_addresses.yaml 
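Review bot: The two reason strings in aws_encryption_at_rest are inverted relative to the status: when `(encryption_at_rest_options ->> 'Enabled')::bool` is true the status is 'ok' but the reason reads `' encryption at rest is not enabled'`, and the alarm branch reads `' encryption at rest is enabled'`. Swap them so the ok branch yields `domain_name || ' encryption at rest is enabled'` and the else branch `domain_name || ' encryption at rest is not enabled'`. The wording is pre-existing, but this hunk rewrites the whole query, so it is the place to fix it.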
+++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_accessible_only_from_safelisted_ip_addresses.yaml 
@@ -1,58 +1,24 @@ ID: aws_opensearch_accessible_only_from_safelisted_ip_addresses Title: "Opensearch Accessible Only From Safelisted IP Addresses" Description: "Ensure only safelisted IP addresses can access your Amazon OpenSearch domains." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement - WHERE statement ->> 'Condition' = NULL - ) THEN 'alarm' - WHEN EXISTS (SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement, - jsonb_array_elements((statement -> 'Condition' -> 'IpAddress' ->> 'aws:SourceIp')::jsonb) AS ip - WHERE '{{.awsSafelistedIPs}}' like '%' || ip.value::text || '%') THEN 'ok' - WHEN '{{.awsSafelistedIPs}}' = '' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement - WHERE statement ->> 'Condition' = NULL - ) THEN domain_name || ' does not include specific IP addresses' - WHEN EXISTS (SELECT 1 - FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement, - jsonb_array_elements((statement -> 'Condition' -> 'IpAddress' ->> 'aws:SourceIp')::jsonb) AS ip - WHERE '{{.awsSafelistedIPs}}' like '%' || ip.value::text || '%') THEN domain_name || ' includes approved specific IP addresses' - WHEN '{{.awsSafelistedIPs}}' = '' THEN ' approved IP addresses not defined' - ELSE domain_name || ' includes not approved specific IP addresses' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain; + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN EXISTS (\n SELECT 1\n FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement\n WHERE statement ->> 'Condition' = NULL\n ) THEN 'alarm'\n WHEN EXISTS (SELECT 1\n FROM 
jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement,\n jsonb_array_elements((statement -> 'Condition' -> 'IpAddress' ->> 'aws:SourceIp')::jsonb) AS ip\n WHERE '{{.awsSafelistedIPs}}' like '%' || ip.value::text || '%') THEN 'ok'\n WHEN '{{.awsSafelistedIPs}}' = '' THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN EXISTS (\n SELECT 1\n FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement\n WHERE statement ->> 'Condition' = NULL\n ) THEN domain_name || ' does not include specific IP addresses'\n WHEN EXISTS (SELECT 1\n FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') AS statement,\n jsonb_array_elements((statement -> 'Condition' -> 'IpAddress' ->> 'aws:SourceIp')::jsonb) AS ip\n WHERE '{{.awsSafelistedIPs}}' like '%' || ip.value::text || '%') THEN domain_name || ' includes approved specific IP addresses'\n WHEN '{{.awsSafelistedIPs}}' = '' THEN ' approved IP addresses not defined'\n ELSE domain_name || ' includes not approved specific IP addresses'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain;\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: - Key: awsSafelistedIPs Required: false Severity: critical Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_dedicated_master_enabled.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_dedicated_master_enabled.yaml index 3bb3d759c..5da07ce60 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_dedicated_master_enabled.yaml 
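Review bot: `statement ->> 'Condition' = NULL` in both CASE expressions is never true in SQL (a comparison with NULL yields NULL), so the branch meant to alarm on a policy statement with no Condition is dead and such statements fall through to the later branches; it should be `statement ->> 'Condition' IS NULL`. The approved-IP test `'{{.awsSafelistedIPs}}' like '%' || ip.value::text || '%'` is a substring match, so an entry such as 10.0.0.1 is treated as approved when the safelist contains 10.0.0.10 (constructed example); splitting the parameter on its separator and comparing whole entries would be more precise. With `Required: false` and the `WHEN '{{.awsSafelistedIPs}}' = '' THEN 'ok'` branch, a deployment that never sets the parameter passes this critical-severity control by default, which deserves at least a comment in the file. Note too that `{{.awsSafelistedIPs}}` is substituted into a SQL string literal by the template engine, so a value containing a single quote would break or alter the query.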
+++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_dedicated_master_enabled.yaml @@ -1,38 +1,22 @@ ID: aws_opensearch_dedicated_master_enabled Title: "OpenSearch Dedicated Master Enabled" Description: "Ensure Amazon OpenSearch clusters are using dedicated master nodes to increase the production environment stability." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN (cluster_config ->> 'DedicatedMasterEnabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (cluster_config ->> 'DedicatedMasterEnabled')::bool THEN domain_name || ' is configured to use dedicated mater nodes.' - ELSE domain_name || ' is not configured to use dedicated mater nodes' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN (cluster_config ->> 'DedicatedMasterEnabled')::bool THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN (cluster_config ->> 'DedicatedMasterEnabled')::bool THEN domain_name || ' is configured to use dedicated mater nodes.' \n ELSE domain_name || ' is not configured to use dedicated mater nodes'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud 
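Review bot: Both reason strings in aws_opensearch_dedicated_master_enabled misspell "master" as "mater" (`' is configured to use dedicated mater nodes.'` and `' is not configured to use dedicated mater nodes'`), and the alarm variant lacks the trailing period the ok variant has. These are runtime strings shown to users, so they are worth correcting while the query is being rewritten.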
diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_encrypted_with_kms_cmks.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_encrypted_with_kms_cmks.yaml index 42bb79f0c..92113b1f8 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_encrypted_with_kms_cmks.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_encrypted_with_kms_cmks.yaml 
@@ -1,42 +1,23 @@ ID: aws_opensearch_domain_encrypted_with_kms_cmks Title: "OpenSearch Domain Encrypted with KMS CMKs" Description: "Ensure that OpenSearch domains are encrypted with KMS Customer Master Keys (CMKs)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN kms.key_manager is NULL THEN 'alarm' - WHEN kms.key_manager = 'AWS' THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN kms.key_manager is NULL THEN domain_name || ' encryption with kms key not enabled' - WHEN kms.key_manager = 'AWS' THEN domain_name || ' is not encrypted with CMK' - ELSE domain_name || ' is encrypted with CMK' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain - left join (select arn, key_manager from aws_kms_key) kms on (encryption_at_rest_options ->> 'KmsKeyId') = kms.arn + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN kms.key_manager is NULL THEN 'alarm'\n WHEN kms.key_manager = 'AWS' THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN kms.key_manager is NULL THEN domain_name || ' encryption with kms key not enabled' \n WHEN kms.key_manager = 'AWS' THEN domain_name || ' is not encrypted with CMK' \n ELSE domain_name || ' is encrypted with CMK'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n left join (select arn, key_manager from aws_kms_key) kms on (encryption_at_rest_options ->> 'KmsKeyId') = kms.arn\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_kms_key - - aws_opensearch_domain + - aws_kms_key + - aws_opensearch_domain Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Unencrypted Storage + - Unencrypted Storage 
+IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_exposed.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_exposed.yaml index 23bc82c6b..be62dfe20 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_exposed.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_exposed.yaml 
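Review bot: `kms.key_manager is NULL` conflates two situations: at-rest encryption genuinely disabled, and encryption enabled with a key the left join could not resolve (a key outside the inventoried `aws_kms_key` rows, or a `KmsKeyId` that is not in ARN form so `= kms.arn` never matches); both produce 'alarm' with the reason `' encryption with kms key not enabled'`, which is misleading in the second case. Consider testing `(encryption_at_rest_options ->> 'Enabled')::bool` first and giving the unresolved-key case its own reason, e.g. `' is encrypted with a KMS key that could not be resolved'`. Whether KmsKeyId is stored as an ARN here is not visible in the hunk and should be confirmed against the table schema.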
@@ -1,46 +1,22 @@ ID: aws_opensearch_domain_exposed Title: "OpenSearch Domain Exposed" Description: "Ensure Amazon OpenSearch domains aren't exposed to everyone." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '"*"' or - (s ->> 'Principal')::text = '{"AWS": "*"}') - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '"*"' or - (s ->> 'Principal')::text = '{"AWS": "*"}') - ) THEN domain_name || ' is publicly accessible' - ELSE domain_name || ' is not publicly accessible' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '\"*\"' or\n (s ->> 'Principal')::text = '{\"AWS\": \"*\"}')\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(access_policies::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '\"*\"' or\n (s ->> 'Principal')::text = '{\"AWS\": \"*\"}')\n ) THEN domain_name || ' is publicly accessible' \n ELSE domain_name || ' is not publicly accessible'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service 
platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_in_vpc.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_in_vpc.yaml index fcc2c7a07..0ade79990 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_in_vpc.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_domain_in_vpc.yaml @@ -1,8 +1,6 @@ ID: aws_opensearch_domain_in_vpc Title: "OpenSearch Domain In VPC" Description: "Ensure that your Amazon OpenSearch domains are accessible only from AWS VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -54,16 +52,18 @@ Query: left join opensearch_domain_with_public_subnet as p on d.arn = p.arn; PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain - - aws_vpc_route_table + - aws_opensearch_domain + - aws_vpc_route_table Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_node_to_node_encryption.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_node_to_node_encryption.yaml index 38eea497d..a3e495bc4 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_node_to_node_encryption.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_node_to_node_encryption.yaml 
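Review bot: In the new `QueryToExecute` string the comparison `(s ->> 'Principal')::text = '\"*\"'` looks like it can never match a bare `\"Principal\": \"*\"` statement: under PostgreSQL semantics `->>` returns a JSON string unwrapped, so the value seen is `*`, not `\"*\"` (please confirm against the engine's jsonb behaviour). If so, only the `{\"AWS\": \"*\"}` object form is detected and a domain with a plain wildcard principal is reported `is not publicly accessible`; changing both occurrences to `(s ->> 'Principal')::text = '*'` while keeping the object comparison would close that gap. Statements with a `Condition` block, or with the wildcard written as `{\"AWS\": [\"*\"]}`, also fall outside the text match, so the result should be documented as a lower bound on exposure rather than an exact check. The quoted-scalar form also forces a `\"` escape around every JSON quote in this query, which is a further reason to keep it as a block scalar.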
@@ -1,38 +1,22 @@ ID: aws_opensearch_node_to_node_encryption Title: "OpenSearch Node To Node Encryption" Description: "Ensure that your Amazon OpenSearch clusters are using node to node encryption in order to meet security and compliance requirements." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN not node_to_node_encryption_options_enabled THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN not node_to_node_encryption_options_enabled THEN domain_name || ' node-to-node encryption is not enabled' - ELSE domain_name || ' node-to-node encryption is enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN not node_to_node_encryption_options_enabled THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN not node_to_node_encryption_options_enabled THEN domain_name || ' node-to-node encryption is not enabled' \n ELSE domain_name || ' node-to-node encryption is enabled'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Unencrypted Traffic + - Unencrypted Traffic +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_slow_logs.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_slow_logs.yaml index 0893cb384..8c037696c 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_slow_logs.yaml 
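Review bot: `WHEN not node_to_node_encryption_options_enabled THEN 'alarm' ELSE 'ok'` fails open when the column is NULL: `not NULL` is NULL, the WHEN branch is not taken, and the domain is reported `node-to-node encryption is enabled`. If `node_to_node_encryption_options_enabled` can be NULL for domains where the option was never set (not determinable from this hunk), `WHEN node_to_node_encryption_options_enabled IS NOT TRUE THEN 'alarm'` treats the missing value as non-compliant, which is the safer default for an encryption control and matches the `COALESCE(..., false)` pattern the slow-logs query uses.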
+++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_slow_logs.yaml 
@@ -1,40 +1,22 @@ ID: aws_opensearch_slow_logs Title: "AWS OpenSearch Slow Logs" Description: "Ensure that your AWS OpenSearch domains publish slow logs to AWS CloudWatch Logs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN (COALESCE((log_publishing_options -> 'INDEX_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool and - COALESCE((log_publishing_options -> 'SEARCH_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (COALESCE((log_publishing_options -> 'INDEX_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool and - COALESCE((log_publishing_options -> 'SEARCH_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool) THEN domain_name || ' Slow Logs feature is enabled' - ELSE domain_name || ' Slow Logs feature is not enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN (COALESCE((log_publishing_options -> 'INDEX_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool and\n COALESCE((log_publishing_options -> 'SEARCH_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool) THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN (COALESCE((log_publishing_options -> 'INDEX_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool and\n COALESCE((log_publishing_options -> 'SEARCH_SLOW_LOGS' ->> 'Enabled')::bool, false)::bool) THEN domain_name || ' Slow Logs feature is enabled' \n ELSE domain_name || ' Slow Logs feature is not enabled'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - General Efficiency + - General Efficiency score_service_name: - - AWS OpenSearch 
Service + - AWS OpenSearch Service score_tags: - - General Efficiency + - General Efficiency +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_version.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_version.yaml index 06148a131..da9ae6af2 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_version.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_version.yaml 
@@ -1,40 +1,24 @@ ID: aws_opensearch_version Title: "OpenSearch Version" Description: "Ensure that the latest version of OpenSearch engine is used for your OpenSearch domains." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN engine_version = '{{.awsOpensearchLatestVersion}}' THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN engine_version = '{{.awsOpensearchLatestVersion}}' THEN domain_name || ' is using the latest engine version' - ELSE domain_name || ' is not using the latest engine version' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN engine_version = '{{.awsOpensearchLatestVersion}}' THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN engine_version = '{{.awsOpensearchLatestVersion}}' THEN domain_name || ' is using the latest engine version' \n ELSE domain_name || ' is not using the latest engine version'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: - Key: awsOpensearchLatestVersion Required: true Severity: high Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - General Efficiency + - General Efficiency score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - General Efficiency + - General Efficiency +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_opensearch_zone_awareness_enabled.yaml b/compliance/controls/baseline/aws/opensearch/aws_opensearch_zone_awareness_enabled.yaml index aafcef8d2..169a8b2eb 100755 --- a/compliance/controls/baseline/aws/opensearch/aws_opensearch_zone_awareness_enabled.yaml 
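Review bot: `WHEN engine_version = '{{.awsOpensearchLatestVersion}}'` splices the `awsOpensearchLatestVersion` parameter into the SQL text inside a string literal before the query is parsed, so the value must be validated or escaped by whatever renders the template; a value containing a single quote would break or alter the query. The hunk does not show where that substitution happens, so this is a request to confirm that the renderer escapes the value or that `Parameters` entries are constrained to a version-like pattern. The strict equality also means a domain on a version newer than the configured one is reported `is not using the latest engine version`, which is worth stating in the Description so operators know the parameter must be kept current.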
+++ b/compliance/controls/baseline/aws/opensearch/aws_opensearch_zone_awareness_enabled.yaml @@ -1,38 +1,22 @@ ID: aws_opensearch_zone_awareness_enabled Title: "OpenSearch Zone Awareness Enabled" Description: "Ensure high availability for your Amazon OpenSearch clusters by enabling the Zone Awareness feature." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN (cluster_config ->> 'ZoneAwarenessEnabled')::bool THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN (cluster_config ->> 'ZoneAwarenessEnabled')::bool THEN domain_name || ' cross-zone replication is enabled' - ELSE domain_name || ' cross-zone replication is not enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN (cluster_config ->> 'ZoneAwarenessEnabled')::bool THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN (cluster_config ->> 'ZoneAwarenessEnabled')::bool THEN domain_name || ' cross-zone replication is enabled' \n ELSE domain_name || ' cross-zone replication is not enabled'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/opensearch/aws_tls_security_policy_version.yaml b/compliance/controls/baseline/aws/opensearch/aws_tls_security_policy_version.yaml index a54b7e000..c46880615 100755 
--- a/compliance/controls/baseline/aws/opensearch/aws_tls_security_policy_version.yaml +++ b/compliance/controls/baseline/aws/opensearch/aws_tls_security_policy_version.yaml @@ -1,38 +1,22 @@ ID: aws_tls_security_policy_version Title: "TLS Security Policy Version" Description: "Ensure that your OpenSearch domains are using the latest version of the TLS security policy." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - SELECT - domain_name as resource, - og_resource_id, - og_account_id, - CASE - WHEN log_publishing_options is NULL THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN log_publishing_options is NULL THEN domain_name || ' the CloudWatch Logs are not enabled' - ELSE domain_name || ' the CloudWatch Logs are enabled' - END AS reason, - region, - account_id - FROM - aws_opensearch_domain + QueryToExecute: "SELECT \n domain_name as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN log_publishing_options is NULL THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN log_publishing_options is NULL THEN domain_name || ' the CloudWatch Logs are not enabled' \n ELSE domain_name || ' the CloudWatch Logs are enabled'\n END AS reason,\n region,\n account_id\nFROM \n aws_opensearch_domain\n" PrimaryTable: aws_opensearch_domain ListOfTables: - - aws_opensearch_domain + - aws_opensearch_domain Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS OpenSearch Service + - AWS OpenSearch Service score_tags: - - Unencrypted Traffic + - Unencrypted Traffic +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_aurora_database_cluster_activity_streams.yaml b/compliance/controls/baseline/aws/rds/aws_aurora_database_cluster_activity_streams.yaml index 589dfe0ee..545e3b9a7 100755 
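Review bot: The query in this control does not check what the Title and Description promise: it tests `log_publishing_options is NULL` and reports `the CloudWatch Logs are not enabled` / `the CloudWatch Logs are enabled`, while the control is `aws_tls_security_policy_version`, is tagged `Unencrypted Traffic`, and is described as ensuring the latest TLS security policy. As written, a domain on a deprecated TLS policy is reported `ok` whenever it publishes any logs, so the control gives false assurance on transport security. The WHEN/THEN branches should inspect the domain's TLS security policy setting instead (the field holding it is not visible in this diff), with reasons such as `domain_name || ' is not using the latest TLS security policy'`; the logic is unchanged by the scalar rewrite, so this predates the commit but is carried forward by it.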
--- a/compliance/controls/baseline/aws/rds/aws_aurora_database_cluster_activity_streams.yaml +++ b/compliance/controls/baseline/aws/rds/aws_aurora_database_cluster_activity_streams.yaml @@ -1,8 +1,6 @@ ID: aws_aurora_database_cluster_activity_streams Title: "Aurora Database Cluster Activity Streams" Description: "Ensure that Amazon Aurora clusters are configured to use database activity streams." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: |- @@ -14,7 +12,7 @@ Query: group by db_cluster_identifier, publicly_accessible ) - + select c.db_cluster_identifier as resource, og_account_id as og_account_id, @@ -36,16 +34,18 @@ Query: c.engine = 'aurora-mysql' or c.engine = 'aurora-postgresql' PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster - - aws_rds_db_instance + - aws_rds_db_cluster + - aws_rds_db_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_aurora_database_instance_accessibility.yaml b/compliance/controls/baseline/aws/rds/aws_aurora_database_instance_accessibility.yaml index f4db6810b..65b5a643d 100644 --- a/compliance/controls/baseline/aws/rds/aws_aurora_database_instance_accessibility.yaml +++ b/compliance/controls/baseline/aws/rds/aws_aurora_database_instance_accessibility.yaml @@ -1,8 +1,6 @@ ID: aws_aurora_database_instance_accessibility Title: "Aurora Database Instance Accessibility" Description: "Ensure that all database instances within an Amazon Aurora cluster have the same accessibility." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- 
@@ -14,7 +12,7 @@ Query: group by db_cluster_identifier, publicly_accessible ) - + select c.db_cluster_identifier as resource, og_account_id as og_account_id, @@ -36,16 +34,18 @@ Query: c.engine = 'aurora-mysql' or c.engine = 'aurora-postgresql' PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster - - aws_rds_db_instance + - aws_rds_db_cluster + - aws_rds_db_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_backtrack.yaml b/compliance/controls/baseline/aws/rds/aws_backtrack.yaml index 9c4109521..b9206a88a 100644 --- a/compliance/controls/baseline/aws/rds/aws_backtrack.yaml +++ b/compliance/controls/baseline/aws/rds/aws_backtrack.yaml @@ -1,8 +1,6 @@ ID: aws_backtrack Title: "Backtrack" Description: "Enable Amazon Aurora Backtrack." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -26,15 +24,17 @@ Query: engine = 'aurora-mysql' or engine = 'aurora-postgresql' PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/rds/aws_cluster_deletion_protection.yaml b/compliance/controls/baseline/aws/rds/aws_cluster_deletion_protection.yaml index b45ddde81..1a6e15b6a 100644 --- a/compliance/controls/baseline/aws/rds/aws_cluster_deletion_protection.yaml +++ b/compliance/controls/baseline/aws/rds/aws_cluster_deletion_protection.yaml @@ -1,8 +1,6 @@ ID: aws_cluster_deletion_protection Title: "Cluster Deletion Protection" Description: "Enable AWS RDS Cluster Deletion Protection." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -26,15 +24,17 @@ Query: engine = 'aurora-mysql' or engine = 'aurora-postgresql' PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_db_instance_generation.yaml b/compliance/controls/baseline/aws/rds/aws_db_instance_generation.yaml index 7c5d99a5e..01cda8cc9 100644 --- a/compliance/controls/baseline/aws/rds/aws_db_instance_generation.yaml +++ b/compliance/controls/baseline/aws/rds/aws_db_instance_generation.yaml @@ -1,8 +1,6 @@ ID: aws_db_instance_generation Title: "DB Instance Generation" Description: "Ensure you always use the latest generation of DB instances to get better performance with lower cost." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- 
@@ -33,11 +31,13 @@ Query: aws_rds_db_instance PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml b/compliance/controls/baseline/aws/rds/aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml index 9ed86ab59..b82545775 100644 --- a/compliance/controls/baseline/aws/rds/aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml +++ b/compliance/controls/baseline/aws/rds/aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml @@ -1,8 +1,6 @@ ID: aws_enable_aurora_cluster_copy_tags_to_snapshots Title: "Enable Aurora Cluster Copy Tags to Snapshots" Description: "Ensure that Amazon Aurora clusters have Copy Tags to Snapshots feature enabled." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -26,15 +24,17 @@ Query: engine = 'aurora-mysql' or engine = 'aurora-postgresql' PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Observability + - Observability score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Observability + - Observability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_enable_aws_rds_transport_encryption.yaml b/compliance/controls/baseline/aws/rds/aws_enable_aws_rds_transport_encryption.yaml index dba0913c1..5604efdb7 100644 
--- a/compliance/controls/baseline/aws/rds/aws_enable_aws_rds_transport_encryption.yaml +++ b/compliance/controls/baseline/aws/rds/aws_enable_aws_rds_transport_encryption.yaml @@ -1,8 +1,6 @@ ID: aws_enable_aws_rds_transport_encryption Title: "Enable AWS RDS Transport Encryption" Description: "Ensure AWS RDS SQL Server and Postgre instances have Transport Encryption feature enabled." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -58,16 +56,18 @@ Query: left join pg_with_ssl_enabled as p on p.name = i.pg_name PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance - - aws_rds_db_parameter_group + - aws_rds_db_instance + - aws_rds_db_parameter_group Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Unencrypted Traffic + - Unencrypted Traffic +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_enable_instance_storage_auto_scaling.yaml b/compliance/controls/baseline/aws/rds/aws_enable_instance_storage_auto_scaling.yaml index 933d759d9..cd7375fdb 100644 --- a/compliance/controls/baseline/aws/rds/aws_enable_instance_storage_auto_scaling.yaml +++ b/compliance/controls/baseline/aws/rds/aws_enable_instance_storage_auto_scaling.yaml @@ -1,8 +1,6 @@ ID: aws_enable_instance_storage_auto_scaling Title: "Enable Instance Storage AutoScaling" Description: "Ensure that the Storage AutoScaling feature is enabled to support unpredictable database workload." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- 
@@ -26,15 +24,17 @@ Query: engine = 'mysql' or engine = 'postgres' PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Over Utilization + - Over Utilization score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Over Utilization + - Over Utilization +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_enable_rds_snapshot_encryption.yaml b/compliance/controls/baseline/aws/rds/aws_enable_rds_snapshot_encryption.yaml index 7f6339d4b..59281bed4 100644 --- a/compliance/controls/baseline/aws/rds/aws_enable_rds_snapshot_encryption.yaml +++ b/compliance/controls/baseline/aws/rds/aws_enable_rds_snapshot_encryption.yaml @@ -1,8 +1,6 @@ ID: aws_enable_rds_snapshot_encryption Title: "Enable RDS Snapshot Encryption" Description: "Ensure that AWS RDS snapshots are encrypted to meet security and compliance requirements." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -34,16 +32,18 @@ Query: left join snapshots as b on r.db_instance_identifier = b.db_instance_identifier; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance - - aws_rds_db_snapshot + - aws_rds_db_instance + - aws_rds_db_snapshot Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/rds/aws_enable_serverless_log_exports.yaml b/compliance/controls/baseline/aws/rds/aws_enable_serverless_log_exports.yaml index 89ed3df89..1b199d8ea 100644 --- a/compliance/controls/baseline/aws/rds/aws_enable_serverless_log_exports.yaml +++ b/compliance/controls/baseline/aws/rds/aws_enable_serverless_log_exports.yaml @@ -1,8 +1,6 @@ ID: aws_enable_serverless_log_exports Title: "Enable Serverless Log Exports" Description: "Ensure Log Exports feature is enabled for your Amazon Aurora Serverless databases." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -26,15 +24,17 @@ Query: engine_mode = 'serverless' PrimaryTable: aws_rds_db_cluster ListOfTables: - - aws_rds_db_cluster + - aws_rds_db_cluster Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_instance_deletion_protection.yaml b/compliance/controls/baseline/aws/rds/aws_instance_deletion_protection.yaml index c0e66eec2..bdfd0c113 100644 --- a/compliance/controls/baseline/aws/rds/aws_instance_deletion_protection.yaml +++ b/compliance/controls/baseline/aws/rds/aws_instance_deletion_protection.yaml @@ -1,8 +1,6 @@ ID: aws_instance_deletion_protection Title: "Instance Deletion Protection" Description: "Enable AWS RDS Instance Deletion Protection." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- 
@@ -26,15 +24,17 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_instance_level_events_subscriptions.yaml b/compliance/controls/baseline/aws/rds/aws_instance_level_events_subscriptions.yaml index d6fcfe4a9..363457efd 100644 --- a/compliance/controls/baseline/aws/rds/aws_instance_level_events_subscriptions.yaml +++ b/compliance/controls/baseline/aws/rds/aws_instance_level_events_subscriptions.yaml 
@@ -1,44 +1,23 @@ ID: aws_instance_level_events_subscriptions Title: "Instance Level Events Subscriptions" Description: "Enable Event Subscriptions for Instance Level Events." -Connector: -- aws Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - select distinct - a.og_account_id, - a.og_resource_id, - case - when s.arn - is null then 'alarm' - else 'ok' - end status, - case - when s.arn is - null then 'Event notifications is not enabled for Amazon RDS instance level events' - - else 'Event notifications is enabled for Amazon RDS instance level events' - - end reason, - a.account_id - from - aws_account a - left join (select * from - aws_rds_db_event_subscription where source_type = 'db-instance') s on s.og_account_id - = a.og_account_id + QueryToExecute: "select distinct\n a.og_account_id,\n a.og_resource_id,\n case\n when s.arn\n is null then 'alarm'\n else 'ok'\n end status,\n case\n when s.arn is\n null then 'Event notifications is not enabled for Amazon RDS instance level events'\n\n else 'Event notifications is enabled for Amazon RDS instance level events'\n\n end reason,\n a.account_id\nfrom \n aws_account a\n left join (select * from\n aws_rds_db_event_subscription where source_type = 'db-instance') s on s.og_account_id\n = a.og_account_id\n" PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_rds_db_event_subscription + - aws_account + - aws_rds_db_event_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - General Efficiency + - General Efficiency score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - General Efficiency + - General Efficiency +IntegrationTypeName: + - aws_cloud 
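Review bot: This is the only query in the diff whose select list has no `resource` column — the other controls emit `domain_name as resource` or `c.db_cluster_identifier as resource` — so if the engine keys findings on that column (not confirmable from the hunk), this control produces findings with no resource; adding `a.account_id as resource` to the `select distinct` list would bring it in line. The odd breaks in the original block scalar (`when s.arn\n is null`, `when s.arn is\n null`) were carried into the quoted string verbatim and now read as escaped newlines in the middle of an expression; since this hunk rewrites the scalar anyway, normalising those lines costs nothing.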
diff --git a/compliance/controls/baseline/aws/rds/aws_log_exports.yaml b/compliance/controls/baseline/aws/rds/aws_log_exports.yaml index ab0c583fb..e072cab3a 100644 --- a/compliance/controls/baseline/aws/rds/aws_log_exports.yaml +++ b/compliance/controls/baseline/aws/rds/aws_log_exports.yaml @@ -1,8 +1,6 @@ ID: aws_log_exports Title: "Log Exports" Description: "Enable AWS RDS Log Exports." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -26,15 +24,17 @@ Query: engine = 'mysql' or engine = 'mariadb' PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Observability + - Observability score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Observability + - Observability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_performance_insights.yaml b/compliance/controls/baseline/aws/rds/aws_performance_insights.yaml index d46e03fb9..f6a90c984 100644 --- a/compliance/controls/baseline/aws/rds/aws_performance_insights.yaml +++ b/compliance/controls/baseline/aws/rds/aws_performance_insights.yaml @@ -1,8 +1,6 @@ ID: aws_performance_insights Title: "Performance Insights" Description: "Enable AWS RDS Performance Insights." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- 
@@ -26,15 +24,17 @@ Query: engine = 'aurora-mysql' or engine = 'aurora-postgresql' or engine = 'mysql' or engine = 'postgres' PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_automated_backups_enabled.yaml b/compliance/controls/baseline/aws/rds/aws_rds_automated_backups_enabled.yaml index 2f45a0a8e..bf6c4e66a 100644 --- a/compliance/controls/baseline/aws/rds/aws_rds_automated_backups_enabled.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_automated_backups_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_rds_automated_backups_enabled Title: "RDS Automated Backups Enabled" Description: "Ensure automated backups are enabled for RDS instances. This feature of Amazon RDS enables point-in-time recovery of your database instance." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -25,15 +23,17 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/baseline/aws/rds/aws_rds_db_instance_no_public_subnet.yaml b/compliance/controls/baseline/aws/rds/aws_rds_db_instance_no_public_subnet.yaml index 0034088b6..fff23fc28 100644 --- a/compliance/controls/baseline/aws/rds/aws_rds_db_instance_no_public_subnet.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_db_instance_no_public_subnet.yaml @@ -1,8 +1,6 @@ ID: aws_rds_db_instance_no_public_subnet Title: "RDS Instance Not In Public Subnet" Description: "Ensure that no AWS RDS database instances are provisioned inside VPC public subnets." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |+ @@ -101,18 +99,20 @@ Query: PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance - - aws_rds_db_subnet_group - - aws_vpc_route_table - - aws_vpc_subnet + - aws_rds_db_instance + - aws_rds_db_subnet_group + - aws_vpc_route_table + - aws_vpc_subnet Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_default_port.yaml b/compliance/controls/baseline/aws/rds/aws_rds_default_port.yaml index ac6526512..edc6533d1 100644 --- a/compliance/controls/baseline/aws/rds/aws_rds_default_port.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_default_port.yaml 
@@ -1,59 +1,22 @@ ID: aws_rds_default_port Title: "RDS Default Port" Description: "Ensure Amazon RDS database instances aren't using the default ports." -Connector: -- aws Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - select - db_instance_identifier as resource, - og_account_id - as og_account_id, - og_resource_id as og_resource_id, - case - when - - endpoint_port = 3306 and engine in ('mysql', 'mariadb', 'aurora-mysql') - or - endpoint_port = 5431 and engine in ('postres', 'postgres-ee', 'aurora-postgresql') - or - endpoint_port = 1433 and engine like 'sqlserver%' or - endpoint_port - = 1521 and engine = 'oracle-ee' - then 'alarm' - else 'ok' - end as status, - - case - when - endpoint_port = 3306 and engine in ('mysql', 'mariadb', - 'aurora-mysql') or - endpoint_port = 5431 and engine in ('postres', 'postgres-ee', - 'aurora-postgresql') or - endpoint_port = 1433 and engine like 'sqlserver%' - or - endpoint_port = 1521 and engine = 'oracle-ee' - then title || ' port - is set to default' - else title || ' port is not set to default' - end as - reason, - region, - account_id - from - aws_rds_db_instance + QueryToExecute: "select\n db_instance_identifier as resource,\n og_account_id\n as og_account_id,\n og_resource_id as og_resource_id,\n case\n when\n \n endpoint_port = 3306 and engine in ('mysql', 'mariadb', 'aurora-mysql')\n or\n endpoint_port = 5431 and engine in ('postres', 'postgres-ee', 'aurora-postgresql')\n or\n endpoint_port = 1433 and engine like 'sqlserver%' or\n endpoint_port\n = 1521 and engine = 'oracle-ee'\n then 'alarm'\n else 'ok'\n end as status,\n\n case\n when \n endpoint_port = 3306 and engine in ('mysql', 'mariadb',\n 'aurora-mysql') or\n endpoint_port = 5431 and engine in ('postres', 'postgres-ee',\n 'aurora-postgresql') or\n endpoint_port = 1433 and engine like 'sqlserver%'\n or\n endpoint_port = 1521 and engine = 'oracle-ee'\n then title || ' port\n is set to default'\n else title || ' port is not set to default'\n end as\n reason,\n 
region,\n account_id\nfrom\n aws_rds_db_instance\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_desired_instance_type.yaml b/compliance/controls/baseline/aws/rds/aws_rds_desired_instance_type.yaml index d8147030d..11189e91d 100644 --- a/compliance/controls/baseline/aws/rds/aws_rds_desired_instance_type.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_desired_instance_type.yaml @@ -1,8 +1,6 @@ ID: aws_rds_desired_instance_type Title: "RDS Desired Instance Type" Description: "Ensure fewer Amazon RDS instances than the established limit in your AWS account." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -24,13 +22,15 @@ Query: aws_rds_db_instance PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: - Key: awsRdsInstanceDesiredClasses Required: true Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_encrypted_with_kms_customer_master_keys.yaml b/compliance/controls/baseline/aws/rds/aws_rds_encrypted_with_kms_customer_master_keys.yaml index c705aa112..c3a3b2909 100644 --- a/compliance/controls/baseline/aws/rds/aws_rds_encrypted_with_kms_customer_master_keys.yaml 
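Review bot: The PostgreSQL branch of both `case` expressions in the rewritten `QueryToExecute` can never match: the engine list spells the engine `'postres'` (the sibling `aws_performance_insights` control uses the RDS engine name `'postgres'`) and compares against port 5431, whereas the PostgreSQL default port is 5432, so Postgres instances left on the default port are reported `ok`. Both arms should read `endpoint_port = 5432 and engine in ('postgres', 'aurora-postgresql')`; `'postgres-ee'` does not look like an RDS engine identifier, so verify it before keeping it. The reason literal `' port\n is set to default'` also spans a line break inside the SQL string, so the emitted reason text carries a newline and leading spaces — put it on one line. Restoring `QueryToExecute: |` instead of the escaped one-line string would have made these easier to spot in review.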
+++ b/compliance/controls/baseline/aws/rds/aws_rds_encrypted_with_kms_customer_master_keys.yaml @@ -1,8 +1,6 @@ ID: aws_rds_encrypted_with_kms_customer_master_keys Title: "RDS Encrypted With KMS Customer Master Keys" Description: "Ensure RDS instances are encrypted with CMKs to have full control over encrypting and decrypting data." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -29,12 +27,14 @@ Query: left join aws_kms_key as k on v.kms_key_id = k.arn PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_kms_key - - aws_rds_db_instance + - aws_kms_key + - aws_rds_db_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_encryption_enabled.yaml b/compliance/controls/baseline/aws/rds/aws_rds_encryption_enabled.yaml index ee3336a21..5e7432a93 100644 --- a/compliance/controls/baseline/aws/rds/aws_rds_encryption_enabled.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_encryption_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_rds_encryption_enabled Title: "RDS Encryption Enabled" Description: "Ensure encryption is setup for RDS instances to fulfill compliance requirements for data-at-rest encryption." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- 
@@ -24,15 +22,17 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_event_notifications.yaml b/compliance/controls/baseline/aws/rds/aws_rds_event_notifications.yaml index 2f428ea99..b000a09ca 100644 --- a/compliance/controls/baseline/aws/rds/aws_rds_event_notifications.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_event_notifications.yaml @@ -1,8 +1,6 @@ ID: aws_rds_event_notifications Title: "RDS Event Notifications" Description: "Enable event notifications for RDS." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -27,16 +25,18 @@ Query: = a.og_account_id PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_rds_db_event_subscription + - aws_account + - aws_rds_db_event_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_instance_counts.yaml b/compliance/controls/baseline/aws/rds/aws_rds_instance_counts.yaml index bcf759b7b..e907ae235 100644 
--- a/compliance/controls/baseline/aws/rds/aws_rds_instance_counts.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_instance_counts.yaml @@ -1,39 +1,22 @@ ID: aws_rds_instance_counts Title: "RDS Instance Counts" Description: "Ensure fewer Amazon RDS instances than the established limit in your AWS account." -Connector: -- aws Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - select - og_account_id as og_account_id, - og_resource_id as og_resource_id, - count(*) RDS_Instances_Count, - case - when count(*) > 10 then 'alarm' - else 'ok' - end status, - case - when count(*) > 10 then 'The limit the number of RDS instances exceeded' - else 'The limit the number of RDS instances not exceeded' - end reason, - account_id - from - aws_rds_db_instance - group by - og_account_id, og_resource_id, account_id; + QueryToExecute: "select \n og_account_id as og_account_id,\n og_resource_id as og_resource_id,\n count(*) RDS_Instances_Count,\n case\n when count(*) > 10 then 'alarm'\n else 'ok'\n end status,\n case\n when count(*) > 10 then 'The limit the number of RDS instances exceeded'\n else 'The limit the number of RDS instances not exceeded'\n end reason,\n account_id\nfrom \n aws_rds_db_instance \ngroup by \n og_account_id, og_resource_id, account_id;\n" PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_multi_az.yaml b/compliance/controls/baseline/aws/rds/aws_rds_multi_az.yaml index 89c876a5b..a64f1119c 100644 
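Review bot: `group by og_account_id, og_resource_id, account_id` in the rewritten `QueryToExecute` groups per resource as well as per account; if `og_resource_id` identifies the individual DB instance, as its use as the resource key in the sibling RDS controls suggests, every group has `count(*) = 1` and the `> 10` alarm can never fire. Counting per account and taking `og_resource_id` from `aws_account`, the way the account-scoped `aws_instance_level_events_subscriptions` control does, gives the per-account count the description intends (this also means adding `aws_account` to `ListOfTables` and making it the `PrimaryTable`). The threshold `10` is hard-coded while the description speaks of "the established limit in your AWS account"; the neighbouring `aws_rds_desired_instance_type` shows the pattern of exposing such a value through `Parameters`. The SQL should also stay a `|` block scalar rather than an escaped one-line string.
```yaml
  QueryToExecute: |
    with counts as (
      select account_id, count(*) as rds_instances_count
      from aws_rds_db_instance
      group by account_id
    )
    select
      a.og_account_id,
      a.og_resource_id,
      coalesce(c.rds_instances_count, 0) as RDS_Instances_Count,
      case
        when coalesce(c.rds_instances_count, 0) > 10 then 'alarm'
        else 'ok'
      end status,
      case
        when coalesce(c.rds_instances_count, 0) > 10 then 'The limit the number of RDS instances exceeded'
        else 'The limit the number of RDS instances not exceeded'
      end reason,
      a.account_id
    from
      aws_account a
      left join counts c on c.account_id = a.account_id;
```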
--- a/compliance/controls/baseline/aws/rds/aws_rds_multi_az.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_multi_az.yaml @@ -1,8 +1,6 @@ ID: aws_rds_multi_az Title: "RDS Multi-AZ" Description: "Ensure RDS instances are launched into Multi-AZ." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_rds_db_instance PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_public_snapshots.yaml b/compliance/controls/baseline/aws/rds/aws_rds_public_snapshots.yaml index 943385c29..d6a4d0e2a 100644 --- a/compliance/controls/baseline/aws/rds/aws_rds_public_snapshots.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_public_snapshots.yaml 
@@ -1,58 +1,22 @@ ID: aws_rds_public_snapshots Title: "Amazon RDS Public Snapshots" Description: "Ensure that your Amazon RDS database snapshots are not accessible to all AWS accounts." -Connector: -- aws Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - WITH restore_values AS ( - SELECT - db_snapshot_identifier, - - attr ->> 'AttributeValues' AS attrValues - FROM - aws_rds_db_snapshot, - - jsonb_array_elements(db_snapshot_attributes) attr - WHERE - attr ->> - 'AttributeName' = 'restore' - ) - SELECT - s.db_snapshot_identifier AS resource, - - s.og_account_id AS og_account_id, - s.og_resource_id AS og_resource_id, - - CASE - WHEN rv.attrValues LIKE '%all%' - THEN 'alarm' - ELSE 'ok' - - END AS status, - CASE - WHEN rv.attrValues LIKE '%all%' - THEN s.db_snapshot_identifier - || ' is open to all accounts' - ELSE s.db_snapshot_identifier || ' is not open - to all accounts' - END AS reason - FROM - aws_rds_db_snapshot AS s - LEFT JOIN - restore_values AS rv ON s.db_snapshot_identifier = rv.db_snapshot_identifier + QueryToExecute: "WITH restore_values AS (\n SELECT \n db_snapshot_identifier,\n \n attr ->> 'AttributeValues' AS attrValues \n FROM \n aws_rds_db_snapshot,\n \n jsonb_array_elements(db_snapshot_attributes) attr \n WHERE \n attr ->>\n 'AttributeName' = 'restore'\n)\nSELECT \n s.db_snapshot_identifier AS resource,\n\n s.og_account_id AS og_account_id,\n s.og_resource_id AS og_resource_id,\n\n CASE\n WHEN rv.attrValues LIKE '%all%'\n THEN 'alarm'\n ELSE 'ok'\n\n END AS status,\n CASE\n WHEN rv.attrValues LIKE '%all%'\n THEN s.db_snapshot_identifier\n || ' is open to all accounts'\n ELSE s.db_snapshot_identifier || ' is not open\n to all accounts'\n END AS reason\nFROM\n aws_rds_db_snapshot AS s\n LEFT JOIN\n restore_values AS rv ON s.db_snapshot_identifier = rv.db_snapshot_identifier\n" PrimaryTable: aws_rds_db_snapshot ListOfTables: - - aws_rds_db_snapshot + - aws_rds_db_snapshot Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS 
Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rds_publicly_accessible.yaml b/compliance/controls/baseline/aws/rds/aws_rds_publicly_accessible.yaml index 84d7d2cc4..c194398ad 100644 --- a/compliance/controls/baseline/aws/rds/aws_rds_publicly_accessible.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rds_publicly_accessible.yaml @@ -1,8 +1,6 @@ ID: aws_rds_publicly_accessible Title: "RDS Publicly Accessible" Description: "Ensure RDS instances aren't public facing to minimise security risks." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -24,15 +22,17 @@ Query: aws_rds_db_instance; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_rotate_ssltls_certificates_for_database_instances.yaml b/compliance/controls/baseline/aws/rds/aws_rotate_ssltls_certificates_for_database_instances.yaml index ba55d81bb..0175a2945 100644 --- a/compliance/controls/baseline/aws/rds/aws_rotate_ssltls_certificates_for_database_instances.yaml +++ b/compliance/controls/baseline/aws/rds/aws_rotate_ssltls_certificates_for_database_instances.yaml 
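Review bot: The `reason` literal `' is not open\n to all accounts'` in the rewritten `QueryToExecute` spans a line break inside the SQL string, so the emitted reason contains a newline and leading spaces; write it on one line, `ELSE s.db_snapshot_identifier || ' is not open to all accounts'`. The public test `rv.attrValues LIKE '%all%'` is a substring match on the text rendering of the `AttributeValues` array; keeping it as jsonb (`attr -> 'AttributeValues' AS attrValues` in the CTE) and testing membership with `rv.attrValues ? 'all'` is exact and independent of how the array is serialized. The join on `db_snapshot_identifier` alone ignores account and region, so identically named snapshots in different accounts could be cross-matched — carrying `s.og_account_id` (or the snapshot ARN, if the table exposes one) into `restore_values` and the join would close that. As elsewhere in this patch, keep `QueryToExecute: |` rather than the escaped one-line string.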
@@ -1,8 +1,6 @@ ID: aws_rotate_ssltls_certificates_for_database_instances Title: "Rotate SSL/TLS Certificates for Database Instances" Description: "Ensure that SSL/TLS certificates for RDS database instances are rotated according to the AWS schedule." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -25,15 +23,17 @@ Query: json_array_elements(certificate::json) as c; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance + - aws_rds_db_instance Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Unencrypted Traffic + - Unencrypted Traffic +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/rds/aws_security_groups_events_subscriptions.yaml b/compliance/controls/baseline/aws/rds/aws_security_groups_events_subscriptions.yaml index 3fce41433..18b62065c 100644 --- a/compliance/controls/baseline/aws/rds/aws_security_groups_events_subscriptions.yaml +++ b/compliance/controls/baseline/aws/rds/aws_security_groups_events_subscriptions.yaml 
@@ -1,43 +1,23 @@ ID: aws_security_groups_events_subscriptions Title: "Security Groups Events Subscriptions" Description: "Enable Event Subscriptions for DB Security Groups Events." -Connector: -- aws Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - select distinct - a.og_account_id, - a.og_resource_id, - case - when s.arn - is null then 'alarm' - else 'ok' - end status, - case - when s.arn is - null then 'Event subscription is not enabled for database security groups' - else - 'Event subscription is enabled for database security groups' - end reason, - - a.account_id - from - aws_account a - left join (select * from aws_rds_db_event_subscription - where source_type = 'db-security-group') s on s.og_account_id = a.og_account_id + QueryToExecute: "select distinct\n a.og_account_id,\n a.og_resource_id,\n case\n when s.arn\n is null then 'alarm'\n else 'ok'\n end status,\n case\n when s.arn is\n null then 'Event subscription is not enabled for database security groups'\n else\n 'Event subscription is enabled for database security groups'\n end reason,\n\n a.account_id\nfrom \n aws_account a\n left join (select * from aws_rds_db_event_subscription\n where source_type = 'db-security-group') s on s.og_account_id = a.og_account_id\n" PrimaryTable: aws_account ListOfTables: - - aws_account - - aws_rds_db_event_subscription + - aws_account + - aws_rds_db_event_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - General Efficiency + - General Efficiency score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - General Efficiency + - General Efficiency +IntegrationTypeName: + - aws_cloud 
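Review bot: As with the other rewritten controls, `QueryToExecute` is now a single double-quoted scalar with `\n` escapes instead of the `|` block scalar the untouched controls keep; restore `QueryToExecute: |` so the SQL stays readable and diffable. The control passes whenever any `db-security-group` subscription row exists (`s.arn is null` is the only test), so a disabled subscription still counts — if `aws_rds_db_event_subscription` exposes an enabled/status column, add it to the subquery's `where`. DB security groups are, as far as I know, an EC2-Classic-era construct that VPC-based RDS deployments do not use, so a short note in `Description` saying that every account without such a subscription will alarm regardless of whether it has DB security groups would save operators confusion.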
diff --git a/compliance/controls/baseline/aws/rds/aws_use_aws_backup_service_in_use_for_amazon_rds.yaml b/compliance/controls/baseline/aws/rds/aws_use_aws_backup_service_in_use_for_amazon_rds.yaml index 8a51a112a..0866b7740 100644 --- a/compliance/controls/baseline/aws/rds/aws_use_aws_backup_service_in_use_for_amazon_rds.yaml +++ b/compliance/controls/baseline/aws/rds/aws_use_aws_backup_service_in_use_for_amazon_rds.yaml @@ -1,8 +1,6 @@ ID: aws_use_aws_backup_service_in_use_for_amazon_rds Title: "Use AWS Backup Service in Use for Amazon RDS" Description: "Ensure that Amazon Backup service is used to manage AWS RDS database snapshots." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: |- @@ -32,16 +30,18 @@ Query: left join snapshots as b on r.db_instance_identifier = b.db_instance_identifier; PrimaryTable: aws_rds_db_instance ListOfTables: - - aws_rds_db_instance - - aws_rds_db_snapshot + - aws_rds_db_instance + - aws_rds_db_snapshot Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - AWS Relational Database Service (RDS) + - AWS Relational Database Service (RDS) score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/vpc/aws_managed_nat_gateway_in_use.yaml b/compliance/controls/baseline/aws/vpc/aws_managed_nat_gateway_in_use.yaml index 1fff6dc9d..c84d53019 100644 --- a/compliance/controls/baseline/aws/vpc/aws_managed_nat_gateway_in_use.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_managed_nat_gateway_in_use.yaml @@ -1,8 +1,6 @@ ID: aws_managed_nat_gateway_in_use Title: "Managed NAT Gateway in Use" Description: "Ensure that the Managed NAT Gateway service is enabled for high availability (HA)." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
@@ -28,16 +26,18 @@ Query: left join available_nat_gateways as ng on ng.vpc_id = v.vpc_id PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_nat_gateway + - aws_vpc + - aws_vpc_nat_gateway Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) platform_score_use_case: - - Over Utilization + - Over Utilization score_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) score_tags: - - Over Utilization + - Over Utilization +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/vpc/aws_unrestricted_inbound_traffic_on_remote_server_administration_ports.yaml b/compliance/controls/baseline/aws/vpc/aws_unrestricted_inbound_traffic_on_remote_server_administration_ports.yaml index e2167221f..4101d2da9 100644 --- a/compliance/controls/baseline/aws/vpc/aws_unrestricted_inbound_traffic_on_remote_server_administration_ports.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_unrestricted_inbound_traffic_on_remote_server_administration_ports.yaml 
@@ -1,76 +1,23 @@ ID: aws_unrestricted_inbound_traffic_on_remote_server_administration_ports Title: "Unrestricted Inbound Traffic on Remote Server Administration Ports" Description: "Ensure that no Network ACL (NACL) allows unrestricted inbound traffic on TCP ports 22 and 3389." -Connector: -- aws Query: Engine: odysseus-v0.0.1 - QueryToExecute: |+ - with bad_rules as ( - select - network_acl_id, - count(*) as num_bad_rules - from - aws_vpc_network_acl, - jsonb_array_elements(entries) as att - where - att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress - and ( - att ->> 'CidrBlock' = '0.0.0.0/0' - or att ->> 'Ipv6CidrBlock' = '::/0' - ) - and att ->> 'RuleAction' = 'allow' - and ( - ( - att ->> 'Protocol' = '-1' -- all traffic - and att ->> 'PortRange' is null - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 22 - and (att -> 'PortRange' ->> 'To') :: int >= 22 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 3389 - and (att -> 'PortRange' ->> 'To') :: int >= 3389 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - ) - group by - network_acl_id - ) - select - 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource, - acl.og_resource_id, - acl.og_account_id, - case - when bad_rules.network_acl_id is null then 'ok' - else 'alarm' - end as status, - case - when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- end as reason, - acl.region, - acl.account_id - from - aws_vpc_network_acl as acl - left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id - inner join aws_vpc vpc on acl.vpc_id = vpc.vpc_id - where jsonb_array_length(acl.associations) > 0 and vpc.is_default = false; - + QueryToExecute: "with bad_rules as (\n select\n network_acl_id,\n count(*) as num_bad_rules\n from\n aws_vpc_network_acl,\n jsonb_array_elements(entries) as att\n where\n att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress\n and (\n att ->> 'CidrBlock' = '0.0.0.0/0'\n or att ->> 'Ipv6CidrBlock' = '::/0'\n )\n and att ->> 'RuleAction' = 'allow'\n and (\n (\n att ->> 'Protocol' = '-1' -- all traffic\n and att ->> 'PortRange' is null\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 22\n and (att -> 'PortRange' ->> 'To') :: int >= 22\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 3389\n and (att -> 'PortRange' ->> 'To') :: int >= 3389\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n )\n group by\n network_acl_id\n)\nselect\n 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource,\n acl.og_resource_id,\n acl.og_account_id,\n case\n when bad_rules.network_acl_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n end as reason,\n acl.region,\n acl.account_id\nfrom\n aws_vpc_network_acl as acl\n left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id \n inner join aws_vpc vpc on acl.vpc_id = vpc.vpc_id\n where jsonb_array_length(acl.associations) > 0 and vpc.is_default = false;\n\n" PrimaryTable: aws_vpc_network_acl 
ListOfTables: - - aws_vpc - - aws_vpc_network_acl + - aws_vpc + - aws_vpc_network_acl Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_inbound_traffic.yaml b/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_inbound_traffic.yaml index 9bc21b4fb..e8de8d3af 100644 --- a/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_inbound_traffic.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_inbound_traffic.yaml @@ -1,8 +1,6 @@ ID: aws_unrestricted_network_acl_inbound_traffic Title: "Unrestricted Network ACL Inbound Traffic" Description: "Ensure that no Network ACL (NACL) allows inbound/ingress traffic from all ports." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -34,15 +32,17 @@ Query: aws_vpc_network_acl PrimaryTable: aws_vpc_network_acl ListOfTables: - - aws_vpc_network_acl + - aws_vpc_network_acl Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_outbound_traffic.yaml b/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_outbound_traffic.yaml index 1ccb95548..df2fc9d3a 100644 
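Review bot: The rewritten `QueryToExecute` excludes every default VPC (`vpc.is_default = false`) from evaluation, so a default VPC whose NACL allows 0.0.0.0/0 ingress to 22 or 3389 — as the AWS-created default NACL typically does by allowing all traffic — is never reported, and neither the title nor the description says so; either drop the filter or state the exclusion in `Description`. The `bad_rules` CTE never looks at rule ordering, so an `allow` entry shadowed by a lower-numbered `deny` for the same CIDR is still counted; at minimum add a comment such as `-- note: rule order (RuleNumber) is not evaluated; shadowed allows are still reported`, and if the entries carry `RuleNumber`, check that no earlier deny covers the port. The description promises TCP ports 22 and 3389 while the match accepts protocol `'17'` (UDP) as well; either narrow the `in('6', '17')` checks to `'6'` or widen the description. The SQL should stay a `|` block scalar as in the neighbouring controls rather than an escaped one-line string.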
--- a/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_outbound_traffic.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_unrestricted_network_acl_outbound_traffic.yaml @@ -1,8 +1,6 @@ ID: aws_unrestricted_network_acl_outbound_traffic Title: "Unrestricted Network ACL Outbound Traffic" Description: "Ensure that no Network ACL (NACL) allows outbound/egress traffic to all ports." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -34,15 +32,17 @@ Query: aws_vpc_network_acl PrimaryTable: aws_vpc_network_acl ListOfTables: - - aws_vpc_network_acl + - aws_vpc_network_acl Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_cross_account_access.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_cross_account_access.yaml index 8ed1c2092..f7f17538b 100644 --- a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_cross_account_access.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_cross_account_access.yaml 
@@ -1,56 +1,22 @@ ID: aws_vpc_endpoint_cross_account_access Title: "VPC Endpoint Cross Account Access" Description: "Ensure Amazon VPC endpoints don't allow unknown cross account access." -Connector: -- aws Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - SELECT - vpc_endpoint_id as resource, - og_resource_id, - og_account_id, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(policy::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '"*"' or - (s ->> 'Principal')::text = '{"AWS": "*"}') - ) THEN 'alarm' - WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok' - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(policy::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and not('{{.awsTrustedAccounts}}' LIKE ('%'||((s ->> 'Principal')::text) || '%')) - ) THEN 'alarm' - ELSE 'ok' - END AS status, - CASE - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(policy::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '"*"' or - (s ->> 'Principal')::text = '{"AWS": "*"}') - ) THEN vpc_endpoint_id || ' is publicly accessible' - WHEN '{{.awsTrustedAccounts}}' = '' THEN 'trusted AWS accounts are not defined' - WHEN EXISTS ( - SELECT 1 FROM jsonb_array_elements(policy::jsonb -> 'Statement') as s - WHERE (s ->> 'Effect') = 'Allow' and not('{{.awsTrustedAccounts}}' LIKE ('%'||((s ->> 'Principal')::text) || '%')) - ) THEN vpc_endpoint_id || ' is not configured to allow access only to trusted AWS accounts' - ELSE vpc_endpoint_id || ' is configured to allow access only to trusted AWS accounts' - END AS reason, - region, - account_id - FROM - aws_vpc_endpoint + QueryToExecute: "SELECT \n vpc_endpoint_id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(policy::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '\"*\"' or\n (s ->> 'Principal')::text = '{\"AWS\": \"*\"}')\n ) THEN 
'alarm'\n WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok'\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(policy::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and not('{{.awsTrustedAccounts}}' LIKE ('%'||((s ->> 'Principal')::text) || '%'))\n ) THEN 'alarm'\n ELSE 'ok'\n END AS status,\n CASE\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(policy::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and ((s ->> 'Principal')::text = '\"*\"' or\n (s ->> 'Principal')::text = '{\"AWS\": \"*\"}')\n ) THEN vpc_endpoint_id || ' is publicly accessible' \n WHEN '{{.awsTrustedAccounts}}' = '' THEN 'trusted AWS accounts are not defined'\n WHEN EXISTS (\n SELECT 1 FROM jsonb_array_elements(policy::jsonb -> 'Statement') as s\n WHERE (s ->> 'Effect') = 'Allow' and not('{{.awsTrustedAccounts}}' LIKE ('%'||((s ->> 'Principal')::text) || '%'))\n ) THEN vpc_endpoint_id || ' is not configured to allow access only to trusted AWS accounts'\n ELSE vpc_endpoint_id || ' is configured to allow access only to trusted AWS accounts'\n END AS reason,\n region,\n account_id\nFROM \naws_vpc_endpoint\n" PrimaryTable: aws_vpc_endpoint ListOfTables: - - aws_vpc_endpoint + - aws_vpc_endpoint Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_exposed.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_exposed.yaml index 6334d9e39..f9fd41e63 100644 --- a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_exposed.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoint_exposed.yaml 
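Review bot: The `WHEN '{{.awsTrustedAccounts}}' = '' THEN 'ok'` branch of the status CASE reports every endpoint as compliant when no trusted-account list has been configured, even though the reason branch beside it admits the check could not be evaluated; the honest status is the `'skip'` value this same commit's azure_check_for_azure_key_vault_keys_expiration_date control uses for that situation, i.e. `WHEN '{{.awsTrustedAccounts}}' = '' THEN 'skip'`. The trusted-account test itself matches the Principal's whole JSON text against the list with `LIKE`, so object-form principals such as `{"AWS": "arn:..."}` presumably never match and are alarmed even when trusted — worth confirming against the format `awsTrustedAccounts` is supplied in. Separately, this hunk (and the ones for aws_vpc_endpoints_in_use, aws_vpc_peering_connections_to_accounts_outside_aws_organization, azure_check_for_azure_key_vault_keys_expiration_date and azure_enable_auditevent_logging_for_azure_key_vaults) replaces the readable `QueryToExecute: |` block scalar with one double-quoted line of `\n` escapes, which now also carries a stray trailing space in `' is publicly accessible' \n`; keeping `QueryToExecute: |` leaves the SQL diffable line by line. The query text is otherwise unchanged, so this part is a layout regression rather than a behavioural one.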
@@ -1,8 +1,6 @@ ID: aws_vpc_endpoint_exposed Title: "VPC Endpoint Exposed" Description: "Ensure Amazon VPC endpoints aren't exposed to everyone." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -26,16 +24,18 @@ Query: jsonb_array_elements(e.policy -> 'Statement') as p PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_endpoint + - aws_vpc + - aws_vpc_endpoint Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoints_in_use.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoints_in_use.yaml index 73a47d07e..a4710b6c8 100644 --- a/compliance/controls/baseline/aws/vpc/aws_vpc_endpoints_in_use.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_endpoints_in_use.yaml 
@@ -1,44 +1,23 @@ ID: aws_vpc_endpoints_in_use Title: "VPC Endpoints In Use" Description: "Ensure that VPC endpoints are being used to connect your VPC to another AWS cloud service." -Connector: -- aws Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - SELECT - v.vpc_id as resource, - v.og_resource_id, - v.og_account_id, - CASE - WHEN EXISTS ( - select 1 from aws_vpc_endpoint as e where e.vpc_id = v.vpc_id - ) THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN EXISTS ( - select 1 from aws_vpc_endpoint as e where e.vpc_id = v.vpc_id - ) THEN v.vpc_id || ' has VPC endpoints' - ELSE ' there are no Amazon VPC endpoints deployed for ' || v.vpc_id - END AS reason, - v.region, - v.account_id - FROM - aws_vpc as v - WHERE is_default = false; + QueryToExecute: "SELECT \n v.vpc_id as resource,\n v.og_resource_id,\n v.og_account_id,\n CASE\n WHEN EXISTS (\n select 1 from aws_vpc_endpoint as e where e.vpc_id = v.vpc_id\n ) THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN EXISTS (\n select 1 from aws_vpc_endpoint as e where e.vpc_id = v.vpc_id\n ) THEN v.vpc_id || ' has VPC endpoints'\n ELSE ' there are no Amazon VPC endpoints deployed for ' || v.vpc_id\n END AS reason,\n v.region,\n v.account_id\nFROM \naws_vpc as v\nWHERE is_default = false;\n" PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_endpoint + - aws_vpc + - aws_vpc_endpoint Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_flow_logs_enabled.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_flow_logs_enabled.yaml index 76b0965b0..3ac598bd2 100644 
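Review bot: The ELSE reason on the new side, `ELSE ' there are no Amazon VPC endpoints deployed for ' || v.vpc_id`, begins with a stray leading space and is built in the opposite shape from the `THEN v.vpc_id || ' has VPC endpoints'` branch; `ELSE v.vpc_id || ' has no Amazon VPC endpoints deployed'` keeps the two reasons parallel. The quoted-scalar reflow of `QueryToExecute` in this hunk is covered by the note on aws_vpc_endpoint_cross_account_access.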
--- a/compliance/controls/baseline/aws/vpc/aws_vpc_flow_logs_enabled.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_flow_logs_enabled.yaml @@ -1,8 +1,6 @@ ID: aws_vpc_flow_logs_enabled Title: "VPC Flow Logs Enabled" Description: "Ensure VPC flow logging is enabled in all VPCs." -Connector: -- aws Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -27,16 +25,18 @@ Query: left join aws_vpc_flow_log as f on v.vpc_id = f.resource_id; PrimaryTable: aws_vpc ListOfTables: - - aws_vpc - - aws_vpc_flow_log + - aws_vpc + - aws_vpc_flow_log Parameters: [] Severity: low Tags: platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) platform_score_use_case: - - Unencrypted Traffic + - Unencrypted Traffic score_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) score_tags: - - Unencrypted Traffic + - Unencrypted Traffic +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/aws/vpc/aws_vpc_peering_connections_to_accounts_outside_aws_organization.yaml b/compliance/controls/baseline/aws/vpc/aws_vpc_peering_connections_to_accounts_outside_aws_organization.yaml index e401ff9c0..772c29ab7 100644 --- a/compliance/controls/baseline/aws/vpc/aws_vpc_peering_connections_to_accounts_outside_aws_organization.yaml +++ b/compliance/controls/baseline/aws/vpc/aws_vpc_peering_connections_to_accounts_outside_aws_organization.yaml 
@@ -1,59 +1,24 @@ ID: aws_vpc_peering_connections_to_accounts_outside_aws_organization Title: "VPC Peering Connections To Accounts Outside AWS Organization" Description: "Ensure VPC peering communication is only between AWS accounts, members of the same AWS Organization." -Connector: -- aws Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - WITH account_org AS ( - SELECT - og_account_id, - organization_id - FROM - aws_account - ), vpc_org AS ( - SELECT - vpc.vpc_id, - ao.organization_id as org - FROM - aws_vpc AS vpc - LEFT JOIN account_org AS ao ON ao.og_account_id = vpc.og_account_id - ) - - SELECT - c.id as resource, - og_resource_id, - og_account_id, - CASE - WHEN accepter_org.org = requester_org.org THEN 'ok' - ELSE 'alarm' - END AS status, - CASE - WHEN accepter_org.org = requester_org.org THEN c.id || ' connections are ok' - ELSE c.id || ' connects to accounts outside organization' - END AS reason, - region, - account_id - FROM - aws_vpc_peering_connection AS c - LEFT JOIN vpc_org AS accepter_org ON c.accepter_vpc_id = accepter_org.vpc_id - LEFT JOIN vpc_org AS requester_org ON c.requester_vpc_id = accepter_org.vpc_id - WHERE - status_code = 'active' + QueryToExecute: "WITH account_org AS (\n SELECT \n og_account_id,\n organization_id\n FROM\n aws_account\n), vpc_org AS (\n SELECT\n vpc.vpc_id,\n ao.organization_id as org\n FROM\n aws_vpc AS vpc\n LEFT JOIN account_org AS ao ON ao.og_account_id = vpc.og_account_id\n)\n\nSELECT \n c.id as resource,\n og_resource_id,\n og_account_id,\n CASE\n WHEN accepter_org.org = requester_org.org THEN 'ok'\n ELSE 'alarm'\n END AS status,\n CASE\n WHEN accepter_org.org = requester_org.org THEN c.id || ' connections are ok'\n ELSE c.id || ' connects to accounts outside organization'\n END AS reason,\n region,\n account_id\nFROM \n aws_vpc_peering_connection AS c\n LEFT JOIN vpc_org AS accepter_org ON c.accepter_vpc_id = accepter_org.vpc_id\n LEFT JOIN vpc_org AS requester_org ON c.requester_vpc_id = 
accepter_org.vpc_id\nWHERE\n status_code = 'active'\n" PrimaryTable: aws_vpc_peering_connection ListOfTables: - - aws_account - - aws_vpc - - aws_vpc_peering_connection + - aws_account + - aws_vpc + - aws_vpc_peering_connection Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - AWS Virtual Private Cloud (VPC) + - AWS Virtual Private Cloud (VPC) score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/baseline/azure/KeyVault/azure_app_tier_customer_managed_key_in_use.yaml b/compliance/controls/baseline/azure/KeyVault/azure_app_tier_customer_managed_key_in_use.yaml index fd18bcfab..adbff1f51 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_app_tier_customer_managed_key_in_use.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_app_tier_customer_managed_key_in_use.yaml @@ -1,8 +1,6 @@ ID: azure_app_tier_customer_managed_key_in_use Title: "App Tier Customer-Managed Key In Use" Description: "Ensure that a Customer-Managed Key is created for your Azure cloud application tier." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -37,18 +35,20 @@ Query: azure_subscription as sub PrimaryTable: azure_subscription ListOfTables: - - azure_key_vault_key - - azure_subscription + - azure_key_vault_key + - azure_subscription Parameters: - Key: azureAppTierTags Required: true Severity: high Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - azure_subscription 
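Review bot: The second join on the new side, `LEFT JOIN vpc_org AS requester_org ON c.requester_vpc_id = accepter_org.vpc_id`, compares the requester VPC against the accepter alias, so for any peering between two different VPCs requester_org is all NULL, `accepter_org.org = requester_org.org` evaluates to NULL and every active connection falls through to `'alarm'`; the condition should be `LEFT JOIN vpc_org AS requester_org ON c.requester_vpc_id = requester_org.vpc_id`. This predates the commit, which only reflows the query into a quoted scalar, but the quoted line is where it now lives. Once fixed, a peer VPC in an account that is not inventoried has a NULL organization_id and is still reported as `'alarm'`, which looks like the intended "outside the organization" signal but is worth stating in a comment above `QueryToExecute`, e.g. `# a peer VPC whose account is not inventoried has no organization_id and is reported as alarm`.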
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_allowed_certificate_key_types.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_allowed_certificate_key_types.yaml index 9b8d36e11..0e0672566 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_allowed_certificate_key_types.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_allowed_certificate_key_types.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_allowed_certificate_key_types Title: "Check for Allowed Certificate Key Types" Description: "Ensure that Azure Key Vault certificates are using the appropriate key type(s)." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -25,18 +23,20 @@ Query: left join azure_subscription as sub on k.subscription_id = sub.subscription_id PrimaryTable: azure_key_vault_key ListOfTables: - - azure_key_vault_key - - azure_subscription + - azure_key_vault_key + - azure_subscription Parameters: - Key: azureAllowedKeyTypes Required: true Severity: medium Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_keys_expiration_date.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_keys_expiration_date.yaml index 370b1d4c1..a25b2f5b5 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_keys_expiration_date.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_keys_expiration_date.yaml 
@@ -1,61 +1,25 @@ ID: azure_check_for_azure_key_vault_keys_expiration_date Title: "Check for Azure Key Vault Keys Expiration Date" Description: "Ensure that your Azure Key Vault encryption keys are renewed prior to their expiration date." -Connector: -- azure Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - select - name as resource, - k.og_resource_id, - k.og_account_id, - case - when expires_at is null then 'skip' - when '{{.azureKeyVaultKeyExpirationDateDays}}' = '' then - case - when expires_at - now() > '30 days'::interval then 'ok' - else 'alarm' - end - else - case - when expires_at - now() > '{{.azureKeyVaultKeyExpirationDateDays}} days'::interval then 'ok' - else 'alarm' - end - end as status, - case - when expires_at is null then 'expires at is not specified' - when expires_at < now() then 'key has been expired' - when '{{.azureKeyVaultKeyExpirationDateDays}}' = '' then - case - when expires_at - now() > '30 days'::interval then 'key does not expire soon' - else 'key expires soon' - end - else - case - when expires_at - now() > '{{.azureKeyVaultKeyExpirationDateDays}} days'::interval then 'key does not expire soon' - else 'key expires soon' - end - end as reason, - resource_group as resource_group, - sub.display_name as subscription - from - azure_key_vault_key as k - left join azure_subscription as sub on k.subscription_id = sub.subscription_id + QueryToExecute: "select\n name as resource,\n k.og_resource_id,\n k.og_account_id,\n case\n when expires_at is null then 'skip'\n when '{{.azureKeyVaultKeyExpirationDateDays}}' = '' then\n case \n when expires_at - now() > '30 days'::interval then 'ok'\n else 'alarm'\n end\n else\n case\n when expires_at - now() > '{{.azureKeyVaultKeyExpirationDateDays}} days'::interval then 'ok'\n else 'alarm'\n end\n end as status,\n case\n when expires_at is null then 'expires at is not specified'\n when expires_at < now() then 'key has been expired'\n when '{{.azureKeyVaultKeyExpirationDateDays}}' = '' then\n case\n when 
expires_at - now() > '30 days'::interval then 'key does not expire soon'\n else 'key expires soon'\n end\n else\n case\n when expires_at - now() > '{{.azureKeyVaultKeyExpirationDateDays}} days'::interval then 'key does not expire soon'\n else 'key expires soon'\n end\n end as reason,\n resource_group as resource_group,\n sub.display_name as subscription\nfrom\n azure_key_vault_key as k\n left join azure_subscription as sub on k.subscription_id = sub.subscription_id\n" PrimaryTable: azure_key_vault_key ListOfTables: - - azure_key_vault_key - - azure_subscription + - azure_key_vault_key + - azure_subscription Parameters: - Key: azureKeyVaultKeyExpirationDateDays Required: true Severity: medium Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_secrets_expiration_date.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_secrets_expiration_date.yaml index fda573d03..fb0b6917f 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_secrets_expiration_date.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_azure_key_vault_secrets_expiration_date.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_azure_key_vault_secrets_expiration_date Title: "Check for Azure Key Vault Secrets Expiration Date" Description: "Ensure that your Azure Key Vault secrets are renewed prior to their expiration date." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
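Review bot: The parameter `azureKeyVaultKeyExpirationDateDays` is declared `Required: true` while both CASE expressions still carry the `when '{{.azureKeyVaultKeyExpirationDateDays}}' = '' then … '30 days'::interval` fallback, so the metadata and the query disagree on whether an empty value is allowed; either drop `Required: true` and document the 30-day default, or remove the empty-string branches. The status CASE has no branch for `expires_at < now()`, so an already-expired key reaches `'alarm'` only because the negative interval fails the `>` test, whereas the reason CASE names that case explicitly; a matching `when expires_at < now() then 'alarm'` would derive both columns the same way. The templated day count is spliced into a SQL literal; presumably the value is operator-supplied, but a non-integer would make the `::interval` cast fail at run time rather than at configuration time, so validating it as an integer where parameters are loaded would be worthwhile.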
@@ -26,18 +24,20 @@ Query: left join azure_subscription as sub on s.subscription_id = sub.subscription_id PrimaryTable: azure_key_vault_secret ListOfTables: - - azure_key_vault_secret - - azure_subscription + - azure_key_vault_secret + - azure_subscription Parameters: - Key: azureCmkSecretExpireDays Required: true Severity: medium Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_certificate_minimum_key_size.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_certificate_minimum_key_size.yaml index cf31a082c..d83e77b82 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_certificate_minimum_key_size.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_certificate_minimum_key_size.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_certificate_minimum_key_size Title: "Check for Certificate Minimum Key Size" Description: "Ensure that Azure Key Vault RSA certificates are using the appropriate key size." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -27,18 +25,20 @@ Query: left join azure_subscription as sub on k.subscription_id = sub.subscription_id PrimaryTable: azure_key_vault_key ListOfTables: - - azure_key_vault_key - - azure_subscription + - azure_key_vault_key + - azure_subscription Parameters: - Key: azureRsaCertificateMinSize Required: true Severity: medium Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_key_vault_full_administrator_permissions.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_key_vault_full_administrator_permissions.yaml index 44ce5f0f4..99eadad0a 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_key_vault_full_administrator_permissions.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_key_vault_full_administrator_permissions.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_key_vault_full_administrator_permissions Title: "Check for Key Vault Full Administrator Permissions" Description: "Ensure that no Azure user, group or application has full permissions to access and manage Key Vaults." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -16,7 +14,7 @@ Query: 'Update','Create','Import','Delete','Recover','Backup','Restore','ManageContacts', 'ManageIssuers','GetIssuers','ListIssuers','SetIssuers','DeleteIssuers','Purge']) AS c ) - + select v.name as resource, v.og_resource_id, @@ -54,16 +52,18 @@ Query: left join azure_subscription as sub on v.subscription_id = sub.subscription_id PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/KeyVault/azure_check_for_sufficient_certificate_auto_renewal_period.yaml b/compliance/controls/baseline/azure/KeyVault/azure_check_for_sufficient_certificate_auto_renewal_period.yaml index d2827f9ca..58b16b763 100644 
--- a/compliance/controls/baseline/azure/KeyVault/azure_check_for_sufficient_certificate_auto_renewal_period.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_check_for_sufficient_certificate_auto_renewal_period.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_sufficient_certificate_auto_renewal_period Title: "Check for Sufficient Certificate Auto-Renewal Period" Description: "Ensure there is a sufficient period configured for the SSL certificates auto-renewal." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -26,18 +24,20 @@ Query: jsonb_array_elements(lifetime_actions) as la PrimaryTable: azure_key_vault_certificate ListOfTables: - - azure_key_vault_certificate - - azure_subscription + - azure_key_vault_certificate + - azure_subscription Parameters: - Key: azureSufficientDaysBeforeCertificateExpiry Required: true Severity: high Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/KeyVault/azure_database_tier_customer_managed_key_in_use.yaml b/compliance/controls/baseline/azure/KeyVault/azure_database_tier_customer_managed_key_in_use.yaml index 69c8016c9..8722d5bee 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_database_tier_customer_managed_key_in_use.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_database_tier_customer_managed_key_in_use.yaml @@ -1,8 +1,6 @@ ID: azure_database_tier_customer_managed_key_in_use Title: "Database Tier Customer-Managed Key In Use" Description: "Ensure that a Customer-Managed Key is created for your Azure cloud database tier." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
@@ -37,18 +35,20 @@ Query: azure_subscription as sub PrimaryTable: azure_subscription ListOfTables: - - azure_key_vault_key - - azure_subscription + - azure_key_vault_key + - azure_subscription Parameters: - Key: azureDatabaseTierTags Required: true Severity: high Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_auditevent_logging_for_azure_key_vaults.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_auditevent_logging_for_azure_key_vaults.yaml index 4c67c0cf0..e824e4cb2 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_enable_auditevent_logging_for_azure_key_vaults.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_auditevent_logging_for_azure_key_vaults.yaml 
@@ -1,54 +1,23 @@ ID: azure_enable_auditevent_logging_for_azure_key_vaults Title: "Enable AuditEvent Logging for Azure Key Vaults" Description: "Ensure that logging for Azure KeyVault is 'Enabled'" -Connector: -- azure Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - select - name as resource, - v.og_resource_id, - v.og_account_id, - case - when exists( - select 1 - from - jsonb_array_elements(diagnostic_settings) as ds, - jsonb_array_elements(ds -> 'properties' -> 'logs') as l - where - (l ->> 'category' = 'AuditEvent') and (l ->> 'enabled' = 'true') - ) then 'ok' - else 'alarm' - end as status, - case - when exists( - select 1 - from - jsonb_array_elements(diagnostic_settings) as ds, - jsonb_array_elements(ds -> 'properties' -> 'logs') as l - where - (l ->> 'category' = 'AuditEvent') and (l ->> 'enabled' = 'true') - ) then 'subscription has an app-tier cmk' - else 'subscription does not have any app-tier cmk' - end as reason, - resource_group as resource_group, - sub.display_name as subscription - from - azure_key_vault as v - left join azure_subscription as sub on v.subscription_id = sub.subscription_id + QueryToExecute: "select\n name as resource,\n v.og_resource_id,\n v.og_account_id,\n case\n when exists(\n select 1\n from \n jsonb_array_elements(diagnostic_settings) as ds,\n jsonb_array_elements(ds -> 'properties' -> 'logs') as l\n where\n (l ->> 'category' = 'AuditEvent') and (l ->> 'enabled' = 'true')\n ) then 'ok'\n else 'alarm'\n end as status,\n case\n when exists(\n select 1\n from \n jsonb_array_elements(diagnostic_settings) as ds,\n jsonb_array_elements(ds -> 'properties' -> 'logs') as l\n where\n (l ->> 'category' = 'AuditEvent') and (l ->> 'enabled' = 'true')\n ) then 'subscription has an app-tier cmk'\n else 'subscription does not have any app-tier cmk'\n end as reason,\n resource_group as resource_group,\n sub.display_name as subscription\nfrom\n azure_key_vault as v\n left join azure_subscription as sub on v.subscription_id = 
sub.subscription_id\n" PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_certificate_transparency.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_certificate_transparency.yaml index 1c3f1f3fd..02d683bf8 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_enable_certificate_transparency.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_certificate_transparency.yaml @@ -1,8 +1,6 @@ ID: azure_enable_certificate_transparency Title: "Enable Certificate Transparency" Description: "Ensure there is a sufficient period configured for the SSL certificates auto-renewal." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -25,16 +23,18 @@ Query: left join azure_subscription as sub on c.subscription_id = sub.subscription_id PrimaryTable: azure_key_vault_certificate ListOfTables: - - azure_key_vault_certificate - - azure_subscription + - azure_key_vault_certificate + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Insecure Keys + - Insecure Keys score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Insecure Keys + - Insecure Keys +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_key_vault_recoverability.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_key_vault_recoverability.yaml index 51e4e0caa..e2760d04f 100644 
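Review bot: The reason strings on the new side, `then 'subscription has an app-tier cmk'` and `else 'subscription does not have any app-tier cmk'`, are carried over from the customer-managed-key controls and do not describe what this query tests (an enabled `AuditEvent` category in the vault's diagnostic settings); something like `then v.name || ' has AuditEvent logging enabled'` / `else v.name || ' does not have AuditEvent logging enabled'` would match the Title and Description. The mistake predates the commit, which only reflows the query into a quoted scalar. `name as resource` is also the one unqualified column while its neighbours use `v.`; `v.name as resource` avoids an ambiguity should azure_subscription expose a `name` column.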
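Review bot: The Description kept on the new side of the azure_enable_certificate_transparency header hunk, `"Ensure there is a sufficient period configured for the SSL certificates auto-renewal."`, is the text of azure_check_for_sufficient_certificate_auto_renewal_period and does not match this control's Title, "Enable Certificate Transparency"; presumably it should read along the lines of `Description: "Ensure that Certificate Transparency is enabled for your Azure Key Vault SSL certificates."`, to be confirmed against what the query actually checks. The commit touches this hunk only to remove `Connector`, so the mismatch predates it.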
--- a/compliance/controls/baseline/azure/KeyVault/azure_enable_key_vault_recoverability.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_key_vault_recoverability.yaml @@ -1,8 +1,6 @@ ID: azure_enable_key_vault_recoverability Title: "Enable Key Vault Recoverability" Description: "Ensure that your Microsoft Azure Key Vault instances are recoverable." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -25,16 +23,18 @@ Query: left join azure_subscription as sub on v.subscription_id = sub.subscription_id PrimaryTable: azure_key_vault ListOfTables: - - azure_key_vault - - azure_subscription + - azure_key_vault + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure KeyVault + - Azure KeyVault platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - Azure KeyVault + - Azure KeyVault score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_ssl_certificate_auto_renewal.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_ssl_certificate_auto_renewal.yaml index 79be7975a..6bd59dc96 100644 --- a/compliance/controls/baseline/azure/KeyVault/azure_enable_ssl_certificate_auto_renewal.yaml +++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_ssl_certificate_auto_renewal.yaml @@ -1,8 +1,6 @@ ID: azure_enable_ssl_certificate_auto_renewal Title: "Enable SSL Certificate Auto-Renewal" Description: "Ensure that Auto-Renewal feature is enabled for your Azure Key Vault SSL certificates." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
@@ -26,16 +24,18 @@ Query:
 jsonb_array_elements(lifetime_actions) as la
 PrimaryTable: azure_key_vault_certificate
 ListOfTables:
- - azure_key_vault_certificate
- - azure_subscription
+ - azure_key_vault_certificate
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_enable_trusted_microsoft_services_for_key_vault_access.yaml b/compliance/controls/baseline/azure/KeyVault/azure_enable_trusted_microsoft_services_for_key_vault_access.yaml
index 193279aa4..c1c4876cd 100644
--- a/compliance/controls/baseline/azure/KeyVault/azure_enable_trusted_microsoft_services_for_key_vault_access.yaml
+++ b/compliance/controls/baseline/azure/KeyVault/azure_enable_trusted_microsoft_services_for_key_vault_access.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_trusted_microsoft_services_for_key_vault_access
 Title: "Enable Trusted Microsoft Services for Key Vault Access"
 Description: "Allow trusted Microsoft services to access your Azure Key Vault resources (i.e. encryption keys, secrets and certificates)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,16 +25,18 @@ Query:
 left join azure_subscription as sub on c.subscription_id = sub.subscription_id
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_restrict_default_network_access_for_azure_key_vaults.yaml b/compliance/controls/baseline/azure/KeyVault/azure_restrict_default_network_access_for_azure_key_vaults.yaml
index 2be07aaff..deda7493c 100644
--- a/compliance/controls/baseline/azure/KeyVault/azure_restrict_default_network_access_for_azure_key_vaults.yaml
+++ b/compliance/controls/baseline/azure/KeyVault/azure_restrict_default_network_access_for_azure_key_vaults.yaml
@@ -1,8 +1,6 @@
 ID: azure_restrict_default_network_access_for_azure_key_vaults
 Title: "Restrict Default Network Access for Azure Key Vaults"
 Description: "Ensure that default network access (i.e. public access) rule is set to \"Deny\" within your Azure Key Vaults configuration."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on v.subscription_id = sub.subscription_id
 PrimaryTable: azure_key_vault
 ListOfTables:
- - azure_key_vault
- - azure_subscription
+ - azure_key_vault
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_set_azure_secret_key_expiration.yaml b/compliance/controls/baseline/azure/KeyVault/azure_set_azure_secret_key_expiration.yaml
index 6fb5f807f..3774a4cd3 100644
--- a/compliance/controls/baseline/azure/KeyVault/azure_set_azure_secret_key_expiration.yaml
+++ b/compliance/controls/baseline/azure/KeyVault/azure_set_azure_secret_key_expiration.yaml
@@ -1,8 +1,6 @@
 ID: azure_set_azure_secret_key_expiration
 Title: "Set Azure Secret Key Expiration"
 Description: "Ensure that an expiration date is set for all your Microsoft Azure secret keys."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on c.subscription_id = sub.subscription_id
 PrimaryTable: azure_key_vault_secret
 ListOfTables:
- - azure_key_vault_secret
- - azure_subscription
+ - azure_key_vault_secret
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_set_encryption_key_expiration.yaml b/compliance/controls/baseline/azure/KeyVault/azure_set_encryption_key_expiration.yaml
index 1ba091cd2..4f4ecf3cf 100644
--- a/compliance/controls/baseline/azure/KeyVault/azure_set_encryption_key_expiration.yaml
+++ b/compliance/controls/baseline/azure/KeyVault/azure_set_encryption_key_expiration.yaml
@@ -1,8 +1,6 @@
 ID: azure_set_encryption_key_expiration
 Title: "Set Encryption Key Expiration"
 Description: "Ensure that an expiration date is configured for all your Microsoft Azure encryption keys."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on k.subscription_id = sub.subscription_id
 PrimaryTable: azure_key_vault_key
 ListOfTables:
- - azure_key_vault_key
- - azure_subscription
+ - azure_key_vault_key
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 platform_score_use_case:
- - Problem Identities
+ - Problem Identities
 score_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 score_tags:
- - Problem Identities
+ - Problem Identities
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/KeyVault/azure_web_tier_customer_managed_key_in_use.yaml b/compliance/controls/baseline/azure/KeyVault/azure_web_tier_customer_managed_key_in_use.yaml
index 442cedafd..c62d4cde6 100644
--- a/compliance/controls/baseline/azure/KeyVault/azure_web_tier_customer_managed_key_in_use.yaml
+++ b/compliance/controls/baseline/azure/KeyVault/azure_web_tier_customer_managed_key_in_use.yaml
@@ -1,8 +1,6 @@
 ID: azure_web_tier_customer_managed_key_in_use
 Title: "Web Tier Customer-Managed Key In Use"
 Description: "Ensure that a Customer-Managed Key is created for your Microsoft Azure cloud web tier."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -17,7 +15,7 @@ Query:
 FROM jsonb_each_text('{{.azureWebTierTags}}'::jsonb) ), '{', ''), '}', '') || '%' )
-
+
 select
 sub.display_name as resource,
 sub.og_resource_id,
@@ -36,18 +34,20 @@ Query:
 left join web_tier_keys as wtk on sub.subscription_id = wtk.subscription_id
 PrimaryTable: azure_subscription
 ListOfTables:
- - azure_key_vault_key
- - azure_subscription
+ - azure_key_vault_key
+ - azure_subscription
 Parameters:
 - Key: azureWebTierTags
 Required: true
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure KeyVault
+ - Azure KeyVault
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/aks/azure_check_for_kubernetes_version.yaml b/compliance/controls/baseline/azure/aks/azure_check_for_kubernetes_version.yaml
index 226d8fe1f..2e479e5b1 100644
--- a/compliance/controls/baseline/azure/aks/azure_check_for_kubernetes_version.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_check_for_kubernetes_version.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_kubernetes_version
 Title: "Check for Kubernetes Version"
 Description: "Ensure that AKS clusters are using the latest available version of Kubernetes software."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,18 +23,20 @@ Query:
 left join azure_subscription as sub on c.subscription_id = sub.subscription_id
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters:
 - Key: azureAksLatestVersion
 Required: true
 Severity: low
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 platform_score_use_case:
- - Lacking High Availability
+ - Lacking High Availability
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_tags:
- - Lacking High Availability
+ - Lacking High Availability
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/aks/azure_enable_defender_for_cloud_for_aks_clusters.yaml b/compliance/controls/baseline/azure/aks/azure_enable_defender_for_cloud_for_aks_clusters.yaml
index 515bb5ab1..191963f39 100644
--- a/compliance/controls/baseline/azure/aks/azure_enable_defender_for_cloud_for_aks_clusters.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_enable_defender_for_cloud_for_aks_clusters.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_defender_for_cloud_for_aks_clusters
 Title: "Enable Defender for Cloud for AKS Clusters"
 Description: "Ensure that Microsoft Defender for Cloud is enabled for AKS clusters."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on c.subscription_id = sub.subscription_id
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 platform_score_use_case:
- - Tolerate Failures
+ - Tolerate Failures
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_tags:
- - Tolerate Failures
+ - Tolerate Failures
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/aks/azure_enable_kubernetes_role_based_access_control.yaml b/compliance/controls/baseline/azure/aks/azure_enable_kubernetes_role_based_access_control.yaml
index bbbcbd55c..fee235742 100644
--- a/compliance/controls/baseline/azure/aks/azure_enable_kubernetes_role_based_access_control.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_enable_kubernetes_role_based_access_control.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_kubernetes_role_based_access_control
 Title: "Enable Kubernetes Role-Based Access Control"
 Description: "Ensure that Kubernetes Role-Based Access Control is enabled for Azure Kubernetes clusters."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -26,16 +24,18 @@ Query:
 left join azure_subscription as sub on c.subscription_id = sub.subscription_id
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 platform_score_use_case:
- - Unencrypted Traffic
+ - Unencrypted Traffic
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_tags:
- - Unencrypted Traffic
+ - Unencrypted Traffic
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/aks/azure_kubernetes_api_version.yaml b/compliance/controls/baseline/azure/aks/azure_kubernetes_api_version.yaml
index aeaeb3f58..53d0b65d7 100644
--- a/compliance/controls/baseline/azure/aks/azure_kubernetes_api_version.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_kubernetes_api_version.yaml
@@ -1,8 +1,6 @@
 ID: azure_kubernetes_api_version
 Title: "Kubernetes API Version"
 Description: "Ensure that AKS clusters are using the latest version of Kubernetes API."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,14 +23,16 @@ Query:
 left join azure_subscription as sub on c.subscription_id = sub.subscription_id
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters:
 - Key: azureKubernetesLatestVersion
 Required: true
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/aks/azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges.yaml b/compliance/controls/baseline/azure/aks/azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges.yaml
index f6738051c..aafee2c27 100644
--- a/compliance/controls/baseline/azure/aks/azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges.yaml
@@ -1,8 +1,6 @@
 ID: azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges
 Title: "Secure Access to Kubernetes API Server Using Authorized IP Address Ranges"
 Description: "Ensure that public access to Kubernetes API server is restricted."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -26,16 +24,18 @@ Query:
 left join azure_subscription as sub on c.subscription_id = sub.subscription_id
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/aks/azure_use_azure_cni_add_on_for_managing_network_resources.yaml b/compliance/controls/baseline/azure/aks/azure_use_azure_cni_add_on_for_managing_network_resources.yaml
index 788d8a8f4..c0d966ecd 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_azure_cni_add_on_for_managing_network_resources.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_azure_cni_add_on_for_managing_network_resources.yaml
@@ -1,8 +1,6 @@
 ID: azure_use_azure_cni_add_on_for_managing_network_resources
 Title: "Use Azure CNI Add-On for Managing Network Resources"
 Description: "Ensure that DDoS standard protection is enabled for production Azure virtual networks."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = kc.subscription_id
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
+IntegrationTypeName:
+ - azure_subscription
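Review bot: The Description on the new side of azure_use_azure_cni_add_on_for_managing_network_resources.yaml ("Ensure that DDoS standard protection is enabled for production Azure virtual networks.") belongs to a DDoS-protection check, not to the Azure CNI add-on control named by the ID and Title. A finding from this control is reported with that text, so whoever triages it would be pointed at the wrong remediation. Suggest `Description: "Ensure that AKS clusters use the Azure CNI add-on for managing network resources."`, after checking the query body, which is outside this hunk, that this is what the SQL evaluates.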
diff --git a/compliance/controls/baseline/azure/aks/azure_use_microsoft_entra_id_integration_for_aks_clusters.yaml b/compliance/controls/baseline/azure/aks/azure_use_microsoft_entra_id_integration_for_aks_clusters.yaml
index d60268256..b93ea51e6 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_microsoft_entra_id_integration_for_aks_clusters.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_microsoft_entra_id_integration_for_aks_clusters.yaml
@@ -1,8 +1,6 @@
 ID: azure_use_microsoft_entra_id_integration_for_aks_clusters
 Title: "Use Microsoft Entra ID Integration for AKS Clusters"
 Description: "Ensure that Microsoft Entra ID integration is enabled for Azure Kubernetes clusters."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = kc.subscription_id
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/aks/azure_use_network_contributor_role_for_managing_azure_network_resources.yaml b/compliance/controls/baseline/azure/aks/azure_use_network_contributor_role_for_managing_azure_network_resources.yaml
index 12549b31c..c2d6a1d32 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_network_contributor_role_for_managing_azure_network_resources.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_network_contributor_role_for_managing_azure_network_resources.yaml
@@ -1,47 +1,21 @@
 ID: azure_use_network_contributor_role_for_managing_azure_network_resources
 Title: "Use Network Contributor Role for Managing Azure Network Resources"
 Description: "Ensure that AKS clusters are configured to use the Network Contributor role."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
- QueryToExecute: |
- with rd as (
- select
- scope, ARRAY_AGG(role_name) as roles
- from
- azure_role_assignment as ra left join azure_role_definition as rd on ra.role_definition_id = rd.id
- group by scope limit 10
- )
-
- select
- c.name as resource,
- c.og_resource_id,
- c.og_account_id,
- case
- when rd.roles::text ilike '%Network Contributor%' then 'ok'
- else 'alarm'
- end as status,
- case
- when rd.roles::text ilike '%Network Contributor%' then c.name || ' is using a Network Contributor role to manage network resources.'
- else c.name || ' is not using a Network Contributor role to manage network resources.'
- end as reason,
- c.resource_group as resource_group,
- sub.display_name as subscription
- from
- azure_kubernetes_cluster as c
- left join azure_subscription as sub on c.subscription_id = sub.subscription_id
- left join rd as rd on c.id like '%' || rd.scope || '%'
+ QueryToExecute: "with rd as (\n select\n scope, ARRAY_AGG(role_name) as roles\n from\n azure_role_assignment as ra left join azure_role_definition as rd on ra.role_definition_id = rd.id\n group by scope limit 10\n)\n \nselect\n c.name as resource,\n c.og_resource_id,\n c.og_account_id,\n case\n when rd.roles::text ilike '%Network Contributor%' then 'ok'\n else 'alarm'\n end as status,\n case\n when rd.roles::text ilike '%Network Contributor%' then c.name || ' is using a Network Contributor role to manage network resources.'\n else c.name || ' is not using a Network Contributor role to manage network resources.'\n end as reason,\n c.resource_group as resource_group,\n sub.display_name as subscription\n from\n azure_kubernetes_cluster as c\n left join azure_subscription as sub on 
c.subscription_id = sub.subscription_id\n left join rd as rd on c.id like '%' || rd.scope || '%'\n"
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_role_assignment
- - azure_role_definition
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_role_assignment
+ - azure_role_definition
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/aks/azure_use_system_assigned_managed_identities_for_aks_clusters.yaml b/compliance/controls/baseline/azure/aks/azure_use_system_assigned_managed_identities_for_aks_clusters.yaml
index 88843f71a..0920a57dc 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_system_assigned_managed_identities_for_aks_clusters.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_system_assigned_managed_identities_for_aks_clusters.yaml
@@ -1,8 +1,6 @@
 ID: azure_use_system_assigned_managed_identities_for_aks_clusters
 Title: "Use System-Assigned Managed Identities for AKS Clusters"
 Description: "Ensure that AKS clusters are using system-assigned managed identities."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
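Review bot: The `rd` CTE in the rewritten QueryToExecute of azure_use_network_contributor_role_for_managing_azure_network_resources.yaml still ends in `group by scope limit 10` with no `order by`, so only an arbitrary ten scopes are aggregated; a cluster whose scope is not among them gets a null `rd.roles` and is reported as `alarm` whatever its real role assignments, and the verdict can differ between runs. The line should read `group by scope`, or the limit needs a comment explaining why it is safe. Separately, every other control in this diff keeps `QueryToExecute: |`, while this one was folded into a double-quoted scalar full of `\n` escapes; restoring the block-scalar form keeps the SQL readable and diffable and matches the file-wide convention.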
@@ -26,16 +24,18 @@ Query:
 left join azure_subscription as sub on c.subscription_id = sub.subscription_id
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 platform_score_use_case:
- - Unencrypted Traffic
+ - Unencrypted Traffic
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_tags:
- - Unencrypted Traffic
+ - Unencrypted Traffic
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/aks/azure_use_user_assigned_managed_identities_for_aks_clusters.yaml b/compliance/controls/baseline/azure/aks/azure_use_user_assigned_managed_identities_for_aks_clusters.yaml
index 9500453a2..e5febe068 100644
--- a/compliance/controls/baseline/azure/aks/azure_use_user_assigned_managed_identities_for_aks_clusters.yaml
+++ b/compliance/controls/baseline/azure/aks/azure_use_user_assigned_managed_identities_for_aks_clusters.yaml
@@ -1,8 +1,6 @@
 ID: azure_use_user_assigned_managed_identities_for_aks_clusters
 Title: "Use User-Assigned Managed Identities for AKS Clusters"
 Description: "Ensure that AKS clusters are using user-assigned managed identities."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,12 +23,14 @@ Query:
 left join azure_subscription as sub on c.subscription_id = sub.subscription_id
 PrimaryTable: azure_kubernetes_cluster
 ListOfTables:
- - azure_kubernetes_cluster
- - azure_subscription
+ - azure_kubernetes_cluster
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
 score_service_name:
- - Azure Kubernetes (AKS)
+ - Azure Kubernetes (AKS)
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/app_services/azure_disable_plain_ftp_deployment.yaml b/compliance/controls/baseline/azure/app_services/azure_disable_plain_ftp_deployment.yaml
index 7f798655c..d3fb50181 100644
--- a/compliance/controls/baseline/azure/app_services/azure_disable_plain_ftp_deployment.yaml
+++ b/compliance/controls/baseline/azure/app_services/azure_disable_plain_ftp_deployment.yaml
@@ -1,8 +1,6 @@
 ID: azure_disable_plain_ftp_deployment
 Title: "Disable Plain FTP Deployment"
 Description: "Ensure that FTP access is disabled for your Azure App Services web applications."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on wa.subscription_id = sub.subscription_id
 PrimaryTable: azure_app_service_web_app
 ListOfTables:
- - azure_app_service_web_app
- - azure_subscription
+ - azure_app_service_web_app
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure App Services
+ - Azure App Services
 platform_score_use_case:
- - Lacking High Availability
+ - Lacking High Availability
 score_service_name:
- - Azure App Services
+ - Azure App Services
 score_tags:
- - Lacking High Availability
+ - Lacking High Availability
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/cosmosdb/azure_enable_automatic_failover.yaml b/compliance/controls/baseline/azure/cosmosdb/azure_enable_automatic_failover.yaml
index 7fd1e13df..3141ce011 100644
--- a/compliance/controls/baseline/azure/cosmosdb/azure_enable_automatic_failover.yaml
+++ b/compliance/controls/baseline/azure/cosmosdb/azure_enable_automatic_failover.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_automatic_failover
 Title: "Enable Automatic Failover"
 Description: "Enable automatic failover for Microsoft Azure Cosmos DB accounts."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,12 +23,14 @@ Query:
 left join azure_subscription as sub on a.subscription_id = sub.subscription_id
 PrimaryTable: azure_cosmosdb_account
 ListOfTables:
- - azure_cosmosdb_account
- - azure_subscription
+ - azure_cosmosdb_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Network
+ - Azure Network
 score_service_name:
- - Azure Network
+ - Azure Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/monitor/azure_monitor_log_all_activities.yaml b/compliance/controls/baseline/azure/monitor/azure_monitor_log_all_activities.yaml
index e7871b2b7..8a6f0438d 100644
--- a/compliance/controls/baseline/azure/monitor/azure_monitor_log_all_activities.yaml
+++ b/compliance/controls/baseline/azure/monitor/azure_monitor_log_all_activities.yaml
@@ -1,8 +1,6 @@
 ID: azure_monitor_log_all_activities
 Title: "Azure Monitor Log All Activities"
 Description: "Ensure audit profile captures all the activities."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription sub on sub.subscription_id = p.subscription_id;
 PrimaryTable: azure_log_profile
 ListOfTables:
- - azure_log_profile
- - azure_subscription
+ - azure_log_profile
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Monitor
+ - Azure Monitor
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure Monitor
+ - Azure Monitor
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mongodb_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mongodb_access.yaml
index 4e594fa52..cb21b8d9c 100644
--- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mongodb_access.yaml
+++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mongodb_access.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_unrestricted_mongodb_access
 Title: "Check for Unrestricted MongoDB Access"
 Description: "Ensure that no network security groups allow unrestricted inbound access on TCP ports 27017, 27018 and 27019."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -34,12 +32,14 @@ Query:
 (sr -> 'properties' ->> 'destinationPortRanges' = '27017' or sr -> 'properties' ->> 'destinationPortRanges' like '%"27017"%' or sr -> 'properties' ->> 'destinationPortRanges' = '27018' or sr -> 'properties' ->> 'destinationPortRanges' like '%"27018"%' or sr -> 'properties' ->> 'destinationPortRanges' = '27019' or sr -> 'properties' ->> 'destinationPortRanges' like '%"27019"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound'
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Network
+ - Azure Network
 score_service_name:
- - Azure Network
+ - Azure Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mssql_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mssql_access.yaml
index bc0203af3..aaf6d9e3c 100644
--- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mssql_access.yaml
+++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mssql_access.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_unrestricted_mssql_access
 Title: "Check for Unrestricted MSSQL Access"
 Description: "Ensure that no network security groups allow unrestricted inbound access on TCP port 1433."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
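Review bot: The port predicate kept as context in azure_check_for_unrestricted_mongodb_access.yaml only matches an exact port value, a JSON array containing that exact value, or `*`; a rule whose `destinationPortRanges` entry is a range such as `27000-28000` or `0-65535`, or one that uses the singular `destinationPortRange` property instead, is not matched, so a wide-open rule produces no finding even though the Description promises to catch unrestricted access to these ports. The same matching appears in the mssql, mysql, netbios, oracle, postgresql and rdp controls later in this diff. Consider extending the match to cover `destinationPortRange` and hyphenated ranges (compare the numeric lower and upper bounds against the target port), or at least state the limitation in the Description. The rest of the query sits outside the hunk, so an outer predicate may already cover part of this — worth checking before changing the line.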
@@ -34,12 +32,14 @@ Query:
 (sr -> 'properties' ->> 'destinationPortRanges' = '1433' or sr -> 'properties' ->> 'destinationPortRanges' like '%"1433"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound'
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Network
+ - Azure Network
 score_service_name:
- - Azure Network
+ - Azure Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mysql_database_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mysql_database_access.yaml
index 018300ef4..b36777959 100644
--- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mysql_database_access.yaml
+++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_mysql_database_access.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_unrestricted_mysql_database_access
 Title: "Check for Unrestricted MySQL Database Access"
 Description: "Ensure that no network security groups allow unrestricted ingress access on TCP port 3306 (MySQL Database)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -34,12 +32,14 @@ Query:
 (sr -> 'properties' ->> 'destinationPortRanges' = '3306' or sr -> 'properties' ->> 'destinationPortRanges' like '%"3306"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound'
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Network
+ - Azure Network
 score_service_name:
- - Azure Network
+ - Azure Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_netbios_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_netbios_access.yaml
index 79f00ef09..f97b7c8a2 100644
--- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_netbios_access.yaml
+++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_netbios_access.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_unrestricted_netbios_access
 Title: "Check for Unrestricted NetBIOS Access"
 Description: "Ensure that no network security groups allow unrestricted inbound access on TCP port 139 and UDP ports 137 and 138 (NetBIOS)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -35,12 +33,14 @@ Query:
 (sr -> 'properties' ->> 'destinationPortRanges' = '137' or sr -> 'properties' ->> 'destinationPortRanges' like '%"137"%' or sr -> 'properties' ->> 'destinationPortRanges' = '138' or sr -> 'properties' ->> 'destinationPortRanges' like '%"138"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*'))) and sr -> 'properties' ->> 'direction' = 'Inbound'
 PrimaryTable: azure_network_security_group
 ListOfTables:
- - azure_network_security_group
- - azure_subscription
+ - azure_network_security_group
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Network
+ - Azure Network
 score_service_name:
- - Azure Network
+ - Azure Network
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_oracle_database_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_oracle_database_access.yaml
index 4270949b5..8aeeb88ae 100644
--- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_oracle_database_access.yaml
+++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_oracle_database_access.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_unrestricted_oracle_database_access
 Title: "Check for Unrestricted Oracle Database Access"
 Description: "Ensure that no network security groups allow unrestricted inbound access on TCP port 1521 (Oracle Database)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -34,12 +32,14 @@ Query: (sr -> 'properties' ->> 'destinationPortRanges' = '1521' or sr -> 'properties' ->> 'destinationPortRanges' like '%"1521"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound' PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_postgresql_database_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_postgresql_database_access.yaml index dd06914f7..cf2a5138a 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_postgresql_database_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_postgresql_database_access.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_unrestricted_postgresql_database_access Title: "Check for Unrestricted PostgreSQL Database Access" Description: "Ensure that no network security groups allow unrestricted inbound access on TCP port 5432 (PostgreSQL Database Server)." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
@@ -34,12 +32,14 @@ Query: (sr -> 'properties' ->> 'destinationPortRanges' = '5432' or sr -> 'properties' ->> 'destinationPortRanges' like '%"5432"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound' PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rdp_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rdp_access.yaml index 22b958a37..6e3ff5807 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rdp_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rdp_access.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_unrestricted_rdp_access Title: "Check for Unrestricted RDP Access" Description: "Ensure that no network security groups allow unrestricted inbound access on TCP port 3389 (Remote Desktop Protocol RDP)." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -34,12 +32,14 @@ Query: (sr -> 'properties' ->> 'destinationPortRanges' = '3389' or sr -> 'properties' ->> 'destinationPortRanges' like '%"3389"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound' PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: critical Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rpc_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rpc_access.yaml index 27590e091..cb646dd9e 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rpc_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_rpc_access.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_unrestricted_rpc_access Title: "Check for Unrestricted RPC Access" Description: "Ensure that no network security groups allow unrestricted inbound access on TCP port 135." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -34,12 +32,14 @@ Query: (sr -> 'properties' ->> 'destinationPortRanges' = '135' or sr -> 'properties' ->> 'destinationPortRanges' like '%"135"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound' PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_smtp_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_smtp_access.yaml index b2aecb77f..7c4fc6057 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_smtp_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_smtp_access.yaml 
@@ -1,8 +1,6 @@ ID: azure_check_for_unrestricted_smtp_access Title: "Check for Unrestricted SMTP Access" Description: "Ensure that no network security groups allow unrestricted inbound access on TCP port 25." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -34,12 +32,14 @@ Query: (sr -> 'properties' ->> 'destinationPortRanges' = '25' or sr -> 'properties' ->> 'destinationPortRanges' like '%"25"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound' PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_ssh_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_ssh_access.yaml index 9f219700a..b9950a0aa 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_ssh_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_ssh_access.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_unrestricted_ssh_access Title: "Check for Unrestricted SSH Access" Description: "Ensure that no network security groups allow unrestricted inbound access on TCP port 22." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
@@ -34,12 +32,14 @@ Query: (sr -> 'properties' ->> 'destinationPortRanges' = '22' or sr -> 'properties' ->> 'destinationPortRanges' like '%"22"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound' PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: critical Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_telnet_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_telnet_access.yaml index f85e936c5..0de5cfe18 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_telnet_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_telnet_access.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_unrestricted_telnet_access Title: "Check for Unrestricted Telnet Access" Description: "Ensure that no network security groups allow unrestricted inbound access on TCP port 23." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -34,12 +32,14 @@ Query: (sr -> 'properties' ->> 'destinationPortRanges' = '23' or sr -> 'properties' ->> 'destinationPortRanges' like '%"23"%' or sr -> 'properties' ->> 'destinationPortRanges' = '*') and sr -> 'properties' ->> 'direction' = 'Inbound' PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription 
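Review bot: The port test on the first context line of the SSH hunk only recognises a `destinationPortRanges` value that is exactly `'22'`, a JSON array containing `"22"`, or `'*'`, so a rule that opens a range such as `"20-30"` or `"0-65535"` to any source is not flagged by a control rated critical. The same three-way comparison appears in the sibling port controls in this chunk (RDP, Telnet, MySQL, PostgreSQL, Oracle, SMTP, RPC, NetBIOS), so any fix should be applied to all of them. The start of the query, including the source-address condition and whether the singular `destinationPortRange` property is also inspected, is outside the hunk, so part of this may already be handled there. If it is not, expand each range entry and compare numerically (split on `-` and test the target port against the lower and upper bounds) instead of string equality, and add a comment above the condition stating that `*` and ranges are both treated as exposure.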
diff --git a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_udp_access.yaml b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_udp_access.yaml index b70552f28..14ca155b3 100644 --- a/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_udp_access.yaml +++ b/compliance/controls/baseline/azure/network/azure_check_for_unrestricted_udp_access.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_unrestricted_udp_access Title: "Check for Unrestricted UDP Access" Description: "Ensure that no network security groups allow unrestricted inbound access on UDP ports." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -34,12 +32,14 @@ Query: sr -> 'properties' ->> 'direction' = 'Inbound' PrimaryTable: azure_network_security_group ListOfTables: - - azure_network_security_group - - azure_subscription + - azure_network_security_group + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/network/azure_enable_azure_network_watcher.yaml b/compliance/controls/baseline/azure/network/azure_enable_azure_network_watcher.yaml index 47e4e5b6e..0e400aa1c 100644 --- a/compliance/controls/baseline/azure/network/azure_enable_azure_network_watcher.yaml +++ b/compliance/controls/baseline/azure/network/azure_enable_azure_network_watcher.yaml @@ -1,8 +1,6 @@ ID: azure_enable_azure_network_watcher Title: "Enable Azure Network Watcher" Description: "Ensure that Network Watcher is enabled within your Microsoft Azure account subscription." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -11,7 +9,7 @@ Query: FROM azure_network_watcher GROUP BY subscription_id ) - + select sub.id as resource, sub.og_account_id, 
@@ -66,12 +64,14 @@ Query: left join regions_nw as nw on sub.subscription_id = nw.subscription_id PrimaryTable: azure_subscription ListOfTables: - - azure_network_watcher - - azure_subscription + - azure_network_watcher + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/network/azure_enable_ddos_standard_protection_for_virtual_networks.yaml b/compliance/controls/baseline/azure/network/azure_enable_ddos_standard_protection_for_virtual_networks.yaml index d8cb3aa9c..c1b80e6ee 100644 --- a/compliance/controls/baseline/azure/network/azure_enable_ddos_standard_protection_for_virtual_networks.yaml +++ b/compliance/controls/baseline/azure/network/azure_enable_ddos_standard_protection_for_virtual_networks.yaml @@ -1,8 +1,6 @@ ID: azure_enable_ddos_standard_protection_for_virtual_networks Title: "Enable DDoS Standard Protection for Virtual Networks" Description: "Ensure that DDoS standard protection is enabled for production Azure virtual networks." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -27,12 +25,14 @@ Query: sub.subscription_id = vn.subscription_id PrimaryTable: azure_virtual_network ListOfTables: - - azure_subscription - - azure_virtual_network + - azure_subscription + - azure_virtual_network Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/network/azure_review_network_interfaces_with_ip_forwarding_enabled.yaml b/compliance/controls/baseline/azure/network/azure_review_network_interfaces_with_ip_forwarding_enabled.yaml index 3c94479af..e759a6af8 100644 
--- a/compliance/controls/baseline/azure/network/azure_review_network_interfaces_with_ip_forwarding_enabled.yaml +++ b/compliance/controls/baseline/azure/network/azure_review_network_interfaces_with_ip_forwarding_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_review_network_interfaces_with_ip_forwarding_enabled Title: "Review Network Interfaces with IP Forwarding Enabled" Description: "Ensure that the Azure network interfaces with IP forwarding enabled are regularly reviewed." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -27,12 +25,14 @@ Query: sub.subscription_id = ni.subscription_id PrimaryTable: azure_network_interface ListOfTables: - - azure_network_interface - - azure_subscription + - azure_network_interface + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Network + - Azure Network score_service_name: - - Azure Network + - Azure Network +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_alert_for_job_failures_enabled.yaml b/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_alert_for_job_failures_enabled.yaml index 813f14773..cc4df3be1 100644 --- a/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_alert_for_job_failures_enabled.yaml +++ b/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_alert_for_job_failures_enabled.yaml @@ -1,8 +1,6 @@ ID: azure_recovery_service_vault_alert_for_job_failures_enabled Title: "Recovery Service Vault alert for job failures enabled" Description: "Ensure all Recovery Service Vaults alert for job failures are enabled" -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
@@ -25,16 +23,18 @@ Query: left join azure_subscription sub on sub.subscription_id = v.subscription_id; PrimaryTable: azure_recovery_services_vault ListOfTables: - - azure_recovery_services_vault - - azure_subscription + - azure_recovery_services_vault + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Recovery Services + - Azure Recovery Services platform_score_use_case: - - Lacking High Availability + - Lacking High Availability score_service_name: - - Azure Recovery Services + - Azure Recovery Services score_tags: - - Lacking High Availability + - Lacking High Availability +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml b/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml index 6351bb8d9..11bea666a 100644 --- a/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml +++ b/compliance/controls/baseline/azure/recovery_service/azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml @@ -1,8 +1,6 @@ ID: azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted Title: "Recovery Service Vault not publicly accessible and not encrypted" Description: "Ensure Recovery Service Vaults are not publicly accessible and not encrypted" -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
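Review bot: The Title and Description in the header hunk of azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml state the opposite of what a control should enforce: "not publicly accessible and not encrypted" reads as a requirement that vaults be unencrypted. The query itself is outside the hunk, so the actual evaluated condition cannot be confirmed here, but a compliance control that fails unencrypted vaults should say so. Suggested wording: `Title: "Recovery Service Vault not publicly accessible and encrypted"` and `Description: "Ensure Recovery Service Vaults are not publicly accessible and are encrypted"`. The ID can keep its current spelling for stability if other benchmarks reference it.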
@@ -25,16 +23,18 @@ Query: left join azure_subscription sub on sub.subscription_id = v.subscription_id PrimaryTable: azure_recovery_services_vault ListOfTables: - - azure_recovery_services_vault - - azure_subscription + - azure_recovery_services_vault + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Recovery Services + - Azure Recovery Services platform_score_use_case: - - Unencrypted Storage + - Unencrypted Storage score_service_name: - - Azure Recovery Services + - Azure Recovery Services score_tags: - - Unencrypted Storage + - Unencrypted Storage +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/sql/azure_advanced_data_security_for_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_advanced_data_security_for_sql_servers.yaml index 394d32f75..ac7435488 100644 --- a/compliance/controls/baseline/azure/sql/azure_advanced_data_security_for_sql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_advanced_data_security_for_sql_servers.yaml @@ -1,8 +1,6 @@ ID: azure_enable_auditing_for_sql_servers Title: "Enable Auditing for SQL Servers" Description: "Ensure that database auditing is enabled at the Azure SQL database server level." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -26,16 +24,18 @@ Query: jsonb_array_elements(server_security_alert_policy) as security PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - azure_subscription 
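Review bot: The header hunk of azure_advanced_data_security_for_sql_servers.yaml carries `ID: azure_enable_auditing_for_sql_servers`, `Title: "Enable Auditing for SQL Servers"` and a description about database auditing, none of which match the file name, and the only query line visible in the following hunk iterates `server_security_alert_policy`, which is the security-alert (Advanced Data Security) setting rather than the audit policy. As it stands, findings from this control are reported under an auditing label, and the ID is free to collide with whichever file is meant to own the auditing check. Unless the rest of the query (outside the hunk) really evaluates auditing, set the identity to match the file, e.g. `ID: azure_advanced_data_security_for_sql_servers` with a title and description that name Advanced Data Security / security alert policies. A short comment above `QueryToExecute` stating which server property the control evaluates would make this drift visible in future reviews.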
diff --git a/compliance/controls/baseline/azure/sql/azure_check_for_publicly_accessible_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_check_for_publicly_accessible_sql_servers.yaml index 4a5f39cda..342d17e8d 100644 --- a/compliance/controls/baseline/azure/sql/azure_check_for_publicly_accessible_sql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_check_for_publicly_accessible_sql_servers.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_publicly_accessible_sql_servers Title: "Check for Publicly Accessible SQL Servers" Description: "Ensure that Azure SQL database servers are accessible via private endpoints only." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -27,16 +25,18 @@ Query: sub.subscription_id = a.subscription_id; PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/sql/azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period.yaml b/compliance/controls/baseline/azure/sql/azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period.yaml index fa86166bc..3f8da2f8b 100644 --- a/compliance/controls/baseline/azure/sql/azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period.yaml +++ b/compliance/controls/baseline/azure/sql/azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period.yaml 
@@ -1,8 +1,6 @@ ID: azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period Title: "Check for Sufficient Point in Time Restore (PITR) Backup Retention Period" Description: "Ensure there is a sufficient PITR backup retention period configured for Azure SQL databases." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -23,18 +21,20 @@ Query: jsonb_array_elements(server_audit_policy) as p PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: - Key: azureDatabaseServerRetentionPeriodDays Required: true Severity: medium Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/sql/azure_check_for_unrestricted_sql_database_access.yaml b/compliance/controls/baseline/azure/sql/azure_check_for_unrestricted_sql_database_access.yaml index 1539f1b36..56e67ca4d 100644 --- a/compliance/controls/baseline/azure/sql/azure_check_for_unrestricted_sql_database_access.yaml +++ b/compliance/controls/baseline/azure/sql/azure_check_for_unrestricted_sql_database_access.yaml @@ -1,8 +1,6 @@ ID: azure_check_for_unrestricted_sql_database_access Title: "Check for Unrestricted SQL Database Access" Description: "Ensure that no SQL databases allow unrestricted inbound access from 0.0.0.0/0 (any IP address)." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
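Review bot: The only query line visible for the PITR retention control is `jsonb_array_elements(server_audit_policy) as p`, so the value compared against the required parameter `azureDatabaseServerRetentionPeriodDays` appears to be the SQL audit-log retention, not the database backup (point-in-time restore) retention the Title and Description promise. The remainder of the query is outside the hunk, so this is an inference; if no backup-retention property is read there, the control passes or fails customers on the wrong setting. Either point the query at the database's backup retention data or retitle the control as an audit-log retention check, and add a comment above `QueryToExecute` naming the property that is evaluated.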
@@ -26,16 +24,18 @@ Query: jsonb_array_elements(firewall_rules) as r PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: critical Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/sql/azure_configure_audit_action_group_for_sql_server_auditing.yaml b/compliance/controls/baseline/azure/sql/azure_configure_audit_action_group_for_sql_server_auditing.yaml index ce805ac02..374ffe6e9 100644 --- a/compliance/controls/baseline/azure/sql/azure_configure_audit_action_group_for_sql_server_auditing.yaml +++ b/compliance/controls/baseline/azure/sql/azure_configure_audit_action_group_for_sql_server_auditing.yaml @@ -1,8 +1,6 @@ ID: azure_configure_audit_action_group_for_sql_server_auditing Title: "Configure \"AuditActionGroup\" for SQL Server Auditing" Description: "Ensure that \"AuditActionGroup\" property is well configured at the Azure SQL database server level." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -26,12 +24,14 @@ Query: jsonb_array_elements(server_audit_policy) as ap PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/baseline/azure/sql/azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts.yaml b/compliance/controls/baseline/azure/sql/azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts.yaml index 7e50bfc33..4c6680353 100644 --- a/compliance/controls/baseline/azure/sql/azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts.yaml +++ b/compliance/controls/baseline/azure/sql/azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts.yaml @@ -1,8 +1,6 @@ ID: azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts Title: "Configure Emails for Vulnerability Assessment Scan Reports and Alerts" Description: "Ensure that \"Send scan reports to\" setting is configured for SQL database servers." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -26,16 +24,18 @@ Query: jsonb_array_elements(server_vulnerability_assessment) as vs PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service platform_score_use_case: - - Exposed Endpoints + - Exposed Endpoints score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_tags: - - Exposed Endpoints + - Exposed Endpoints +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/sql/azure_enable_all_types_of_threat_detection_on_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_all_types_of_threat_detection_on_sql_servers.yaml index a1e83bbf3..cdf4d547a 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_all_types_of_threat_detection_on_sql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_all_types_of_threat_detection_on_sql_servers.yaml 
@@ -1,8 +1,6 @@ ID: azure_enable_all_types_of_threat_detection_on_sql_servers Title: "Enable All Types of Threat Detection on SQL Servers" Description: "Enable all types of threat detection for your Microsoft Azure SQL database servers." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -28,16 +26,18 @@ Query: jsonb_array_length(security -> 'properties' -> 'disabledAlerts') as alert_length PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/sql/azure_enable_auditing_for_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_auditing_for_sql_servers.yaml index ffbfe55fc..740497d2d 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_auditing_for_sql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_auditing_for_sql_servers.yaml @@ -1,8 +1,6 @@ ID: azure_enable_all_types_of_threat_detection_on_sql_servers Title: "Enable All Types of Threat Detection on SQL Servers" Description: "Enable all types of threat detection for your Microsoft Azure SQL database servers." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
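Review bot: The header hunk of azure_enable_auditing_for_sql_servers.yaml declares `ID: azure_enable_all_types_of_threat_detection_on_sql_servers`, the same ID, Title and Description as azure_enable_all_types_of_threat_detection_on_sql_servers.yaml earlier on this line, so two distinct controls now share one identifier and the loader will either reject or silently shadow one of them. The file's second hunk (following line) joins `sql_server_audit_enabled`, which suggests this file is the auditing check and the copied header is a paste error. Restore the identity to match the file: `ID: azure_enable_auditing_for_sql_servers`, `Title: "Enable Auditing for SQL Servers"`, `Description: "Ensure that database auditing is enabled at the Azure SQL database server level."`. The `Problem Identities` use-case tag on the following hunk also looks inherited from the threat-detection control; confirm it is the intended classification for an auditing check.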
@@ -35,16 +33,18 @@ Query: left join sql_server_audit_enabled as a on lower(s.id) = lower(a.id); PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service platform_score_use_case: - - Problem Identities + - Problem Identities score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_tags: - - Problem Identities + - Problem Identities +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/sql/azure_enable_auto_failover_groups.yaml b/compliance/controls/baseline/azure/sql/azure_enable_auto_failover_groups.yaml index 6e1f07018..6cd01902d 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_auto_failover_groups.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_auto_failover_groups.yaml @@ -1,8 +1,6 @@ ID: azure_enable_auto_failover_groups Title: "Enable Auto-Failover Groups" Description: "Ensure that your Azure SQL database servers are configured to use auto-failover groups." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -25,16 +23,18 @@ Query: left join azure_subscription as sub on s.subscription_id = sub.subscription_id PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/baseline/azure/sql/azure_enable_automatic_tuning_for_sql_database_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_automatic_tuning_for_sql_database_servers.yaml index 4739d3876..14d1340e2 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_automatic_tuning_for_sql_database_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_automatic_tuning_for_sql_database_servers.yaml @@ -1,8 +1,6 @@ ID: azure_enable_automatic_tuning_for_sql_database_servers Title: "Enable Automatic Tuning for SQL Database Servers" Description: "Ensure that Automatic Tuning feature is enabled for Microsoft Azure SQL database servers." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -27,16 +25,18 @@ Query: left join azure_subscription as sub on s.subscription_id = sub.subscription_id PrimaryTable: azure_sql_server ListOfTables: - - azure_sql_server - - azure_subscription + - azure_sql_server + - azure_subscription Parameters: [] Severity: medium Tags: platform_score_cloud_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service platform_score_use_case: - - Missing Backup + - Missing Backup score_service_name: - - Azure Managed SQL Service + - Azure Managed SQL Service score_tags: - - Missing Backup + - Missing Backup +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/sql/azure_enable_in_transit_encryption_for_mysql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_in_transit_encryption_for_mysql_servers.yaml index 11295044f..5c9ea89a6 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_in_transit_encryption_for_mysql_servers.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_in_transit_encryption_for_mysql_servers.yaml 
@@ -1,8 +1,6 @@ ID: azure_enable_in_transit_encryption_for_mysql_servers Title: "Enable In-Transit Encryption for MySQL Servers" Description: "Ensure that in-transit encryption is enabled for your Azure MySQL database servers." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | @@ -25,12 +23,14 @@ Query: left join azure_subscription as sub on s.subscription_id = sub.subscription_id PrimaryTable: azure_mysql_server ListOfTables: - - azure_mysql_server - - azure_subscription + - azure_mysql_server + - azure_subscription Parameters: [] Severity: high Tags: platform_score_cloud_service_name: - - Azure Database for MySQL + - Azure Database for MySQL score_service_name: - - Azure Database for MySQL + - Azure Database for MySQL +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/baseline/azure/sql/azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys.yaml b/compliance/controls/baseline/azure/sql/azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys.yaml index 44a229d01..d19bb92fb 100644 --- a/compliance/controls/baseline/azure/sql/azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys.yaml +++ b/compliance/controls/baseline/azure/sql/azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys.yaml @@ -1,8 +1,6 @@ ID: azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys Title: "Enable Transparent Data Encryption for SQL Managed Instance using Customer-Managed Keys" Description: "Ensure that Azure SQL managed instances are encrypted at rest using Customer-Managed Keys (CMKs)." -Connector: -- azure Query: Engine: odysseus-v0.0.1 QueryToExecute: | 
@@ -28,16 +26,18 @@ Query:
 sub.subscription_id = s.subscription_id
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 platform_score_use_case:
- - Tolerate Failures
+ - Tolerate Failures
 score_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 score_tags:
- - Tolerate Failures
+ - Tolerate Failures
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners.yaml b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners.yaml
index d20589686..e94dba131 100644
--- a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners
 Title: "Enable Vulnerability Assessment Email Notifications for Admins and Subscription Owners"
 Description: "Ensure that the Vulnerability Assessment setting \"Also send email notification to admins and subscription owners\" is enabled for your Microsoft SQL database servers."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
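Review bot: The use-case tag kept on the new side of this hunk, `+ - Tolerate Failures` under platform_score_use_case and again under score_tags, files a key-management control under resilience: the Title and Description say the check is that managed instances encrypt at rest with customer-managed keys. The sibling control azure_use_byok_for_transparent_data_encryption in this same diff tags the equivalent CMK check as `Insecure Keys`, so I would change both lines here to `  - Insecure Keys` so the two CMK controls land in the same scoring bucket. The tag vocabulary is project-defined, so confirm that value is the intended one before changing it.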
@@ -33,16 +31,18 @@ Query:
 left join sql_server_va as v on lower(s.id) = lower(v.id)
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 platform_score_use_case:
- - Problem Identities
+ - Problem Identities
 score_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 score_tags:
- - Problem Identities
+ - Problem Identities
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml
index 0aec3e891..d822a9016 100644
--- a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_vulnerability_assessment_for_microsoft_sql_servers
 Title: "Enable Vulnerability Assessment for Microsoft SQL Servers"
 Description: "Ensure that Vulnerability Assessment is enabled for Microsoft SQL database servers."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -33,16 +31,18 @@ Query:
 left join sql_server_va as v on lower(s.id) = lower(v.id)
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 platform_score_use_case:
- - Problem Identities
+ - Problem Identities
 score_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 score_tags:
- - Problem Identities
+ - Problem Identities
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml
index 617c9c433..01c5b657b 100644
--- a/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_vulnerability_assessment_periodic_recurring_scans
 Title: "Enable Vulnerability Assessment Periodic Recurring Scans"
 Description: "Ensure that the Vulnerability Assessment Periodic Recurring Scans setting is enabled for SQL database servers."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -33,16 +31,18 @@ Query:
 left join sql_server_va as v on lower(s.id) = lower(v.id)
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 platform_score_use_case:
- - Problem Identities
+ - Problem Identities
 score_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 score_tags:
- - Problem Identities
+ - Problem Identities
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/sql/azure_restrict_default_network_access_for_azure_cosmos_db_accounts.yaml b/compliance/controls/baseline/azure/sql/azure_restrict_default_network_access_for_azure_cosmos_db_accounts.yaml
index b08da3296..8a7265bb8 100644
--- a/compliance/controls/baseline/azure/sql/azure_restrict_default_network_access_for_azure_cosmos_db_accounts.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_restrict_default_network_access_for_azure_cosmos_db_accounts.yaml
@@ -1,8 +1,6 @@
 ID: azure_restrict_default_network_access_for_azure_cosmos_db_accounts
 Title: "Restrict Default Network Access for Azure Cosmos DB Accounts"
 Description: "Ensure that default network access (i.e. public access) is denied within your Azure Cosmos DB account configuration."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on a.subscription_id = sub.subscription_id
 PrimaryTable: azure_cosmosdb_account
 ListOfTables:
- - azure_cosmosdb_account
- - azure_subscription
+ - azure_cosmosdb_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/sql/azure_sql_auditing_retention.yaml b/compliance/controls/baseline/azure/sql/azure_sql_auditing_retention.yaml
index d49f3c5e5..8b58d30a0 100644
--- a/compliance/controls/baseline/azure/sql/azure_sql_auditing_retention.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_sql_auditing_retention.yaml
@@ -1,8 +1,6 @@
 ID: azure_sql_auditing_retention
 Title: "SQL Auditing Retention"
 Description: "Ensure that SQL database auditing has a sufficient log data retention period configured."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -26,16 +24,18 @@ Query:
 jsonb_array_elements(server_audit_policy) as ap
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 platform_score_use_case:
- - Problem Identities
+ - Problem Identities
 score_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 score_tags:
- - Problem Identities
+ - Problem Identities
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/sql/azure_use_byok_for_transparent_data_encryption.yaml b/compliance/controls/baseline/azure/sql/azure_use_byok_for_transparent_data_encryption.yaml
index 89ac8defe..0d4f2906a 100644
--- a/compliance/controls/baseline/azure/sql/azure_use_byok_for_transparent_data_encryption.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_use_byok_for_transparent_data_encryption.yaml
@@ -1,8 +1,6 @@
 ID: azure_use_byok_for_transparent_data_encryption
 Title: "Use BYOK for Transparent Data Encryption"
 Description: "Use Bring Your Own Key (BYOK) support for Transparent Data Encryption (TDE)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 jsonb_array_elements(encryption_protector) as encryption
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_sql_server
- - azure_subscription
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/sql/azure_use_microsoft_entra_admin_for_sql_authentication.yaml b/compliance/controls/baseline/azure/sql/azure_use_microsoft_entra_admin_for_sql_authentication.yaml
index 4559a0912..658b7df0c 100644
--- a/compliance/controls/baseline/azure/sql/azure_use_microsoft_entra_admin_for_sql_authentication.yaml
+++ b/compliance/controls/baseline/azure/sql/azure_use_microsoft_entra_admin_for_sql_authentication.yaml
@@ -1,8 +1,6 @@
 ID: azure_use_microsoft_entra_admin_for_sql_authentication
 Title: "Use Microsoft Entra Admin for SQL Authentication"
 Description: "Ensure that an Microsoft Entra admin is configured for SQL authentication."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,13 +23,15 @@ Query:
 left join azure_subscription as sub on s.subscription_id = sub.subscription_id
 PrimaryTable: azure_sql_server
 ListOfTables:
- - azure_ad_administrator
- - azure_sql_server
- - azure_subscription
+ - azure_ad_administrator
+ - azure_sql_server
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
 score_service_name:
- - Azure Managed SQL Service
+ - Azure Managed SQL Service
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_check_for_publicly_accessible_web_containers.yaml b/compliance/controls/baseline/azure/storage_account/azure_check_for_publicly_accessible_web_containers.yaml
index 1d325a9ac..07beb96f0 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_check_for_publicly_accessible_web_containers.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_check_for_publicly_accessible_web_containers.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_publicly_accessible_web_containers
 Title: "Check for Publicly Accessible Web Containers"
 Description: "Ensure that Azure Storage containers aren't publicly accessible."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -28,17 +26,19 @@ Query:
 join azure_subscription sub on sub.subscription_id = account.subscription_id;
 PrimaryTable: azure_storage_container
 ListOfTables:
- - azure_storage_account
- - azure_storage_container
- - azure_subscription
+ - azure_storage_account
+ - azure_storage_container
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_check_for_sufficient_soft_deleted_data_retention_period.yaml b/compliance/controls/baseline/azure/storage_account/azure_check_for_sufficient_soft_deleted_data_retention_period.yaml
index fdef8d1cf..bd28966a7 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_check_for_sufficient_soft_deleted_data_retention_period.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_check_for_sufficient_soft_deleted_data_retention_period.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_sufficient_soft_deleted_data_retention_period
 Title: "Check for Sufficient Soft Deleted Data Retention Period"
 Description: "Ensure there is a sufficient retention period configured for Azure Blob Storage soft deleted data."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -29,14 +27,16 @@ Query:
 sub.subscription_id = sa.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters:
 - Key: azureStorageBlobSoftDeleteSufficientDays
 Required: true
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_configure_minimum_tls_version.yaml b/compliance/controls/baseline/azure/storage_account/azure_configure_minimum_tls_version.yaml
index 107830d80..ad5fb9331 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_configure_minimum_tls_version.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_configure_minimum_tls_version.yaml
@@ -1,8 +1,6 @@
 ID: azure_configure_minimum_tls_version
 Title: "Configure Minimum TLS Version"
 Description: "Ensure that the \"Minimum TLS version\" setting is set to \"Version 1.2\" for all Azure Storage accounts."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -22,18 +20,20 @@ Query:
 left join azure_subscription as sub on s.subscription_id = sub.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters:
 - Key: azureLatestTlsVersion
 Required: true
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 platform_score_use_case:
- - Expiring Certificates
+ - Expiring Certificates
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_tags:
- - Expiring Certificates
+ - Expiring Certificates
+IntegrationTypeName:
+ - azure_subscription
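Review bot: In the last hunk of azure_configure_minimum_tls_version, `+ - Expiring Certificates` under platform_score_use_case and score_tags does not match the control, whose Title, Description and azureLatestTlsVersion parameter all concern a storage account's minimum TLS protocol version; certificate expiry is a different failure mode, and an auditor filtering by that tag will be shown the wrong findings. If the tag vocabulary has a transport-security bucket I would use it; of the values visible in this diff, `  - Exposed Endpoints` (used by the other storage network-access controls here) is the closest, though still imperfect. The value is presumably inherited from a template rather than chosen for this check, but that is an inference.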
diff --git a/compliance/controls/baseline/azure/storage_account/azure_disable_anonymous_access_to_blob_containers.yaml b/compliance/controls/baseline/azure/storage_account/azure_disable_anonymous_access_to_blob_containers.yaml
index 127e17d88..7197e6786 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_disable_anonymous_access_to_blob_containers.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_disable_anonymous_access_to_blob_containers.yaml
@@ -1,8 +1,6 @@
 ID: azure_disable_anonymous_access_to_blob_containers
 Title: "Disable Anonymous Access to Blob Containers"
 Description: "Ensure that anonymous access to blob containers is disabled within your Azure Storage account."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -28,17 +26,19 @@ Query:
 left join azure_subscription as sub on a.subscription_id = sub.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_storage_container
- - azure_subscription
+ - azure_storage_account
+ - azure_storage_container
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_disable_public_access_to_storage_accounts_with_blob_containers.yaml b/compliance/controls/baseline/azure/storage_account/azure_disable_public_access_to_storage_accounts_with_blob_containers.yaml
index 2849911ea..4c4f344c3 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_disable_public_access_to_storage_accounts_with_blob_containers.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_disable_public_access_to_storage_accounts_with_blob_containers.yaml
@@ -1,8 +1,6 @@
 ID: azure_disable_public_access_to_storage_accounts_with_blob_containers
 Title: "Disable public access to storage accounts with blob containers"
 Description: "Ensure that public access to blob containers is disabled for your Azure storage accounts to override any ACL configurations allowing access."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on a.subscription_id = sub.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_blob_storage_lifecycle_management.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_blob_storage_lifecycle_management.yaml
index 3cdf9d202..1c04b8a32 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_blob_storage_lifecycle_management.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_blob_storage_lifecycle_management.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_blob_storage_lifecycle_management
 Title: "Enable Blob Storage Lifecycle Management"
 Description: "Ensure that Azure Blob Storage service has a lifecycle management policy configured."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = sa.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_immutable_blob_storage.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_immutable_blob_storage.yaml
index 051edc6bf..7d4e84400 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_immutable_blob_storage.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_immutable_blob_storage.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_immutable_blob_storage
 Title: "Enable Immutable Blob Storage"
 Description: "Ensure that critical Azure Blob Storage data is protected from accidental deletion or modification."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = sc.subscription_id
 PrimaryTable: azure_storage_container
 ListOfTables:
- - azure_storage_container
- - azure_subscription
+ - azure_storage_container
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_infrastructure_encryption.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_infrastructure_encryption.yaml
index 49f09434d..2d0f97802 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_infrastructure_encryption.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_infrastructure_encryption.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_infrastructure_encryption
 Title: "Enable Infrastructure Encryption"
 Description: "Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on a.subscription_id = sub.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 platform_score_use_case:
- - Unencrypted Storage
+ - Unencrypted Storage
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_tags:
- - Unencrypted Storage
+ - Unencrypted Storage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_blob_service.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_blob_service.yaml
index 960d2dc98..f27915088 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_blob_service.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_blob_service.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_logging_for_azure_storage_blob_service
 Title: "Enable Logging for Azure Storage Blob Service"
 Description: "Ensure that storage logging is enabled for the Azure Storage Blob service."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = sa.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_queue_service.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_queue_service.yaml
index b4a5ff703..bbc3761f9 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_queue_service.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_queue_service.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_logging_for_azure_storage_queue_service
 Title: "Enable Logging for Azure Storage Queue Service"
 Description: "Ensure that detailed storage logging is enabled for the Azure Storage Queue service."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = sa.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_table_service.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_table_service.yaml
index eca6c2137..369310895 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_table_service.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_logging_for_azure_storage_table_service.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_logging_for_azure_storage_table_service
 Title: "Enable Logging for Azure Storage Table Service"
 Description: "Ensure that storage logging is enabled for the Azure Storage Table service."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = sa.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_secure_transfer_in_azure_storage.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_secure_transfer_in_azure_storage.yaml
index 05b2fe227..1da7d1d03 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_secure_transfer_in_azure_storage.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_secure_transfer_in_azure_storage.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_secure_transfer_in_azure_storage
 Title: "Enable Secure Transfer in Azure Storage"
 Description: "Ensure that \"Secure transfer required\" security feature is enabled within your Azure Storage account configuration."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = sa.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_soft_delete_for_azure_blob_storage.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_soft_delete_for_azure_blob_storage.yaml
index 345e1d407..0758e9c3d 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_soft_delete_for_azure_blob_storage.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_soft_delete_for_azure_blob_storage.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_soft_delete_for_azure_blob_storage
 Title: "Enable Soft Delete for Azure Blob Storage"
 Description: "Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = sa.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_enable_trusted_microsoft_services_for_storage_account_access.yaml b/compliance/controls/baseline/azure/storage_account/azure_enable_trusted_microsoft_services_for_storage_account_access.yaml
index 695cdf6bc..0180000c7 100644
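Review bot: The Description in the first hunk of azure_enable_soft_delete_for_azure_blob_storage, `Description: "Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts."`, is the text of azure_enable_infrastructure_encryption and contradicts this control's own ID and Title; the identical wrong sentence is carried on azure_use_byok_for_storage_account_encryption later in this diff. Both are context lines, so the commit does not introduce them, but any report generated from these files will describe the wrong check, and a touch-every-file commit like this is the cheapest place to fix them. I would change this one to something like `Description: "Ensure that soft delete is enabled for Azure Blob Storage so that deleted blobs can be recovered."` and give the BYOK control a sentence about customer-managed key encryption, wording each against what its QueryToExecute actually tests (the query bodies are outside these hunks).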
--- a/compliance/controls/baseline/azure/storage_account/azure_enable_trusted_microsoft_services_for_storage_account_access.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_enable_trusted_microsoft_services_for_storage_account_access.yaml
@@ -1,8 +1,6 @@
 ID: azure_enable_trusted_microsoft_services_for_storage_account_access
 Title: "Enable Trusted Microsoft Services for Storage Account Access"
 Description: "Allow Trusted Microsoft Services to access your Azure Storage account resources."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = sa.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_limit_storage_account_access_by_ip_address.yaml b/compliance/controls/baseline/azure/storage_account/azure_limit_storage_account_access_by_ip_address.yaml
index d72f037bd..288dddf30 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_limit_storage_account_access_by_ip_address.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_limit_storage_account_access_by_ip_address.yaml
@@ -1,8 +1,6 @@
 ID: azure_limit_storage_account_access_by_ip_address
 Title: "Limit Storage Account Access by IP Address"
 Description: "Ensure that Azure Storage account access is limited only to specific IP address(es)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -35,18 +33,20 @@ Query:
 left join azure_subscription as sub on s.subscription_id = sub.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters:
 - Key: azureStorageAccountAllowedIPAddresses
 Required: true
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_private_endpoint_in_use.yaml b/compliance/controls/baseline/azure/storage_account/azure_private_endpoint_in_use.yaml
index 1cf504d6b..11a9e3087 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_private_endpoint_in_use.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_private_endpoint_in_use.yaml
@@ -1,8 +1,6 @@
 ID: azure_private_endpoint_in_use
 Title: "Private Endpoint in Use"
 Description: "Ensure that private endpoints are used to access Microsoft Azure Storage accounts."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on a.subscription_id = sub.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_restrict_default_network_access_for_storage_accounts.yaml b/compliance/controls/baseline/azure/storage_account/azure_restrict_default_network_access_for_storage_accounts.yaml
index c2565e92c..1512e8b92 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_restrict_default_network_access_for_storage_accounts.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_restrict_default_network_access_for_storage_accounts.yaml
@@ -1,8 +1,6 @@
 ID: azure_restrict_default_network_access_for_storage_accounts
 Title: "Restrict Default Network Access for Storage Accounts"
 Description: "Ensure that the default network access rule is set to \"Deny\" within your Azure Storage account."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on a.subscription_id = sub.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 platform_score_use_case:
- - Exposed Endpoints
+ - Exposed Endpoints
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_tags:
- - Exposed Endpoints
+ - Exposed Endpoints
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_storage_account_encryption_using_customer_managed_keys.yaml b/compliance/controls/baseline/azure/storage_account/azure_storage_account_encryption_using_customer_managed_keys.yaml
index 86b8296df..56256a764 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_storage_account_encryption_using_customer_managed_keys.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_storage_account_encryption_using_customer_managed_keys.yaml
@@ -1,8 +1,6 @@
 ID: azure_storage_account_encryption_using_customer_managed_keys
 Title: "Storage Account Encryption using Customer Managed Keys"
 Description: "Use Customer Managed Keys (CMKs) to encrypt data within Azure Storage accounts."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -25,16 +23,18 @@ Query:
 left join azure_subscription as sub on a.subscription_id = sub.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 platform_score_use_case:
- - Unencrypted Storage
+ - Unencrypted Storage
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_tags:
- - Unencrypted Storage
+ - Unencrypted Storage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/storage_account/azure_use_byok_for_storage_account_encryption.yaml b/compliance/controls/baseline/azure/storage_account/azure_use_byok_for_storage_account_encryption.yaml
index d5db805e9..2d99f0bf2 100644
--- a/compliance/controls/baseline/azure/storage_account/azure_use_byok_for_storage_account_encryption.yaml
+++ b/compliance/controls/baseline/azure/storage_account/azure_use_byok_for_storage_account_encryption.yaml
@@ -1,8 +1,6 @@
 ID: azure_use_byok_for_storage_account_encryption
 Title: "Use BYOK for Storage Account Encryption"
 Description: "Ensure that infrastructure encryption is enabled for Microsoft Azure Storage accounts."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = sa.subscription_id
 PrimaryTable: azure_storage_account
 ListOfTables:
- - azure_storage_account
- - azure_subscription
+ - azure_storage_account
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
 score_service_name:
- - Azure Storage Accounts
+ - Azure Storage Accounts
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_approved_azure_machine_image_in_use.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_approved_azure_machine_image_in_use.yaml
index 4464a53de..6bf296ac4 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_approved_azure_machine_image_in_use.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_approved_azure_machine_image_in_use.yaml
@@ -1,8 +1,6 @@
 ID: azure_approved_azure_machine_image_in_use
 Title: "Approved Azure Machine Image in Use"
 Description: "Ensure that all your Azure virtual machine instances are launched from approved machine images only."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id;
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_accelerated_networking_for_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_accelerated_networking_for_virtual_machines.yaml
index 8e6c2a163..12cfcb3f7 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_accelerated_networking_for_virtual_machines.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_accelerated_networking_for_virtual_machines.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_accelerated_networking_for_virtual_machines
 Title: "Check for Accelerated Networking for Virtual Machines"
 Description: "Ensure that Microsoft Azure virtual machines are configured to use accelerated networking."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,15 +25,17 @@ Query:
 left join azure_network_interface as nic on nic.id = (ni ->> 'id')
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_network_interface
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_network_interface
+ - azure_subscription
 Parameters:
 - Key: azureAllowedVmExtentions
 Required: true
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_associated_load_balancers.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_associated_load_balancers.yaml
index 9a1702624..0849d49fe 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_associated_load_balancers.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_associated_load_balancers.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_associated_load_balancers
 Title: "Check for Associated Load Balancers"
 Description: "Ensure that your Azure virtual machine scale sets are using load balancers for traffic distribution."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
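Review bot: The accelerated-networking control declares `azureAllowedVmExtentions` as its only required parameter, the same key the approved-extensions control (`azure_check_for_usage_of_approved_extensions_only`, further down) uses; an extension allow-list has no obvious role in a check that a NIC has accelerated networking enabled, so this looks like a copy-paste the bulk edit carried forward. The query body that would consume the parameter starts outside the hunk, so whether it is referenced cannot be confirmed here; if it is not, `Parameters: []` is the fix, and if it is, the `Description` should say what the allow-list means for this check. The spelling `Extentions` is shared with the other file, so any rename has to touch both.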
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine_scale_set
 ListOfTables:
- - azure_compute_virtual_machine_scale_set
- - azure_subscription
+ - azure_compute_virtual_machine_scale_set
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_instance_repairs.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_instance_repairs.yaml
index 3fd6d746a..741e4728b 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_instance_repairs.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_instance_repairs.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_automatic_instance_repairs
 Title: "Check for Automatic Instance Repairs"
 Description: "Ensure that Azure virtual machine scale sets are configured to use automatic instance repairs"
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine_scale_set
 ListOfTables:
- - azure_compute_virtual_machine_scale_set
- - azure_subscription
+ - azure_compute_virtual_machine_scale_set
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_os_upgrades.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_os_upgrades.yaml
index af101a633..19b2a2f95 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_os_upgrades.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_automatic_os_upgrades.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_automatic_os_upgrades
 Title: "Check for Automatic OS Upgrades"
 Description: "Ensure that Automatic OS Upgrades feature is enabled for your Azure virtual machine scale sets."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine_scale_set
 ListOfTables:
- - azure_compute_virtual_machine_scale_set
- - azure_subscription
+ - azure_compute_virtual_machine_scale_set
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_autoscale_notifications.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_autoscale_notifications.yaml
index 0d5015d5a..dff03979f 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_autoscale_notifications.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_autoscale_notifications.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_autoscale_notifications
 Title: "Check for Autoscale Notifications"
 Description: "Ensure that autoscale notifications are enabled for Azure virtual machine scale sets."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -26,13 +24,15 @@ Query:
 left join azure_autoscale_setting as s on vm.id = s.target_resource_uri
 PrimaryTable: azure_compute_virtual_machine_scale_set
 ListOfTables:
- - azure_autoscale_setting
- - azure_compute_virtual_machine_scale_set
- - azure_subscription
+ - azure_autoscale_setting
+ - azure_compute_virtual_machine_scale_set
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_backups_for_azure_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_backups_for_azure_virtual_machines.yaml
index 11618ea23..0f4c12744 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_backups_for_azure_virtual_machines.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_backups_for_azure_virtual_machines.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_backups_for_azure_virtual_machines
 Title: "Check for Backups for Azure Virtual Machines"
 Description: "Ensure that Microsoft Azure Backup service is in use for your Azure virtual machines (VMs)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -26,13 +24,15 @@ Query:
 left join azure_recovery_services_backup_item as bi on vm.id = (bi.properties ->> 'SourceResourceID')
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_recovery_services_backup_item
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_recovery_services_backup_item
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_configure_health_monitoring.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_configure_health_monitoring.yaml
index 186eb0390..e6374f7f0 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_configure_health_monitoring.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_configure_health_monitoring.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_configure_health_monitoring
 Title: "Check for Configure Health Monitoring"
 Description: "Ensure that the health of your Microsoft Azure scale set instances is being monitored."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -31,12 +29,14 @@ Query:
 left join azure_subscription as sub on sub.subscription_id = vmss.subscription_id
 PrimaryTable: azure_compute_virtual_machine_scale_set
 ListOfTables:
- - azure_compute_virtual_machine_scale_set
- - azure_subscription
+ - azure_compute_virtual_machine_scale_set
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_desired_vm_sku_sizes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_desired_vm_sku_sizes.yaml
index c54bedaf6..169f41806 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_desired_vm_sku_sizes.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_desired_vm_sku_sizes.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_desired_vm_sku_sizes
 Title: "Check for Desired VM SKU Size(s)"
 Description: "Ensure that your virtual machine instances are of a given SKU size (e.g. Standard_A8_v2)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,18 +25,20 @@ Query:
 sub.subscription_id = vm.subscription_id;
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters:
 - Key: azureAllowedVmSizes
 Required: true
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Unencrypted Traffic
+ - Unencrypted Traffic
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Unencrypted Traffic
+ - Unencrypted Traffic
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_encryption_for_web_tier_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_encryption_for_web_tier_disk_volumes.yaml
index 2caa09ca2..dd638869f 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_encryption_for_web_tier_disk_volumes.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_encryption_for_web_tier_disk_volumes.yaml
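Review bot: The SKU-size control carries `platform_score_use_case` and `score_tags` of `Unencrypted Traffic`, which does not describe a check that VM instances use a size from `azureAllowedVmSizes`; these tags are context lines the commit leaves as they were, but since they decide which score bucket a failing VM lands in, the per-file pass this commit already makes is the natural place to correct them. Which use case the author intended is not visible from the diff; the sibling controls in this directory use tags such as `Optimization` and `Orphaned Resources`, so the right value should be confirmed with the control owner rather than guessed.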
@@ -1,8 +1,6 @@
 ID: azure_check_for_encryption_for_web_tier_disk_volumes
 Title: "Check for Encryption for Web-Tier Disk Volumes"
 Description: "Ensure that Azure virtual machine disk volumes created for the web tier are encrypted."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -31,14 +29,16 @@ Query:
 ), '{', ''), '}', '') || '%'
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters:
 - Key: azureAppTierTags
 Required: true
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_guest_level_diagnostics_for_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_guest_level_diagnostics_for_virtual_machines.yaml
index f85a50db0..7ca207e49 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_guest_level_diagnostics_for_virtual_machines.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_guest_level_diagnostics_for_virtual_machines.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_guest_level_diagnostics_for_virtual_machines
 Title: "Check for Guest-Level Diagnostics for Virtual Machines"
 Description: "Ensure that Microsoft Azure virtual machines are configured to use OS guest-level monitoring."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
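Review bot: `azureAppTierTags` is the required parameter of a control whose `ID`, `Title` and `Description` all speak of the web tier; if the parameter is the tag set that selects which VMs count as web tier, the key name points at the wrong tier and is presumably a copy-paste from an app-tier sibling, and if reusing the app-tier tag set is intentional the `Description` should say so. The query that consumes the parameter starts outside the hunk, so this is flagged for confirmation rather than asserted; a constructed name such as `azureWebTierTags` would only be right if the parameter catalogue defines it.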
@@ -41,12 +39,14 @@ Query:
 sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_installataion_for_latest_os_patches.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_installataion_for_latest_os_patches.yaml
index 7ba7a234b..055926d73 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_installataion_for_latest_os_patches.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_installataion_for_latest_os_patches.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_installataion_for_latest_os_patches
 Title: "Check for installataion for latest OS Patches"
 Description: "Ensure that the latest OS patches available for Microsoft Azure virtual machines are applied."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets.yaml
index a73dcda81..ebbf4abfb 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets
 Title: "Check for Instance Termination Notifications for Virtual Machine Scale Sets"
 Description: "Ensure that instance termination notifications are enabled for your Azure virtual machine scale sets."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine_scale_set
 ListOfTables:
- - azure_compute_virtual_machine_scale_set
- - azure_subscription
+ - azure_compute_virtual_machine_scale_set
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_just_in_time_access_for_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_just_in_time_access_for_virtual_machines.yaml
index 1292d610b..e229275ac 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_just_in_time_access_for_virtual_machines.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_just_in_time_access_for_virtual_machines.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_just_in_time_access_for_virtual_machines
 Title: "Check for Just-In-Time Access for Virtual Machines"
 Description: "Ensure that Microsoft Azure virtual machines are configured to use Just-in-Time (JIT) access."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -39,13 +37,15 @@ Query:
 sub.subscription_id = vm.subscription_id;
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_security_center_jit_network_access_policy
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_security_center_jit_network_access_policy
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_old_virtual_machine_disk_snapshots.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_old_virtual_machine_disk_snapshots.yaml
index 3d6b58a9e..5cc844977 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_old_virtual_machine_disk_snapshots.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_old_virtual_machine_disk_snapshots.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_old_virtual_machine_disk_snapshots
 Title: "Check for Old Virtual Machine Disk Snapshots"
 Description: "Identify and remove old virtual machine disk snapshots in order to optimize cloud costs."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -32,18 +30,20 @@ Query:
 sub.subscription_id = s.subscription_id;
 PrimaryTable: azure_compute_snapshot
 ListOfTables:
- - azure_compute_snapshot
- - azure_subscription
+ - azure_compute_snapshot
+ - azure_subscription
 Parameters:
 - Key: azureDiskSnapshotAgeThreshold
 Required: true
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Optimization
+ - Optimization
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Optimization
+ - Optimization
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_performance_diagnostics_for_azure_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_performance_diagnostics_for_azure_virtual_machines.yaml
index 94c8fd223..b779fdfcc 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_performance_diagnostics_for_azure_virtual_machines.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_performance_diagnostics_for_azure_virtual_machines.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_performance_diagnostics_for_azure_virtual_machines
 Title: "Check for Performance Diagnostics for Azure Virtual Machines"
 Description: "Ensure that Azure virtual machines are configured to use the Performance Diagnostics tool."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -31,12 +29,14 @@ Query:
 left join azure_subscription as sub on sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_ssh_authentication_type.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_ssh_authentication_type.yaml
index 183c19827..2995dca73 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_ssh_authentication_type.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_ssh_authentication_type.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_ssh_authentication_type
 Title: "Check for SSH Authentication Type"
 Description: "Ensure that Azure Linux-based virtual machines (VMs) are configured to use SSH keys."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_daily_backup_retention_period.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_daily_backup_retention_period.yaml
index 6bf570633..36df5b6a3 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_daily_backup_retention_period.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_daily_backup_retention_period.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_sufficient_daily_backup_retention_period
 Title: "Check for Sufficient Daily Backup Retention Period"
 Description: "Ensure there is a sufficient daily backup retention period configured for Azure virtual machines."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,16 +25,18 @@ Query:
 left join azure_recovery_services_backup_policy as bp on bi.properties ->> 'PolicyID' = bp.id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_recovery_services_backup_item
- - azure_recovery_services_backup_policy
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_recovery_services_backup_item
+ - azure_recovery_services_backup_policy
+ - azure_subscription
 Parameters:
 - Key: azureSufficientDailyBackupRetention
 Required: true
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_instant_restore_retention_period.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_instant_restore_retention_period.yaml
index a4746f49e..19703e879 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_instant_restore_retention_period.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_sufficient_instant_restore_retention_period.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_sufficient_instant_restore_retention_period
 Title: "Check for Sufficient Instant Restore Retention Period"
 Description: "Ensure there is a sufficient instant restore retention period configured for Azure virtual machines."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,16 +25,18 @@ Query:
 left join azure_recovery_services_backup_policy as bp on bi.properties ->> 'PolicyID' = bp.id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_recovery_services_backup_item
- - azure_recovery_services_backup_policy
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_recovery_services_backup_item
+ - azure_recovery_services_backup_policy
+ - azure_subscription
 Parameters:
 - Key: azureSufficientInstantRestoreRetention
 Required: true
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_system_assigned_managed_identities.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_system_assigned_managed_identities.yaml
index 3badc69ee..2b6cd3202 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_system_assigned_managed_identities.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_system_assigned_managed_identities.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_system_assigned_managed_identities
 Title: "Check for System-Assigned Managed Identities"
 Description: "Ensure that Azure virtual machines are configured to use system-assigned managed identities."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id;
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unattached_virtual_machine_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unattached_virtual_machine_disk_volumes.yaml
index 84619cfed..72ab3f05a 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unattached_virtual_machine_disk_volumes.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unattached_virtual_machine_disk_volumes.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_unattached_virtual_machine_disk_volumes
 Title: "Check for Unattached Virtual Machine Disk Volumes"
 Description: "Remove any unattached Azure virtual machine (VM) disk volumes to improve security and reduce costs"
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -31,16 +29,18 @@ Query:
 sub.subscription_id = disk.subscription_id;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Orphaned Resources
+ - Orphaned Resources
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Orphaned Resources
+ - Orphaned Resources
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unused_load_balancers.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unused_load_balancers.yaml
index f16ab84a9..7f0472506 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unused_load_balancers.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_unused_load_balancers.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_unused_load_balancers
 Title: "Check for Unused Load Balancers"
 Description: "Identify and remove unused load balancers from your Microsoft Azure cloud account."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -38,16 +36,18 @@ Query:
 left join azure_subscription as sub on lb.subscription_id = sub.subscription_id
 PrimaryTable: azure_lb
 ListOfTables:
- - azure_lb
- - azure_subscription
+ - azure_lb
+ - azure_subscription
 Parameters: []
 Severity: low
 Tags:
 platform_score_cloud_service_name:
- - Azure Network
+ - Azure Network
 platform_score_use_case:
- - Orphaned Resources
+ - Orphaned Resources
 score_service_name:
- - Azure Network
+ - Azure Network
 score_tags:
- - Orphaned Resources
+ - Orphaned Resources
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_approved_extensions_only.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_approved_extensions_only.yaml
index 484cef07e..74163d9ab 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_approved_extensions_only.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_approved_extensions_only.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_usage_of_approved_extensions_only
 Title: "Check for usage of Approved Extensions Only"
 Description: "Ensure that only approved extensions are installed on your Microsoft Azure virtual machines."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -31,14 +29,16 @@ Query:
 left join azure_subscription as sub on sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters:
 - Key: azureAllowedVmExtentions
 Required: true
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_byok_for_disk_volumes_encryption.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_byok_for_disk_volumes_encryption.yaml
index 4a4a27a06..f80679634 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_byok_for_disk_volumes_encryption.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_byok_for_disk_volumes_encryption.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_usage_of_byok_for_disk_volumes_encryption
 Title: "Check for usage of BYOK for Disk Volumes Encryption"
 Description: "Use customer-managed keys for Microsoft Azure virtual machine (VM) disk volumes encryption."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,16 +25,18 @@ Query:
 sub.subscription_id = disk.subscription_id;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption.yaml
index 311eac765..d6b9d5266 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption
 Title: "Check for usage of Customer Managed Keys for Virtual Hard Disk Encryption"
 Description: "Ensure that Customer Managed Keys are used to encrypt Virtual Hard Disk (VHD) volumes."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,16 +25,18 @@ Query:
 sub.subscription_id = disk.subscription_id;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_endpoint_protection.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_endpoint_protection.yaml
index a4f545de4..3295b8b71 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_endpoint_protection.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_endpoint_protection.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_usage_of_endpoint_protection
 Title: "Check for usage of Endpoint Protection"
 Description: "Ensure that endpoint protection is installed on your Microsoft Azure virtual machines."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -31,16 +29,18 @@ Query:
 left join azure_subscription as sub on sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Unencrypted Traffic
+ - Unencrypted Traffic
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Unencrypted Traffic
+ - Unencrypted Traffic
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines.yaml
index 4c749c2a8..2ac76f3dd 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines
 Title: "Check for usage of Managed Disk Volumes for Virtual Machines"
 Description: "Ensure that your Microsoft Azure virtual machines are using managed disk volumes."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -29,16 +27,18 @@ Query:
 left join azure_subscription as sub on vm.subscription_id = sub.subscription_id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Lacking High Availability
+ - Lacking High Availability
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Lacking High Availability
+ - Lacking High Availability
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication.yaml
index 432e11d34..95872704a 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication
 Title: "Check for Virtual Machine Access using Microsoft Entra ID Authentication"
 Description: "Configure your Microsoft Azure virtual machines to use Microsoft Entra ID credentials for secure authentication."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -31,12 +29,14 @@ Query:
 left join azure_subscription as sub on sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_boot_diagnostics.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_boot_diagnostics.yaml
index d5642cd49..196ad6d36 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_boot_diagnostics.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_virtual_machine_boot_diagnostics.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_virtual_machine_boot_diagnostics
 Title: "Check for Virtual Machine Boot Diagnostics"
 Description: "Ensure that Microsoft Azure virtual machines are configured to use Boot Diagnostics feature."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id;
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_zone_redundant_virtual_machine_scale_sets.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_zone_redundant_virtual_machine_scale_sets.yaml
index 116c66c56..e40c6b7fa 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_check_for_zone_redundant_virtual_machine_scale_sets.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_check_for_zone_redundant_virtual_machine_scale_sets.yaml
@@ -1,8 +1,6 @@
 ID: azure_check_for_zone_redundant_virtual_machine_scale_sets
 Title: "Check for Zone-Redundant Virtual Machine Scale Sets"
 Description: "Ensure that Azure virtual machine scale sets are configured for zone redundancy."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,12 +25,14 @@ Query:
 sub.subscription_id = vm.subscription_id
 PrimaryTable: azure_compute_virtual_machine_scale_set
 ListOfTables:
- - azure_compute_virtual_machine_scale_set
- - azure_subscription
+ - azure_compute_virtual_machine_scale_set
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_boot_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_boot_disk_volumes.yaml
index 54a6ed7c9..daa6492a1 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_boot_disk_volumes.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_boot_disk_volumes.yaml
@@ -1,8 +1,6 @@
 ID: azure_disk_encryption_for_boot_disk_volumes
 Title: "Azure Disk Encryption for Boot Disk Volumes"
 Description: "Ensure that Azure Disk Encryption is enabled for Azure virtual machine boot volumes to protect data at rest."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -26,17 +24,19 @@ Query:
 left join azure_subscription as sub on vm.subscription_id = sub.subscription_id
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_disk
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_disk
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Unencrypted Storage
+ - Unencrypted Storage
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Unencrypted Storage
+ - Unencrypted Storage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_non_boot_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_non_boot_disk_volumes.yaml
index 9a8256325..76e990cac 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_non_boot_disk_volumes.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_non_boot_disk_volumes.yaml
@@ -1,8 +1,6 @@
 ID: azure_disk_encryption_for_non_boot_disk_volumes
 Title: "Azure Disk Encryption for Non Boot Disk Volumes"
 Description: "Ensure that Azure Disk Encryption is enabled for Microsoft Azure virtual machines for non-boot volumes."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -28,17 +26,19 @@ Query:
 d.name != vm.os_disk_name;
 PrimaryTable: azure_compute_virtual_machine
 ListOfTables:
- - azure_compute_disk
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_disk
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Unencrypted Storage
+ - Unencrypted Storage
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Unencrypted Storage
+ - Unencrypted Storage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_unattached_disk_volumes.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_unattached_disk_volumes.yaml
index 46941904a..c88274ed2 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_unattached_disk_volumes.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_disk_encryption_for_unattached_disk_volumes.yaml
@@ -1,8 +1,6 @@
 ID: azure_disk_encryption_for_unattached_disk_volumes
 Title: "Azure Disk Encryption for Unattached Disk Volumes"
 Description: "Ensure that Azure Disk Encryption is enabled for unattached Azure virtual machine disk volumes."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -27,16 +25,18 @@ Query:
 d.managed_by is null;
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Unencrypted Storage
+ - Unencrypted Storage
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Unencrypted Storage
+ - Unencrypted Storage
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_disks_should_use_standard_snapshots.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_disks_should_use_standard_snapshots.yaml
index c7adb482e..96ed9219c 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_disks_should_use_standard_snapshots.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_disks_should_use_standard_snapshots.yaml
@@ -1,8 +1,6 @@
 ID: azure_disks_should_use_standard_snapshots
 Title: "Disks should use standard snapshots"
 Description: "Use standard storage instead of premium storage for managed disk snapshots to save 60% on costs."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -31,16 +29,18 @@ Query:
 ss.subscription_id = sub.subscription_id;
 PrimaryTable: azure_compute_snapshot
 ListOfTables:
- - azure_compute_snapshot
- - azure_subscription
+ - azure_compute_snapshot
+ - azure_subscription
 Parameters: []
 Severity: medium
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Over Utilization
+ - Over Utilization
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Over Utilization
+ - Over Utilization
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_boot_disk_using_cmk.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_boot_disk_using_cmk.yaml
index efb9d121e..dd058d360 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_boot_disk_using_cmk.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_boot_disk_using_cmk.yaml
@@ -1,8 +1,6 @@
 ID: azure_server_side_encryption_for_boot_disk_using_cmk
 Title: "Server Side Encryption for Boot Disk using CMK"
 Description: "Ensure that Azure VM managed disk boot volumes are encrypted at rest using customer-managed keys (CMKs)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -28,17 +26,19 @@ Query:
 vm.id is not null
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_disk
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_non_boot_disk_using_cmk.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_non_boot_disk_using_cmk.yaml
index 46fe60741..1f3b5dca3 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_non_boot_disk_using_cmk.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_non_boot_disk_using_cmk.yaml
@@ -1,8 +1,6 @@
 ID: azure_server_side_encryption_for_non_boot_disk_using_cmk
 Title: "Server Side Encryption for Non-Boot Disk using CMK"
 Description: "Ensure that Azure VM data disk volumes are encrypted at rest using customer-managed keys (CMKs)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -28,17 +26,19 @@ Query:
 vm.id is not null
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_compute_virtual_machine
- - azure_subscription
+ - azure_compute_disk
+ - azure_compute_virtual_machine
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_unattached_disk_using_cmk.yaml b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_unattached_disk_using_cmk.yaml
index dd47b291d..9dcd91ccb 100644
--- a/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_unattached_disk_using_cmk.yaml
+++ b/compliance/controls/baseline/azure/virtual_machine/azure_server_side_encryption_for_unattached_disk_using_cmk.yaml
@@ -1,8 +1,6 @@
 ID: azure_server_side_encryption_for_unattached_disk_using_cmk
 Title: "Server Side Encryption for Unattached Disk using CMK"
 Description: "Ensure that unattached managed disk volumes are encrypted at rest using customer-managed keys (CMKs)."
-Connector:
-- azure
 Query:
 Engine: odysseus-v0.0.1
 QueryToExecute: |
@@ -28,16 +26,18 @@ Query:
 and disk_state = 'Unattached'
 PrimaryTable: azure_compute_disk
 ListOfTables:
- - azure_compute_disk
- - azure_subscription
+ - azure_compute_disk
+ - azure_subscription
 Parameters: []
 Severity: high
 Tags:
 platform_score_cloud_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 platform_score_use_case:
- - Insecure Keys
+ - Insecure Keys
 score_service_name:
- - Azure Virtual Machines
+ - Azure Virtual Machines
 score_tags:
- - Insecure Keys
+ - Insecure Keys
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/baseline/shared/cost/kaytu_connection_mom_cost_growth.yaml b/compliance/controls/baseline/shared/cost/kaytu_connection_mom_cost_growth.yaml
index 0062028a5..55f8f9032 100644
--- a/compliance/controls/baseline/shared/cost/kaytu_connection_mom_cost_growth.yaml
+++ b/compliance/controls/baseline/shared/cost/kaytu_connection_mom_cost_growth.yaml
@@ -1,77 +1,28 @@ ID: og_connection_mom_cost_growth Title: "MoM growth for a connection that has a cost more than a certain amount cannot grow more than a certain percentage" Description: "MoM growth for a connection that has a cost more than a certain amount cannot grow more than a certain percentage" -Connector: -- aws -- azure Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - with last30 as ( - SELECT connection_id, SUM(cost_value) as cost_value - FROM og_cost - WHERE period_start::timestamp >= NOW() - interval '31 days' and period_end::timestamp <= NOW() - GROUP BY connection_id - ), - last60to30 as ( - SELECT connection_id, SUM(cost_value) as cost_value - FROM og_cost - WHERE period_start::timestamp >= NOW() - interval '62 days' and period_end::timestamp <= NOW() - interval '31 days' - GROUP BY connection_id - ), - last_valid_60 as ( - SELECT - l.connection_id as connection_id, - l.cost_value as last30_cost_value, - s.cost_value as last60to30_cost_value - FROM last30 as l JOIN last60to30 as s on (l.connection_id = s.connection_id) - WHERE l.cost_value > {{.kaytuConnectionMoMCostGrowthMinCost}} - ) - SELECT - case - when aw.account_id IS NOT NULL then aw.account_id - when az.subscription_id IS NOT NULL then az.subscription_id - end as resource, - case - when aw.og_account_id IS NOT NULL then aw.og_account_id - when az.og_account_id IS NOT NULL then az.og_account_id - end as og_account_id, - case - when aw.og_resource_id IS NOT NULL then aw.og_resource_id - when az.og_resource_id IS NOT NULL then az.og_resource_id - end as og_resource_id, - case - when aw.account_id IS NOT NULL then 'aws_account' - when az.subscription_id IS NOT NULL then 'azure_subscription' - end as og_table_name, - case - when (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.kaytuConnectionMoMCostGrowthAllowedGrowth}} then 'alarm' - else 'ok' - end as status, - case - when aw.account_id IS NOT NULL AND (l.last30_cost_value - l.last60to30_cost_value) / 
l.last30_cost_value > {{.kaytuConnectionMoMCostGrowthAllowedGrowth}} then aw.account_id || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth' - when az.subscription_id IS NOT NULL AND (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.kaytuConnectionMoMCostGrowthAllowedGrowth}} then az.subscription_id || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth' - else 'Connection did not have more than allowed growth' - end as reason - FROM last_valid_60 as l - left join aws_account as aw on aw.og_account_id = l.connection_id - left join azure_subscription as az on az.og_account_id = l.connection_id + QueryToExecute: "with last30 as (\n SELECT connection_id, SUM(cost_value) as cost_value\n FROM og_cost\n WHERE period_start::timestamp >= NOW() - interval '31 days' and period_end::timestamp <= NOW()\n GROUP BY connection_id\n),\nlast60to30 as (\n SELECT connection_id, SUM(cost_value) as cost_value\n FROM og_cost\n WHERE period_start::timestamp >= NOW() - interval '62 days' and period_end::timestamp <= NOW() - interval '31 days'\n GROUP BY connection_id\n),\nlast_valid_60 as (\n SELECT \n l.connection_id as connection_id,\n l.cost_value as last30_cost_value,\n s.cost_value as last60to30_cost_value\n FROM last30 as l JOIN last60to30 as s on (l.connection_id = s.connection_id)\n WHERE l.cost_value > {{.kaytuConnectionMoMCostGrowthMinCost}}\n)\nSELECT \n case \n when aw.account_id IS NOT NULL then aw.account_id\n when az.subscription_id IS NOT NULL then az.subscription_id\n end as resource,\n case\n when aw.og_account_id IS NOT NULL then aw.og_account_id\n when az.og_account_id IS NOT NULL then az.og_account_id\n end as og_account_id,\n case\n when aw.og_resource_id IS NOT NULL then aw.og_resource_id\n when az.og_resource_id IS NOT NULL then az.og_resource_id\n end as og_resource_id,\n case\n when aw.account_id IS NOT 
NULL then 'aws_account'\n when az.subscription_id IS NOT NULL then 'azure_subscription'\n end as og_table_name, \n case \n when (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.kaytuConnectionMoMCostGrowthAllowedGrowth}} then 'alarm'\n else 'ok'\n end as status,\n case \n when aw.account_id IS NOT NULL AND (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.kaytuConnectionMoMCostGrowthAllowedGrowth}} then aw.account_id || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth'\n when az.subscription_id IS NOT NULL AND (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.kaytuConnectionMoMCostGrowthAllowedGrowth}} then az.subscription_id || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth'\n else 'Connection did not have more than allowed growth'\n end as reason\nFROM last_valid_60 as l \n left join aws_account as aw on aw.og_account_id = l.connection_id\n left join azure_subscription as az on az.og_account_id = l.connection_id\n" PrimaryTable: "" ListOfTables: - - aws_account - - azure_subscription + - aws_account + - azure_subscription Parameters: - - Key: kaytuConnectionMoMCostGrowthMinCost - Required: true - - Key: kaytuConnectionMoMCostGrowthAllowedGrowth - Required: true + - Key: kaytuConnectionMoMCostGrowthMinCost + Required: true + - Key: kaytuConnectionMoMCostGrowthAllowedGrowth + Required: true Severity: high Tags: platform_score_cloud_service_name: - - TODO + - TODO platform_score_use_case: - - TODO + - TODO score_service_name: - - TODO + - TODO score_tags: - - TODO + - TODO +IntegrationTypeName: + - aws_cloud + - azure_subscription diff --git a/compliance/controls/baseline/shared/cost/kaytu_mom_cost_growth_15.yaml b/compliance/controls/baseline/shared/cost/kaytu_mom_cost_growth_15.yaml index ca8a4d898..1a1543e59 100644 
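Review bot: The new `QueryToExecute` is a single double-quoted scalar with embedded `\n` escapes where the old side was a `|` block scalar, so a multi-line SQL statement is now one unreadable line and every future change to it will diff as one giant line; the same flattening happens in the `og_mom_cost_growth_15` hunk that follows. This looks like a side effect of re-serialising the file rather than an intended change, since the text itself is unchanged, though that is inferred. Restoring `QueryToExecute: |` with the SQL on its own lines keeps the `{{.kaytuConnectionMoMCostGrowthMinCost}}` and `{{.kaytuConnectionMoMCostGrowthAllowedGrowth}}` placeholders and the `'alarm'`/`'ok'` status logic reviewable line by line, and a `yamllint` line-length rule would catch the regression on the next run.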
--- a/compliance/controls/baseline/shared/cost/kaytu_mom_cost_growth_15.yaml
+++ b/compliance/controls/baseline/shared/cost/kaytu_mom_cost_growth_15.yaml
@@ -1,78 +1,28 @@ ID: og_mom_cost_growth_15 Title: "MoM growth for a service that is >$100 cannot grow more than 15%" Description: "MoM growth for a service that is >$100 cannot grow more than 15%" -Connector: -- aws -- azure Query: Engine: odysseus-v0.0.1 - QueryToExecute: | - with last30 as ( - SELECT connection_id, metric_id, metric_name, SUM(cost_value) as cost_value - FROM og_cost - WHERE period_start::timestamp >= NOW() - interval '31 days' and period_end::timestamp <= NOW() - GROUP BY connection_id, metric_id, metric_name - ), - last60to30 as ( - SELECT connection_id, metric_id, metric_name, SUM(cost_value) as cost_value - FROM og_cost - WHERE period_start::timestamp >= NOW() - interval '62 days' and period_end::timestamp <= NOW() - interval '31 days' - GROUP BY connection_id, metric_id, metric_name - ), - last_valid_60 as ( - SELECT - l.connection_id as connection_id, - l.metric_id as metric_id, - l.metric_name as metric_name, - l.cost_value as last30_cost_value, - s.cost_value as last60to30_cost_value - FROM last30 as l JOIN last60to30 as s on (l.connection_id = s.connection_id and l.metric_id = s.metric_id) - WHERE l.cost_value > {{.kaytuMoMCostGrowthMinCost}} - ) - SELECT - case - when aw.account_id IS NOT NULL then aw.account_id || ' - ' || l.metric_id - when az.subscription_id IS NOT NULL then az.subscription_id || ' - ' || l.metric_id - end as resource, - case - when aw.og_account_id IS NOT NULL then aw.og_account_id - when az.og_account_id IS NOT NULL then az.og_account_id - end as og_account_id, - case - when aw.og_resource_id IS NOT NULL then aw.og_resource_id - when az.og_resource_id IS NOT NULL then az.og_resource_id - end as og_resource_id, - case - when aw.account_id IS NOT NULL then 'aws_account' - when az.subscription_id IS NOT NULL then 'azure_subscription' - end as og_table_name, - case - when (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.kaytuMoMCostGrowthAllowedGrowth}} then 'alarm' - else 'ok' - end as 
status, - case - when (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.kaytuMoMCostGrowthAllowedGrowth}} then l.metric_name || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth' - else l.metric_name || ' did not have more than allowed growth' - end as reason - FROM last_valid_60 as l - left join aws_account as aw on aw.og_account_id = l.connection_id - left join azure_subscription as az on az.og_account_id = l.connection_id + QueryToExecute: "with last30 as (\n SELECT connection_id, metric_id, metric_name, SUM(cost_value) as cost_value\n FROM og_cost\n WHERE period_start::timestamp >= NOW() - interval '31 days' and period_end::timestamp <= NOW()\n GROUP BY connection_id, metric_id, metric_name\n),\nlast60to30 as (\n SELECT connection_id, metric_id, metric_name, SUM(cost_value) as cost_value\n FROM og_cost\n WHERE period_start::timestamp >= NOW() - interval '62 days' and period_end::timestamp <= NOW() - interval '31 days'\n GROUP BY connection_id, metric_id, metric_name\n),\nlast_valid_60 as (\n SELECT \n l.connection_id as connection_id,\n l.metric_id as metric_id,\n l.metric_name as metric_name,\n l.cost_value as last30_cost_value,\n s.cost_value as last60to30_cost_value\n FROM last30 as l JOIN last60to30 as s on (l.connection_id = s.connection_id and l.metric_id = s.metric_id)\n WHERE l.cost_value > {{.kaytuMoMCostGrowthMinCost}}\n)\nSELECT \n case \n when aw.account_id IS NOT NULL then aw.account_id || ' - ' || l.metric_id\n when az.subscription_id IS NOT NULL then az.subscription_id || ' - ' || l.metric_id\n end as resource,\n case\n when aw.og_account_id IS NOT NULL then aw.og_account_id\n when az.og_account_id IS NOT NULL then az.og_account_id\n end as og_account_id,\n case\n when aw.og_resource_id IS NOT NULL then aw.og_resource_id\n when az.og_resource_id IS NOT NULL then az.og_resource_id\n end as og_resource_id,\n case\n when aw.account_id IS NOT NULL then 
'aws_account'\n when az.subscription_id IS NOT NULL then 'azure_subscription'\n end as og_table_name, \n case \n when (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.kaytuMoMCostGrowthAllowedGrowth}} then 'alarm'\n else 'ok'\n end as status,\n case \n when (l.last30_cost_value - l.last60to30_cost_value) / l.last30_cost_value > {{.kaytuMoMCostGrowthAllowedGrowth}} then l.metric_name || ' cost grew from ' || l.last60to30_cost_value || ' to ' || l.last30_cost_value || ' which is more than allowed growth'\n else l.metric_name || ' did not have more than allowed growth'\n end as reason\nFROM last_valid_60 as l \n left join aws_account as aw on aw.og_account_id = l.connection_id\n left join azure_subscription as az on az.og_account_id = l.connection_id\n" PrimaryTable: "" ListOfTables: - - aws_account - - azure_subscription + - aws_account + - azure_subscription Parameters: - - Key: kaytuMoMCostGrowthMinCost - Required: true - - Key: kaytuMoMCostGrowthAllowedGrowth - Required: true + - Key: kaytuMoMCostGrowthMinCost + Required: true + - Key: kaytuMoMCostGrowthAllowedGrowth + Required: true Severity: high Tags: platform_score_cloud_service_name: - - TODO + - TODO platform_score_use_case: - - TODO + - TODO score_service_name: - - TODO + - TODO score_tags: - - TODO + - TODO +IntegrationTypeName: + - aws_cloud + - azure_subscription diff --git a/compliance/controls/bulk_update_yaml.sh b/compliance/controls/bulk_update_yaml.sh new file mode 100755 index 000000000..b719397f4 --- /dev/null +++ b/compliance/controls/bulk_update_yaml.sh 
@@ -0,0 +1,67 @@ +#!/bin/bash + +# Description: +# This script traverses all subdirectories to find YAML files containing the 'Connector' key +# and renames the key to 'IntegrationTypeName' while mapping specific values. + +# Define the root directory (current directory) +ROOT_DIR="." + +# Create or clear the log files +> processed_files.log +> error_files.log +> error_messages.log + +# Find all .yaml and .yml files +find "$ROOT_DIR" -type f \( -iname "*.yaml" -o -iname "*.yml" \) -print0 | while IFS= read -r -d '' file; do + # Check if the file contains the 'Connector:' key + if grep -q '^Connector:' "$file"; then + echo "Processing: $file" + + # Apply the yq transformation with enhanced handling + if yq eval -i ' + .IntegrationTypeName = ( + if type == "array" then + .Connector | map( + { + "aws": "aws_cloud", + "azure": "azure_subscription" + }[.] // . + ) + else + { + "aws": "aws_cloud", + "azure": "azure_subscription" + }[.] // . + end + ) | + del(.Connector) + ' "$file"; then + echo "$file processed successfully." >> processed_files.log + else + echo "Error processing $file" >> error_files.log + # Capture detailed error messages + yq eval -i ' + .IntegrationTypeName = ( + if type == "array" then + .Connector | map( + { + "aws": "aws_cloud", + "azure": "azure_subscription" + }[.] // . + ) + else + { + "aws": "aws_cloud", + "azure": "azure_subscription" + }[.] // . + end + ) | + del(.Connector) + ' "$file" 2>> error_messages.log + fi + fi +done + +echo "Bulk update completed. Check 'processed_files.log' for details." +echo "Any errors are logged in 'error_files.log' and 'error_messages.log'." diff --git a/compliance/controls/error_files.log b/compliance/controls/error_files.log new file mode 100644 index 000000000..e69de29bb diff --git a/compliance/controls/pending/aws/aws_backup_report_plan_configured.yaml b/compliance/controls/pending/aws/aws_backup_report_plan_configured.yaml index b84875524..aa08750f9 100755 
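Review bot: In the failure branch the script re-runs the identical `yq eval -i` in-place edit on the same file purely to capture stderr, so a file that failed once is rewritten (or re-attempted) a second time with no guard; capture stderr on the first invocation (`… "$file" 2>> error_messages.log; then`) and drop the duplicate block. The `if type == "array"` test is evaluated against the document root, not against `.Connector`, so unless yq resolves it differently than it reads here the array branch is never taken and the fallback `{…}[.] // .` is applied to the whole mapping — pipe `.Connector` into the `if` so the map/non-map cases are decided on the value being converted. The script has no `set -euo pipefail` and no check that `yq` is installed, so a missing binary simply logs every file as an error; the logs are also written into the working tree, and this same change commits an empty `compliance/controls/error_files.log`, which should be gitignored or written under a temp dir instead. Because `yq -i` re-serialises every file it touches, the other hunks in this change show block-scalar queries turned into escaped double-quoted strings; that side effect is worth calling out in the script header so reviewers know the diff noise is expected.
```shell
set -euo pipefail
command -v yq >/dev/null 2>&1 || { echo "yq is required" >&2; exit 1; }
# … unchanged: ROOT_DIR, log setup, find/while loop and the grep test …
        if yq eval -i '
          .IntegrationTypeName = (
            .Connector
            | if type == "array"
              then map({"aws": "aws_cloud", "azure": "azure_subscription"}[.] // .)
              else {"aws": "aws_cloud", "azure": "azure_subscription"}[.] // .
              end
          ) | del(.Connector)
        ' "$file" 2>> error_messages.log; then
            echo "$file processed successfully." >> processed_files.log
        else
            echo "Error processing $file" >> error_files.log
        fi
```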
--- a/compliance/controls/pending/aws/aws_backup_report_plan_configured.yaml +++ b/compliance/controls/pending/aws/aws_backup_report_plan_configured.yaml 
@@ -1,49 +1,13 @@ ID: aws_backup_report_plan_configured Title: "Backup report plan should exist in a region where backup plan is enabled" Description: "Ensure that there is a minimum of one backup report plan in each region. The rule will be considered non-compliant if a region with backup plans does not have any backup report plans." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with backup_plan_configured_regions as ( - select - distinct region, - account_id - from - aws_backup_plan - group by - region, - account_id - ), backup_report_plan_configured as ( - select - distinct region, - account_id - from - aws_backup_report_plan - group by - region, - account_id - ) - select - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, - case - when cp.region is not null and rp.region is not null then 'ok' - when cp.region is not null and rp.region is null then 'alarm' - else 'info' - end as status, - case - when cp.region is not null and rp.region is not null then 'Backup report plan(s) exist in region ' || r.region || '.' - when cp.region is not null and rp.region is null then 'No backup report plan(s) exist in region ' || r.region || '.' - else 'No backup plan(s) configured in region ' || r.region || '.' 
- end as reason - - from - aws_region as r - left join backup_plan_configured_regions as cp on r.account_id = cp.account_id and r.region = cp.region - left join backup_report_plan_configured as rp on r.account_id = rp.account_id and r.region = rp.region; + QueryToExecute: "with backup_plan_configured_regions as (\n select\n distinct region,\n account_id\n from\n aws_backup_plan\n group by\n region,\n account_id\n), backup_report_plan_configured as (\n select\n distinct region,\n account_id\n from\n aws_backup_report_plan\n group by\n region,\n account_id\n)\nselect\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\n case\n when cp.region is not null and rp.region is not null then 'ok'\n when cp.region is not null and rp.region is null then 'alarm'\n else 'info'\n end as status,\n case\n when cp.region is not null and rp.region is not null then 'Backup report plan(s) exist in region ' || r.region || '.'\n when cp.region is not null and rp.region is null then 'No backup report plan(s) exist in region ' || r.region || '.'\n else 'No backup plan(s) configured in region ' || r.region || '.'\n end as reason\n \nfrom\n aws_region as r\n left join backup_plan_configured_regions as cp on r.account_id = cp.account_id and r.region = cp.region\n left join backup_report_plan_configured as rp on r.account_id = rp.account_id and r.region = rp.region;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_compute_service_v100_2_7.yaml b/compliance/controls/pending/aws/aws_cis_compute_service_v100_2_7.yaml index 628032e2d..853a30634 100755 --- a/compliance/controls/pending/aws/aws_cis_compute_service_v100_2_7.yaml +++ b/compliance/controls/pending/aws/aws_cis_compute_service_v100_2_7.yaml 
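Review bot: The `QueryToExecute` block scalar was collapsed into a single double-quoted string with `\n` escapes, which makes the SQL unreviewable and undiffable; the visible `end as reason\n \nfrom` shows a line consisting of a single space, and a literal `|` block cannot carry trailing whitespace, which is presumably why the serialiser fell back to quoted style. Strip the trailing whitespace from the query body and restore `QueryToExecute: |` so future changes to the control logic show up line by line. The file also keeps `PrimaryTable: ""` and `ListOfTables: []` even though the query reads `aws_region`, `aws_backup_plan` and `aws_backup_report_plan`; the non-pending controls in this same change populate those fields, so if the scheduler uses them to decide when a control is re-evaluated this one would never be refreshed — worth confirming and filling in (`PrimaryTable: aws_region`).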
@@ -1,34 +1,13 @@ ID: aws_cis_compute_service_v100_2_7 Title: "2.7 Ensure Default EC2 Security groups are not being used" Description: "When an EC2 instance is launched a specified custom security group should be assigned to the instance." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn resource, - case - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has inbound and outbound rules.' - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0 - then 'Default security group ' || group_id || ' has inbound rules.' - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has outbound rules.' - else 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- end reason - - - from - aws_vpc_security_group - where - group_name = 'default'; + QueryToExecute: "select\n arn resource,\n case\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has inbound and outbound rules.'\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0\n then 'Default security group ' || group_id || ' has inbound rules.'\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has outbound rules.'\n else 'Default security group ' || group_id || ' has no inbound or outbound rules.'\n end reason\n \n \nfrom\n aws_vpc_security_group\nwhere\n group_name = 'default';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_compute_service_v100_3_4.yaml b/compliance/controls/pending/aws/aws_cis_compute_service_v100_3_4.yaml index 206036e5e..7ef701c89 100755 --- a/compliance/controls/pending/aws/aws_cis_compute_service_v100_3_4.yaml +++ b/compliance/controls/pending/aws/aws_cis_compute_service_v100_3_4.yaml @@ -1,8 +1,6 @@ ID: aws_cis_compute_service_v100_3_4 Title: "3.4 Ensure SSH is restricted to only IP address that should have this access" Description: "Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should identify which IP address need access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -53,3 +51,5 @@ Query: Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
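Review bot: The `status` and `reason` branches disagree when either `ip_permissions` or `ip_permissions_egress` is null: `jsonb_array_length(null) = 0` is null, so the status case falls through to `'alarm'` while the reason case falls through to `'… has no inbound or outbound rules.'`, producing an alarm with a message that says the group is clean. Wrap both columns as `coalesce(jsonb_array_length(ip_permissions), 0)` (and the egress column likewise) so an absent rule list is treated as empty in both places. Note also that the control only reports whether the `default` group has rules, not whether it is attached to any instance, which is a narrower check than the title's "not being used" — a one-line comment above the query stating that scope would help. As in the sibling hunks, the query lost its `|` block style because of the `end reason\n \n \nfrom` trailing-whitespace lines; trimming them and restoring the block scalar keeps the SQL reviewable.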
diff --git a/compliance/controls/pending/aws/aws_cis_v120_1_10.yaml b/compliance/controls/pending/aws/aws_cis_v120_1_10.yaml index 44fc8d83e..ec16252a8 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_1_10.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_1_10.yaml @@ -1,28 +1,13 @@ ID: aws_cis_v120_1_10 Title: "1.10 Ensure IAM password policy prevents password reuse" Description: "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when password_reuse_prevention >= 24 then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - when password_reuse_prevention is null then 'Password reuse prevention not set.' - else 'Password reuse prevention set to ' || password_reuse_prevention || '.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when password_reuse_prevention >= 24 then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n when password_reuse_prevention is null then 'Password reuse prevention not set.'\n else 'Password reuse prevention set to ' || password_reuse_prevention || '.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_1_14.yaml b/compliance/controls/pending/aws/aws_cis_v120_1_14.yaml index 575cc1923..628e436d3 100755 
--- a/compliance/controls/pending/aws/aws_cis_v120_1_14.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_1_14.yaml 
@@ -1,28 +1,13 @@ ID: aws_cis_v120_1_14 Title: "1.14 Ensure hardware MFA is enabled for the \\\"root\\\" account" Description: "The root account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root account be protected with a hardware MFA." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || s.partition || ':::' || s.account_id as resource, - case - when s.account_mfa_enabled and d.serial_number is null then 'ok' - else 'alarm' - end status, - case - when s.account_mfa_enabled = false then 'MFA not enabled for root account.' - when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.' - else 'Hardware MFA device enabled for root account.' - end reason - - from - aws_iam_account_summary as s - left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root'; + QueryToExecute: "select\n 'arn:' || s.partition || ':::' || s.account_id as resource,\n case\n when s.account_mfa_enabled and d.serial_number is null then 'ok'\n else 'alarm'\n end status,\n case\n when s.account_mfa_enabled = false then 'MFA not enabled for root account.'\n when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'\n else 'Hardware MFA device enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary as s\n left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
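Review bot: The "hardware" determination rests entirely on the absence of a row in `aws_iam_virtual_mfa_device` for the root ARN, so any account where `account_mfa_enabled` is true and the virtual-device inventory is missing or stale will be reported `ok` as hardware-protected; a comment above the query should state that assumption (`-- hardware MFA is inferred: root MFA on and no virtual device bound to the root ARN`) so consumers do not read the result as a positive check. The context line `Title: "1.14 Ensure hardware MFA is enabled for the \\\"root\\\" account"` is a double-quoted YAML scalar, so it decodes with literal backslashes (`\"root\"`) in the rendered title; `\"root\"` alone gives the intended quotes. The query also lost its block-scalar layout to a trailing-whitespace line (`end reason\n \nfrom`), and `ListOfTables: []` omits the two tables it reads — both worth fixing while the file is being rewritten.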
diff --git a/compliance/controls/pending/aws/aws_cis_v120_1_5.yaml b/compliance/controls/pending/aws/aws_cis_v120_1_5.yaml index d9cefe977..4ea38d59f 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_1_5.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_1_5.yaml @@ -1,28 +1,13 @@ ID: aws_cis_v120_1_5 Title: "1.5 Ensure IAM password policy requires at least one uppercase letter" Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one uppercase letter." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when require_uppercase_characters then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - when require_uppercase_characters then 'Uppercase character required.' - else 'Uppercase character not required.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when require_uppercase_characters then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n when require_uppercase_characters then 'Uppercase character required.'\n else 'Uppercase character not required.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_1_6.yaml b/compliance/controls/pending/aws/aws_cis_v120_1_6.yaml index db45a366f..5686a77c4 100755 
--- a/compliance/controls/pending/aws/aws_cis_v120_1_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_1_6.yaml @@ -1,28 +1,13 @@ ID: aws_cis_v120_1_6 Title: "1.6 Ensure IAM password policy require at least one lowercase letter" Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one lowercase letter." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when require_lowercase_characters then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - when require_lowercase_characters then 'Lowercase character required.' - else 'Lowercase character not required.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when require_lowercase_characters then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n when require_lowercase_characters then 'Lowercase character required.'\n else 'Lowercase character not required.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_1_7.yaml b/compliance/controls/pending/aws/aws_cis_v120_1_7.yaml index a54d61fef..8f3a4b06d 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_1_7.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_1_7.yaml 
@@ -1,28 +1,13 @@ ID: aws_cis_v120_1_7 Title: "1.7 Ensure IAM password policy require at least one symbol" Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets. It is recommended that the password policy require at least one symbol." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when require_symbols then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - when require_symbols then 'Symbol required.' - else 'Symbol not required.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when require_symbols then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n when require_symbols then 'Symbol required.'\n else 'Symbol not required.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_1_9.yaml b/compliance/controls/pending/aws/aws_cis_v120_1_9.yaml index bdea0dae0..3968b139d 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_1_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_1_9.yaml 
@@ -1,27 +1,13 @@ ID: aws_cis_v120_1_9 Title: "1.9 Ensure IAM password policy requires minimum length of 14 or greater" Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when minimum_password_length >= 14 then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - else 'Minimum password length set to ' || minimum_password_length || '.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when minimum_password_length >= 14 then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n else 'Minimum password length set to ' || minimum_password_length || '.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_2_1.yaml b/compliance/controls/pending/aws/aws_cis_v120_2_1.yaml index d5854330f..5938ea466 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_2_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_2_1.yaml 
@@ -1,48 +1,13 @@ ID: aws_cis_v120_2_1 Title: "2.1 Ensure CloudTrail is enabled in all regions" Description: "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as e - where - (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All') - ), - advanced_event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements_text(advanced_event_selectors) as a - where - -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType - (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%')) - ) - select - a.title as resource, - case - when d.account_id is null and ad.account_id is null then 'alarm' - else 'ok' - end as status, - case - when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.' - else 'cloudtrail enabled.' 
- end as reason - - - from - aws_account as a - left join event_selectors_trail_details as d on d.account_id = a.account_id - left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id; + QueryToExecute: "with event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as e\n where\n (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All')\n),\nadvanced_event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements_text(advanced_event_selectors) as a\n where\n -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType\n (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%'))\n)\nselect\n a.title as resource,\n case\n when d.account_id is null and ad.account_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.'\n else 'cloudtrail enabled.'\n end as reason\n\n \nfrom\n aws_account as a\n left join event_selectors_trail_details as d on d.account_id = a.account_id\n left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_3_1.yaml b/compliance/controls/pending/aws/aws_cis_v120_3_1.yaml index 35d42860e..2dd292a17 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_3_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_3_1.yaml 
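Review bot: The `advanced_event_selectors_trail_details` CTE decides read/write coverage with a substring test, `not a like '%readOnly%'`, over the whole selector text, so any selector whose name or field values happen to contain the string `readOnly` is discarded even when it has no readOnly field selector, and the trail can be reported as `cloudtrail disabled.`; testing the `FieldSelectors` entries for `Field = 'readOnly'` would be precise, though the exact JSON shape of that column is not visible here and should be confirmed. This control keys its finding on `a.title as resource` while the other account-level controls in this change use `'arn:' || partition || ':::' || account_id`; using the same ARN form here keeps findings for one account aggregatable across controls. The inline `--` comment in the string now only survives inside an escaped `\n` sequence — restoring `QueryToExecute: |` (after removing the trailing-whitespace lines visible as `\n\n \n`) keeps that explanation readable.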
@@ -1,90 +1,13 @@ ID: aws_cis_v120_3_1 Title: "3.1 Ensure a log metric filter and alarm exist for unauthorized API calls" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' 
|| a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.' - else filter_name || ' forwards events for unauthorized API calls.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\$\\.errorCode\\s*=\\s*\"\\*UnauthorizedOperation\".+\\$\\.errorCode\\s*=\\s*\"AccessDenied\\*\".+\\$\\.sourceIPAddress\\s*!=\\s*\"delivery.logs.amazonaws.com\".+\\$\\.eventName\\s*!=\\s*\"HeadBucket\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.'\n else filter_name || ' forwards events for unauthorized API calls.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_3_10.yaml b/compliance/controls/pending/aws/aws_cis_v120_3_10.yaml index cdb938e74..1023e8a54 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_3_10.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_3_10.yaml 
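Review bot: The filter-pattern regex is now carried as a double-quoted YAML string with doubled backslashes (`'\\$\\.errorCode\\s*=\\s*\"\\*UnauthorizedOperation\"…'`); that decodes to the original pattern, but a single backslash dropped in a future hand edit turns `\\.` into `.` or `\\$` into an end-of-line anchor, and the control will silently start accepting or rejecting wrong filters rather than failing. Restore the `|` block scalar (the conversion appears to be triggered only by the `end as reason\n \nfrom` whitespace-only line) so the pattern is stored once, unescaped. The pattern also hard-codes the clause order of the CIS reference filter (`errorCode` … `AccessDenied` … `sourceIPAddress` … `HeadBucket`), so an equivalent filter with the clauses reordered is alarmed; a comment above the CTE should say that only the reference ordering is recognised, or the match should be split into one `~` test per clause. Finally `filter_data` joins `alarms` on `metric_name` alone, so an alarm on a same-named metric in another namespace would satisfy the check — if the alarm table exposes the namespace, join on it as well.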
@@ -1,90 +1,13 @@ ID: aws_cis_v120_3_10 Title: "3.10 Ensure a log metric filter and alarm exist for security group changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established changes to Security Groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = 
t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.' - else filter_name || ' forwards events for security group changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*CreateSecurityGroup.+\\$\\.eventName\\s*=\\s*DeleteSecurityGroup'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n 
t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.'\n else filter_name || ' forwards events for security group changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_3_2.yaml b/compliance/controls/pending/aws/aws_cis_v120_3_2.yaml index 26659c405..698bf2332 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_3_2.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_3_2.yaml 
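Review bot: The `topic_subscriptions` CTE accepts any row from `aws_sns_topic_subscription`, so a topic whose only subscription is still unconfirmed satisfies the "alarm is delivered to a subscriber" leg of the check; if the table exposes a pending-confirmation marker (for example a `subscription_arn` of `PendingConfirmation`, which is how SNS reports it), filter those rows out so the control does not report `ok` for an alarm nobody receives. The six `eventName` clauses in the regex must appear in exactly this order (`AuthorizeSecurityGroupIngress` … `DeleteSecurityGroup`), so a reordered but equivalent filter is alarmed; the leading `\\s*` is also redundant since the match is unanchored. As with the other rewritten controls, the pattern now lives in a double-quoted string with doubled backslashes, which is the form most likely to be mis-edited; trimming the `end as reason\n \nfrom` whitespace line and returning to `QueryToExecute: |` removes the escaping entirely.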
@@ -1,90 +1,13 @@ ID: aws_cis_v120_3_2 Title: "3.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\(\s*\$\.eventName\s*=\s*"ConsoleLogin"\)\s+&&\s+\(\s*\$.additionalEventData\.MFAUsed\s*!=\s*"Yes"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.' - else filter_name || ' forwards events for console sign-in without MFA.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\(\\s*\\$\\.eventName\\s*=\\s*\"ConsoleLogin\"\\)\\s+&&\\s+\\(\\s*\\$.additionalEventData\\.MFAUsed\\s*!=\\s*\"Yes\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null 
then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.'\n else filter_name || ' forwards events for console sign-in without MFA.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_3_3.yaml b/compliance/controls/pending/aws/aws_cis_v120_3_3.yaml index 1c9d99c77..e8aa1795f 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_3_3.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_3_3.yaml 
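Review bot: The MFA filter regex in the new QueryToExecute string leaves the dot in `\\$.additionalEventData` unescaped while every other dot in the pattern is escaped (`\\$\\.eventName`, `\\.MFAUsed`), so that position matches any character; it is harmless against the CIS pattern but inconsistent, and tightening it to `\\$\\.additionalEventData\\.MFAUsed` costs nothing. The doubled backslashes and `\"` escapes inside the double-quoted YAML scalar decode to the same `\(\s*\$\.eventName…` text the removed block scalar carried, so apart from that dot the regex is unchanged by the rewrite. Because the pattern now lives in a single quoted line, a comment directly above the key such as `# QueryToExecute is a double-quoted scalar: every regex backslash must be written doubled` would keep the next editor from breaking it.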
@@ -1,90 +1,13 @@ ID: aws_cis_v120_3_3 Title: "3.3 Ensure a log metric filter and alarm exist for usage of \\\"root\\\" account" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, 
- case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for usage of "root" account.' - else filter_name || ' forwards events for usage of "root" account.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.userIdentity\\.type\\s*=\\s*\"Root\".+\\$\\.userIdentity\\.invokedBy NOT EXISTS.+\\$\\.eventType\\s*!=\\s*\"AwsServiceEvent\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as 
status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for usage of \"root\" account.'\n else filter_name || ' forwards events for usage of \"root\" account.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_3_4.yaml b/compliance/controls/pending/aws/aws_cis_v120_3_4.yaml index b65c17ce4..44c53c606 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_3_4.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_3_4.yaml 
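Review bot: The Title context line reads `usage of \\\"root\\\" account`, which a YAML double-quoted scalar decodes to `usage of \"root\" account` with literal backslashes in the displayed title; unless this is an artefact of how the page was captured, it should be `Title: "3.3 Ensure a log metric filter and alarm exist for usage of \"root\" account"`. The reason strings in the new query use the plain `\"root\"` form and decode correctly, so only the title is affected. Separately, the root-usage regex requires the literal text `invokedBy NOT EXISTS` with single spaces, so a filter that is semantically identical but spaced differently would be reported as missing; if such filters occur in practice, `invokedBy\\s+NOT\\s+EXISTS` in place of that fragment accepts them.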
@@ -1,90 +1,13 @@ ID: aws_cis_v120_3_4 Title: "3.4 Ensure a log metric filter and alarm exist for IAM policy changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.' - else filter_name || ' forwards events for IAM policy changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*DeleteGroupPolicy.+\\$\\.eventName\\s*=\\s*DeleteRolePolicy.+\\$\\.eventName\\s*=\\s*DeleteUserPolicy.+\\$\\.eventName\\s*=\\s*PutGroupPolicy.+\\$\\.eventName\\s*=\\s*PutRolePolicy.+\\$\\.eventName\\s*=\\s*PutUserPolicy.+\\$\\.eventName\\s*=\\s*CreatePolicy.+\\$\\.eventName\\s*=\\s*DeletePolicy.+\\$\\.eventName\\s*=\\s*CreatePolicyVersion.+\\$\\.eventName\\s*=\\s*DeletePolicyVersion.+\\$\\.eventName\\s*=\\s*AttachRolePolicy.+\\$\\.eventName\\s*=\\s*DetachRolePolicy.+\\$\\.eventName\\s*=\\s*AttachUserPolicy.+\\$\\.eventName\\s*=\\s*DetachUserPolicy.+\\$\\.eventName\\s*=\\s*AttachGroupPolicy.+\\$\\.eventName\\s*=\\s*DetachGroupPolicy'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name 
= f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.'\n else filter_name || ' forwards events for IAM policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_3_6.yaml b/compliance/controls/pending/aws/aws_cis_v120_3_6.yaml index ef068dabc..ff4a1a786 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_3_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_3_6.yaml 
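Review bot: The rewritten QueryToExecute packs the 16-term IAM-policy regex and the whole query into one double-quoted line with doubled backslashes, which is much harder to review than the `QueryToExecute: |` block the removed lines used, and a literal block scalar is the idiomatic YAML for multi-line text. The new string contains `\n \n` just before `from`, i.e. a line holding a single space, and YAML emitters commonly fall back to quoted style when a multi-line value has trailing whitespace, so that stray space is presumably what triggered the format change. Stripping it (the same `\n \n` appears in the sibling 3.x controls) should let the serializer write the query as a block scalar again. The regex also requires the event names in exactly the CIS order with `.+` between them, so an otherwise-equivalent filter that lists them differently is reported as 'alarm'; a comment such as `# the filter_pattern regex expects the IAM events in CIS 1.2.0 order` would document that expectation for whoever tunes it.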
@@ -1,90 +1,13 @@ ID: aws_cis_v120_3_6 Title: "3.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, 
- case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.' - else f.filter_name || ' forwards events for console authentication failures.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*ConsoleLogin.+\\$\\.errorMessage\\s*=\\s*\"Failed authentication\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when 
f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.'\n else f.filter_name || ' forwards events for console authentication failures.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_3_7.yaml b/compliance/controls/pending/aws/aws_cis_v120_3_7.yaml index 0f4e3d86c..e3b15b499 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_3_7.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_3_7.yaml 
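Review bot: The trails CTE in the new query accepts a trail once one of its event selectors has `ReadWriteType = 'All'`, but it never checks that management events are included, which the CIS audit procedure for the 3.x controls asks for alongside the multi-region and is_logging checks already present. If the event_selectors JSON carries the AWS `IncludeManagementEvents` flag, adding `and (se ->> 'IncludeManagementEvents')::boolean` next to the ReadWriteType test closes the gap; otherwise a trail that records only data events could still count as the delivery path for the failed-login filter. The failed-authentication regex itself round-trips unchanged through the quoted YAML form, so the rewrite does not alter what the filter match requires.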
@@ -1,90 +1,13 @@ ID: aws_cis_v120_3_7 Title: "3.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn 
- ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for disabling/deletion of CMKs.' - else filter_name || ' forwards events for disabling/deletion of CMKs.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*kms.amazonaws.com.+\\$\\.eventName\\s*=\\s*DisableKey.+\\$\\.eventName\\s*=\\s*ScheduleKeyDeletion'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as 
resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for disabling/deletion of CMKs.'\n else filter_name || ' forwards events for disabling/deletion of CMKs.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_3_8.yaml b/compliance/controls/pending/aws/aws_cis_v120_3_8.yaml index d4c5e4b8e..5250b2a46 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_3_8.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_3_8.yaml 
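Review bot: The filter_data join in the new query treats any aws_sns_topic_subscription row with a matching topic_arn as a working alert path, without checking that the subscription is confirmed or that the alarm's actions are enabled. If that table surfaces unconfirmed subscriptions the way the SNS API does (a `PendingConfirmation` placeholder where the ARN would be), an account whose only subscriber never confirmed would still be reported 'ok' for CMK disable/deletion alerts; `and subscription.subscription_arn != 'PendingConfirmation'` on that join would exclude them, subject to confirming how the table represents such rows. A matching check on the alarm's actions-enabled flag (column name to be confirmed against aws_cloudwatch_alarm) would cover alarms whose actions have been switched off.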
@@ -1,90 +1,13 @@ ID: aws_cis_v120_3_8 Title: "3.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on 
f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for S3 bucket policy changes.' - else filter_name || ' forwards events for S3 bucket policy changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ 
'\\s*\\$\\.eventSource\\s*=\\s*s3.amazonaws.com.+\\$\\.eventName\\s*=\\s*PutBucketAcl.+\\$\\.eventName\\s*=\\s*PutBucketPolicy.+\\$\\.eventName\\s*=\\s*PutBucketCors.+\\$\\.eventName\\s*=\\s*PutBucketLifecycle.+\\$\\.eventName\\s*=\\s*PutBucketReplication.+\\$\\.eventName\\s*=\\s*DeleteBucketPolicy.+\\$\\.eventName\\s*=\\s*DeleteBucketCors.+\\$\\.eventName\\s*=\\s*DeleteBucketLifecycle.+\\$\\.eventName\\s*=\\s*DeleteBucketReplication'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for S3 bucket policy changes.'\n else filter_name || ' forwards events for S3 bucket policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_3_9.yaml b/compliance/controls/pending/aws/aws_cis_v120_3_9.yaml index d33319031..9bc3173c2 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_3_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_3_9.yaml 
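Review bot: The metric_filters and alarms CTEs in the new query carry no account_id, so filter_data matches a trail to any filter with the same log-group name and any alarm with the same metric name, regardless of which account owns them. The outer query joins aws_account by account_id, which suggests the tables hold several accounts at once; if so, a second account using identically named log group and metric would make this account report 'ok' for S3 bucket-policy alerts without having a filter of its own. Assuming those tables expose account_id as aws_cloudtrail_trail does, scoping both joins to the trail's account removes the false pass, while the subscription join is already account-safe because the SNS topic ARN embeds the account. The rewritten CTE lines follow, shown as the block scalar the removed lines used.
```yaml
  QueryToExecute: |
    with trails as (
      -- … unchanged: trails CTE …
    ),
    alarms as (
      select
        aws_cloudwatch_alarm.account_id,
        metric_name,
        action_arn as topic_arn
      from
        aws_cloudwatch_alarm,
        jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
      -- … unchanged: order by …
    ),
    topic_subscriptions as (
      -- … unchanged: topic_subscriptions CTE …
    ),
    metric_filters as (
      select
        filter.account_id,
        filter.name as filter_name,
        filter_pattern,
        log_group_name,
        metric_transformation_name
      from
        aws_cloudwatch_log_metric_filter as filter
      -- … unchanged: where clause with the S3 bucket filter_pattern regex, order by …
    ),
    filter_data as (
      select
        t.account_id,
        t.trail_name,
        f.filter_name
      from
        trails as t
        join metric_filters as f
          on f.log_group_name = t.log_group_name
          and f.account_id = t.account_id
        join alarms as alarm
          on alarm.metric_name = f.metric_transformation_name
          and alarm.account_id = t.account_id
        join topic_subscriptions as subscription
          on subscription.topic_arn = alarm.topic_arn
    )
    -- … unchanged: final select over aws_account …
```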
@@ -1,90 +1,13 @@ ID: aws_cis_v120_3_9 Title: "3.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as 
subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.' - else filter_name || ' forwards events for AWS Config configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*config.amazonaws.com.+\\$\\.eventName\\s*=\\s*StopConfigurationRecorder.+\\$\\.eventName\\s*=\\s*DeleteDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutConfigurationRecorder'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = 
f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.'\n else filter_name || ' forwards events for AWS Config configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v120_4_3.yaml b/compliance/controls/pending/aws/aws_cis_v120_4_3.yaml index 9ad11cff9..aa538a085 100755 --- a/compliance/controls/pending/aws/aws_cis_v120_4_3.yaml +++ b/compliance/controls/pending/aws/aws_cis_v120_4_3.yaml 
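Review bot: The Description context line still says the filter is for "detecting changes to CloudTrail's configurations", while the Title, the `config.amazonaws.com` eventSource and the StopConfigurationRecorder/DeleteDeliveryChannel/PutDeliveryChannel/PutConfigurationRecorder event names in the new query all target AWS Config, so the mismatch survives into the new file. Replacing the last sentence with `It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configuration.` makes the control read consistently in reports. The reason strings in the query already say 'AWS Config configuration changes', so only the Description is off.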
@@ -1,34 +1,13 @@ ID: aws_cis_v120_4_3 Title: "4.3 Ensure the default security group of every VPC restricts all traffic" Description: "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic. The default VPC in every region should have its default security group updated to comply. Any newly created VPCs will automatically contain a default security group that will need remediation to comply with this recommendation." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn resource, - case - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has inbound and outbound rules.' - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0 - then 'Default security group ' || group_id || ' has inbound rules.' - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has outbound rules.' - else 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- end reason - - - from - aws_vpc_security_group - where - group_name = 'default'; + QueryToExecute: "select\n arn resource,\n case\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has inbound and outbound rules.'\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0\n then 'Default security group ' || group_id || ' has inbound rules.'\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has outbound rules.'\n else 'Default security group ' || group_id || ' has no inbound or outbound rules.'\n end reason\n \n \nfrom\n aws_vpc_security_group\nwhere\n group_name = 'default';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_1_6.yaml b/compliance/controls/pending/aws/aws_cis_v130_1_6.yaml index 6f9a2a69c..ad363ebb5 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_1_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_1_6.yaml 
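Review bot: The new `QueryToExecute` collapses the `|` block scalar into one double-quoted line with `\n` escapes, which makes the SQL unreadable in review and forces every backslash to be doubled in the regex-bearing controls later in this diff (one missed escape silently changes a pattern); the idiomatic YAML form for embedded SQL is the block scalar the old side used, `QueryToExecute: |` followed by the indented statement. The same hunk also sets `Tags: {}`, `PrimaryTable: ""` and `ListOfTables: []`, dropping the CIS mapping and the table declaration for a query that reads `aws_vpc_security_group`. If that is deliberate for `pending/` controls, a comment such as `# pending: tags/tables intentionally unset until the control is promoted` would stop the next reader from treating it as a regression.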
@@ -1,28 +1,13 @@ ID: aws_cis_v130_1_6 Title: "1.6 Ensure hardware MFA is enabled for the \\\"root user\\\" account" Description: "The root user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || s.partition || ':::' || s.account_id as resource, - case - when s.account_mfa_enabled and d.serial_number is null then 'ok' - else 'alarm' - end status, - case - when s.account_mfa_enabled = false then 'MFA not enabled for root account.' - when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.' - else 'Hardware MFA device enabled for root account.' - end reason - - from - aws_iam_account_summary as s - left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root'; + QueryToExecute: "select\n 'arn:' || s.partition || ':::' || s.account_id as resource,\n case\n when s.account_mfa_enabled and d.serial_number is null then 'ok'\n else 'alarm'\n end status,\n case\n when s.account_mfa_enabled = false then 'MFA not enabled for root account.'\n when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'\n else 'Hardware MFA device enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary as s\n left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
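Review bot: The 'ok' branch `when s.account_mfa_enabled and d.serial_number is null` infers a hardware MFA purely from the absence of a root row in `aws_iam_virtual_mfa_device`, so an empty or partially collected virtual-device table (missing permission, collection failure) reports the root account as hardware-protected — a false pass on a Level 2 control. That assumption should be stated in the query, e.g. `-- hardware MFA is inferred: MFA enabled and no virtual device bound to root; an empty virtual-device table therefore yields 'ok'`. If the platform exposes a collection status for that table, gating the 'ok' branch on it would close the gap; I can't tell from this file whether it does. Note also that `ListOfTables: []` no longer declares either table the query depends on.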
diff --git a/compliance/controls/pending/aws/aws_cis_v130_1_9.yaml b/compliance/controls/pending/aws/aws_cis_v130_1_9.yaml index 843d057d3..c17625749 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_1_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_1_9.yaml @@ -1,28 +1,13 @@ ID: aws_cis_v130_1_9 Title: "1.9 Ensure IAM password policy prevents password reuse" Description: "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when password_reuse_prevention >= 24 then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - when password_reuse_prevention is null then 'Password reuse prevention not set.' - else 'Password reuse prevention set to ' || password_reuse_prevention || '.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when password_reuse_prevention >= 24 then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n when password_reuse_prevention is null then 'Password reuse prevention not set.'\n else 'Password reuse prevention set to ' || password_reuse_prevention || '.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_3_1.yaml b/compliance/controls/pending/aws/aws_cis_v130_3_1.yaml index fe130b0d3..bd042e1e5 100755 
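Review bot: `PrimaryTable: ""` and `ListOfTables: []` leave the control with no declared tables even though the query reads `aws_account` and `aws_iam_account_password_policy`; if the engine uses these fields for resource scoping or to decide what to collect (not visible from this file), the control cannot evaluate correctly. I'd restore `PrimaryTable: aws_account` and `ListOfTables: [aws_account, aws_iam_account_password_policy]` unless pending controls are deliberately left undeclared, in which case say so in a comment. The status/reason logic is unchanged from the old side, so the behaviour of the check itself is not affected by this hunk.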
--- a/compliance/controls/pending/aws/aws_cis_v130_3_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_3_1.yaml 
@@ -1,48 +1,13 @@ ID: aws_cis_v130_3_1 Title: "3.1 Ensure CloudTrail is enabled in all regions" Description: "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as e - where - (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All') - ), - advanced_event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements_text(advanced_event_selectors) as a - where - -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType - (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%')) - ) - select - a.title as resource, - case - when d.account_id is null and ad.account_id is null then 'alarm' - else 'ok' - end as status, - case - when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.' - else 'cloudtrail enabled.' 
- end as reason - - - from - aws_account as a - left join event_selectors_trail_details as d on d.account_id = a.account_id - left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id; + QueryToExecute: "with event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as e\n where\n (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All')\n),\nadvanced_event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements_text(advanced_event_selectors) as a\n where\n -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType\n (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%'))\n)\nselect\n a.title as resource,\n case\n when d.account_id is null and ad.account_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.'\n else 'cloudtrail enabled.'\n end as reason\n\n \nfrom\n aws_account as a\n left join event_selectors_trail_details as d on d.account_id = a.account_id\n left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_3_9.yaml b/compliance/controls/pending/aws/aws_cis_v130_3_9.yaml index 7d65f51bd..6a816f329 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_3_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_3_9.yaml 
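Review bot: Neither CTE verifies that management events are captured: `event_selectors_trail_details` only requires `ReadWriteType = 'All'`, and `advanced_event_selectors_trail_details` only excludes selectors whose text contains `readOnly`, so a multi-region trail whose selectors cover data events alone still marks the account 'ok'. For the basic selector add `and (e ->> 'IncludeManagementEvents')::boolean` to the where clause, and for advanced selectors require a management `eventCategory` in the selector text — confirm the exact field spelling against the collected JSON. The `not a like '%readOnly%'` substring test is also loose enough to deserve a comment explaining that it is treating any selector without that key as read+write, as the existing inline comment partly does.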
@@ -1,54 +1,13 @@ ID: aws_cis_v130_3_9 Title: "3.9 Ensure VPC flow logging is enabled in all VPCs" Description: "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \\\"Rejects\\\" for VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vpcs as ( - select - arn, - account_id, - region, - owner_id, - vpc_id, - tags, - _ctx - from - aws_vpc - order by - vpc_id - ), - flowlogs as ( - select - resource_id, - account_id, - region - from - aws_vpc_flow_log - order by - resource_id - ) - select - v.arn as resource, - case - when v.account_id <> v.owner_id then 'skip' - when f.resource_id is not null then 'ok' - else 'alarm' - end as status, - case - when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.' - when f.resource_id is not null then v.vpc_id || ' flow logging enabled.' - else v.vpc_id || ' flow logging disabled.' 
- end as reason - - - from - vpcs as v - left join flowlogs as f on v.vpc_id = f.resource_id; + QueryToExecute: "with vpcs as (\n select\n arn,\n account_id,\n region,\n owner_id,\n vpc_id,\n tags,\n _ctx\n from\n aws_vpc\n order by\n vpc_id\n),\nflowlogs as (\n select\n resource_id,\n account_id,\n region\n from\n aws_vpc_flow_log\n order by\n resource_id\n)\nselect\n v.arn as resource,\n case\n when v.account_id <> v.owner_id then 'skip'\n when f.resource_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.'\n when f.resource_id is not null then v.vpc_id || ' flow logging enabled.'\n else v.vpc_id || ' flow logging disabled.'\n end as reason\n \n \nfrom\n vpcs as v\n left join flowlogs as f on v.vpc_id = f.resource_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_1.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_1.yaml index bd73b0a08..c501325ab 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_1.yaml 
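Review bot: The `flowlogs` CTE accepts any row of `aws_vpc_flow_log` for the VPC, so a flow log capturing only accepted traffic satisfies the control even though the description says logging should cover packet "Rejects". Add a traffic-type predicate to that CTE (REJECT or ALL) — the column name is not visible in this file, so confirm it against the table schema before wiring it in. Separately, `tags` and `_ctx` are selected in `vpcs` but never used by the final select and can be dropped.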
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_1 Title: "4.1 Ensure a log metric filter and alarm exist for unauthorized API calls" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' 
|| a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.' - else filter_name || ' forwards events for unauthorized API calls.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\$\\.errorCode\\s*=\\s*\"\\*UnauthorizedOperation\".+\\$\\.errorCode\\s*=\\s*\"AccessDenied\\*\".+\\$\\.sourceIPAddress\\s*!=\\s*\"delivery.logs.amazonaws.com\".+\\$\\.eventName\\s*!=\\s*\"HeadBucket\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.'\n else filter_name || ' forwards events for unauthorized API calls.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_10.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_10.yaml index c799f1be7..58b839314 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_10.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_10.yaml 
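Review bot: The `topic_subscriptions` CTE treats any row of `aws_sns_topic_subscription` as a live notification path; it never checks that the subscription is confirmed, so if the collected table includes pending subscriptions the control passes with nobody receiving the alert. Add a predicate excluding unconfirmed rows (on the subscription ARN or a confirmation-status column — confirm which the table exposes) and, if available, require the alarm's actions to be enabled. The regex in the double-quoted string (`\\$\\.errorCode...\"\\*UnauthorizedOperation\"`) decodes to the same pattern as the old block scalar, so the match itself is unchanged by this hunk.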
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_10 Title: "4.10 Ensure a log metric filter and alarm exist for security group changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on 
f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.' - else filter_name || ' forwards events for security group changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*CreateSecurityGroup.+\\$\\.eventName\\s*=\\s*DeleteSecurityGroup'\n order by\n filter_name\n),\nfilter_data as (\n select\n 
t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.'\n else filter_name || ' forwards events for security group changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_11.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_11.yaml index a053da580..e244fc4c5 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_11.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_11.yaml 
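Review bot: The `trails` CTE expands only `trail.event_selectors` with `jsonb_array_elements`, so a trail configured through advanced event selectors (where the basic selector array is empty) produces no row and the account is reported 'alarm' even when the filter/alarm chain exists; the `aws_cis_v130_3_1` query in this same diff already handles `advanced_event_selectors` in a separate CTE. Either union a second CTE over `advanced_event_selectors` as 3.1 does, or document the limitation in the query with `-- trails configured via advanced event selectors are not recognised here`. The same `trails` CTE is duplicated in 4.1, 4.11, 4.12 and 4.14, so whichever fix is chosen belongs in all of them.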
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_11 Title: "4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = 
t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for changes to NACLs.' - else filter_name || ' forwards events for changes to NACLs.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateNetworkAcl.+\\$\\.eventName\\s*=\\s*CreateNetworkAclEntry.+\\$\\.eventName\\s*=\\s*DeleteNetworkAcl.+\\$\\.eventName\\s*=\\s*DeleteNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclAssociation'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n 
trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for changes to NACLs.'\n else filter_name || ' forwards events for changes to NACLs.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_12.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_12.yaml index b03c536de..c10c595a8 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_12.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_12.yaml 
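Review bot: `filter_data` joins `metric_filters` to `trails` on `log_group_name` alone, so in a multi-account dataset a metric filter in another account whose log group shares the name would satisfy the check; the `alarms` join on `metric_name` has the same weakness. Add the account to the join keys, e.g. `metric_filters as f on f.log_group_name = t.log_group_name and f.account_id = t.account_id` (assuming the filter and alarm tables expose `account_id` as `aws_cloudtrail_trail` does — confirm). The `order by` clauses inside each CTE do not affect the final result and can be removed.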
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_12 Title: "4.12 Ensure a log metric filter and alarm exist for changes to network gateways" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - 
alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for changes to network gateways.' - else filter_name || ' forwards events for changes to network gateways.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateCustomerGateway.+\\$\\.eventName\\s*=\\s*DeleteCustomerGateway.+\\$\\.eventName\\s*=\\s*AttachInternetGateway.+\\$\\.eventName\\s*=\\s*CreateInternetGateway.+\\$\\.eventName\\s*=\\s*DeleteInternetGateway.+\\$\\.eventName\\s*=\\s*DetachInternetGateway'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n 
trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for changes to network gateways.'\n else filter_name || ' forwards events for changes to network gateways.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_14.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_14.yaml index 9eb1052ab..300ca446e 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_14.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_14.yaml 
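Review bot: The `filter.filter_pattern ~ '...CreateCustomerGateway.+...DeleteCustomerGateway.+...'` regex is order-sensitive: a metric filter listing the same six gateway events in a different order fails the match and the account is reported 'alarm' despite having an equivalent filter. A more robust check tests each event independently, e.g. `and filter.filter_pattern ~ '\$\.eventName\s*=\s*CreateCustomerGateway'` repeated per event (with backslashes doubled in the double-quoted YAML string). At minimum, add a comment in the query stating that the pattern must list the events in the order given, since the failure mode is a silent false alarm rather than an error.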
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_14 Title: "4.14 Ensure a log metric filter and alarm exist for VPC changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for VPC changes.' - else filter_name || ' forwards events for VPC changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateVpc.+\\$\\.eventName\\s*=\\s*DeleteVpc.+\\$\\.eventName\\s*=\\s*ModifyVpcAttribute.+\\$\\.eventName\\s*=\\s*AcceptVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*CreateVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*DeleteVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*RejectVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*AttachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DetachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DisableVpcClassicLink.+\\$\\.eventName\\s*=\\s*EnableVpcClassicLink'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for VPC changes.'\n else filter_name || ' forwards events for VPC changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_15.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_15.yaml index 3b602e93c..255a92b23 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_15.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_15.yaml 
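Review bot: The metric_filters regex on the new QueryToExecute line only accepts event names written unquoted (`\\$\\.eventName\\s*=\\s*CreateVpc`), whereas CloudWatch filter syntax also accepts `$.eventName = "CreateVpc"`, and the 4.15 control in this same series already tolerates that form with `\"?…\"?`; a quoted but otherwise correct VPC filter is therefore reported as 'alarm'. The `.+` chain additionally pins the eleven eventName clauses to one fixed order, so a filter listing the same events in a different order, or split across two filters, also fails. Changing each term to the shape `\\$\\.eventName\\s*=\\s*\"?CreateVpc\"?` fixes the quoting; if order-independence is wanted, one `filter.filter_pattern ~ '…'` condition per event, joined with `and`, is the simplest route. Both issues are carried over from the old side rather than introduced by this commit.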
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_15 Title: "4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventSource\s*=\s*organizations.amazonaws.com.+\$\.eventName\s*=\s*"?AcceptHandshake"?.+\$\.eventName\s*=\s*"?AttachPolicy"?.+\$\.eventName\s*=\s*"?CreateAccount"?.+\$\.eventName\s*=\s*"?CreateOrganizationalUnit"?.+\$\.eventName\s*=\s*"?CreatePolicy"?.+\$\.eventName\s*=\s*"?DeclineHandshake"?.+\$\.eventName\s*=\s*"?DeleteOrganization"?.+\$\.eventName\s*=\s*"?DeleteOrganizationalUnit"?.+\$\.eventName\s*=\s*"?DeletePolicy"?.+\$\.eventName\s*=\s*"?DetachPolicy"?.+\$\.eventName\s*=\s*"?DisablePolicyType"?.+\$\.eventName\s*=\s*"?EnablePolicyType"?.+\$\.eventName\s*=\s*"?InviteAccountToOrganization"?.+\$\.eventName\s*=\s*"?LeaveOrganization"?.+\$\.eventName\s*=\s*"?MoveAccount"?.+\$\.eventName\s*=\s*"?RemoveAccountFromOrganization"?.+\$\.eventName\s*=\s*"?UpdatePolicy"?.+\$\.eventName\s*=\s*"?UpdateOrganizationalUnit"?' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.' - else filter_name || ' forwards relevant events for AWS Organizations changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ 
'\\s*\\$\\.eventSource\\s*=\\s*organizations.amazonaws.com.+\\$\\.eventName\\s*=\\s*\"?AcceptHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?AttachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?CreateAccount\"?.+\\$\\.eventName\\s*=\\s*\"?CreateOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?CreatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DeclineHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?DeletePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DetachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DisablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?EnablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?InviteAccountToOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?LeaveOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?MoveAccount\"?.+\\$\\.eventName\\s*=\\s*\"?RemoveAccountFromOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?UpdatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?UpdateOrganizationalUnit\"?'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.'\n else filter_name || ' forwards relevant events for AWS Organizations changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
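Review bot: The final select runs this check against every row of aws_account, but Organizations API calls are recorded in the management account's trail, so a member account with no organizations.amazonaws.com metric filter is reported as 'alarm' even though the Description scopes the control to the master account. Unless the aws_account table exposes whether an account is the organization's management account (not visible here), the 'alarm' reason should at least say that member accounts are expected to fail, e.g. `'No log metric filter and alarm exists for AWS Organizations changes (expected only in the management account).'`. Separately, `organizations.amazonaws.com` in the regex has unescaped dots; `organizations\\.amazonaws\\.com` is the intended literal match. Both points are unchanged from the old side.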
diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_2.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_2.yaml index bdd0500a3..be84d1bb3 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_2.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_2.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_2 Title: "4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\(\s*\$\.eventName\s*=\s*"ConsoleLogin"\)\s+&&\s+\(\s*\$.additionalEventData\.MFAUsed\s*!=\s*"Yes"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.' - else filter_name || ' forwards events for console sign-in without MFA.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\(\\s*\\$\\.eventName\\s*=\\s*\"ConsoleLogin\"\\)\\s+&&\\s+\\(\\s*\\$.additionalEventData\\.MFAUsed\\s*!=\\s*\"Yes\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null 
then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.'\n else filter_name || ' forwards events for console sign-in without MFA.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_4.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_4.yaml index 371f3d115..92e064cba 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_4.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_4.yaml 
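Review bot: In the new QueryToExecute string the second path expression is written `\\$.additionalEventData\\.MFAUsed`, with an unescaped `.` after `$`, which is inconsistent with `\\$\\.eventName` earlier in the same regex and lets any character stand between them; it should read `\\$\\.additionalEventData\\.MFAUsed`. The `\\s+&&\\s+` between the two clauses also demands whitespace on both sides of `&&`, so a valid filter written `("ConsoleLogin")&&(` is reported as 'alarm'; `\\s*&&\\s*` accepts both spellings. Because the value is now a YAML double-quoted scalar, each backslash stays doubled exactly as the new line already does. Both defects are carried over from the old side, not introduced by this commit.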
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_4 Title: "4.4 Ensure a log metric filter and alarm exist for IAM policy changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.' - else filter_name || ' forwards events for IAM policy changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*DeleteGroupPolicy.+\\$\\.eventName\\s*=\\s*DeleteRolePolicy.+\\$\\.eventName\\s*=\\s*DeleteUserPolicy.+\\$\\.eventName\\s*=\\s*PutGroupPolicy.+\\$\\.eventName\\s*=\\s*PutRolePolicy.+\\$\\.eventName\\s*=\\s*PutUserPolicy.+\\$\\.eventName\\s*=\\s*CreatePolicy.+\\$\\.eventName\\s*=\\s*DeletePolicy.+\\$\\.eventName\\s*=\\s*CreatePolicyVersion.+\\$\\.eventName\\s*=\\s*DeletePolicyVersion.+\\$\\.eventName\\s*=\\s*AttachRolePolicy.+\\$\\.eventName\\s*=\\s*DetachRolePolicy.+\\$\\.eventName\\s*=\\s*AttachUserPolicy.+\\$\\.eventName\\s*=\\s*DetachUserPolicy.+\\$\\.eventName\\s*=\\s*AttachGroupPolicy.+\\$\\.eventName\\s*=\\s*DetachGroupPolicy'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name 
= f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.'\n else filter_name || ' forwards events for IAM policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_5.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_5.yaml index eb723a9ba..82437a654 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_5.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_5.yaml 
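Review bot: The trails CTE cross-joins `jsonb_array_elements(trail.event_selectors)` and then requires `se ->> 'ReadWriteType' = 'All'`, so a multi-region logging trail whose event_selectors array is empty or null (for instance one configured through advanced event selectors, if this table reports those separately — not visible here) contributes no row, and the account is reported as 'alarm' even with a correct IAM-policy filter and alarm in place. The same predicate never checks that management events are included, which is the category every IAM policy event in this regex belongs to. A comment on the CTE would make the limitation explicit, e.g. `-- trails with empty/null event_selectors (e.g. advanced selectors) are skipped; confirm the table exposes them`, and a guard on the selector's IncludeManagementEvents field should be considered if that field is present. This is pre-existing behaviour that the rewrite preserves.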
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_5 Title: "4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) 
- select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for CloudTrail configuration changes.' - else filter_name || ' forwards events for CloudTrail configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateTrail.+\\$\\.eventName\\s*=\\s*UpdateTrail.+\\$\\.eventName\\s*=\\s*DeleteTrail.+\\$\\.eventName\\s*=\\s*StartLogging.+\\$\\.eventName\\s*=\\s*StopLogging'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = 
alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for CloudTrail configuration changes.'\n else filter_name || ' forwards events for CloudTrail configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_6.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_6.yaml index b1b07f33a..590ec9b7f 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_6.yaml 
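Review bot: The alarms CTE treats any ARN in `alarm_actions` that has a row in aws_sns_topic_subscription as a working notification path, but neither the alarm's actions-enabled state nor the subscription's confirmation state is checked, so a CloudTrail-change alarm whose actions are disabled, or whose only subscription is still pending confirmation, passes as 'ok'. Because this is the control that is supposed to catch StopLogging and DeleteTrail, a silently dead alarm here also undermines the other 4.x controls that depend on the same trail. If the alarm and subscription tables expose those states (not visible in this hunk), add them as predicates in the two CTEs; otherwise document the gap on the alarms CTE, e.g. `-- NOTE: does not verify alarm actions are enabled or that the subscription is confirmed`. This is unchanged behaviour from the old side.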
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_6 Title: "4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, 
- case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.' - else f.filter_name || ' forwards events for console authentication failures.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*ConsoleLogin.+\\$\\.errorMessage\\s*=\\s*\"Failed authentication\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when 
f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.'\n else f.filter_name || ' forwards events for console authentication failures.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_7.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_7.yaml index 8525c5225..04fbfd88f 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_7.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_7.yaml 
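Review bot: The new QueryToExecute collapses the former `|` block scalar into one double-quoted line with `\n` and doubled backslashes, which is hard to review: the regex `\\s*\\$\\.eventName\\s*=\\s*ConsoleLogin.+\\$\\.errorMessage\\s*=\\s*\"Failed authentication\"` must be unescaped once by YAML and again by the SQL engine before a reader can tell what it matches, and the line far exceeds any sensible line-length limit. The old side's `QueryToExecute: |` followed by the SQL verbatim is the idiomatic YAML for multi-line content, keeps the regex single-escaped, and yields the same string value (including the trailing newline), so restoring it loses nothing. If some tool in this repository requires the single-line form, a comment above the key saying so would stop the next maintainer from converting it back.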
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_7 Title: "4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn 
- ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for disabling/deletion of CMKs.' - else filter_name || ' forwards events for disabling/deletion of CMKs.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*kms.amazonaws.com.+\\$\\.eventName\\s*=\\s*DisableKey.+\\$\\.eventName\\s*=\\s*ScheduleKeyDeletion'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as 
resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for disabling/deletion of CMKs.'\n else filter_name || ' forwards events for disabling/deletion of CMKs.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_4_9.yaml b/compliance/controls/pending/aws/aws_cis_v130_4_9.yaml index 8c2c2c543..9ff6f9ec4 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_4_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_4_9.yaml 
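Review bot: The rewritten `QueryToExecute` at the start of this hunk turns a `|` block scalar into one double-quoted line of `\n` escapes with doubled backslashes (`'\\s*\\$\\.eventSource\\s*=\\s*kms.amazonaws.com…'`), which hides the SQL structure and makes the regex fragile on the next hand edit; the same rewrite appears in the 4.9, 5.1, 5.3, 1.6, 1.8, 1.9, 2.1.5 and 3.1 hunks below. The parsed value is the same either way, so keeping `QueryToExecute: |` with the SQL indented beneath it, as the removed lines had, is the safer serialization; if the generator must emit a flow scalar, the `\\s`/`\\$`/`\\.` pairs need to be checked after YAML unescaping so the pattern still reaches the regex engine as `\s*\$\.eventSource`. Separately, the reason branch here uses the unqualified `filter_name` while the preceding console-login hunk uses `f.filter_name`; `else f.filter_name || ' forwards events for disabling/deletion of CMKs.'` keeps the two consistent.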
@@ -1,90 +1,13 @@ ID: aws_cis_v130_4_9 Title: "4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as 
subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.' - else filter_name || ' forwards events for AWS Config configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*config.amazonaws.com.+\\$\\.eventName\\s*=\\s*StopConfigurationRecorder.+\\$\\.eventName\\s*=\\s*DeleteDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutConfigurationRecorder'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = 
f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.'\n else filter_name || ' forwards events for AWS Config configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_5_1.yaml b/compliance/controls/pending/aws/aws_cis_v130_5_1.yaml index 9a3e2ce64..f8be4531d 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_5_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_5_1.yaml 
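Review bot: The `Description` of this control still ends with "established for detecting changes to CloudTrail's configurations." although the `Title`, the `config.amazonaws.com` event source in the filter pattern and the reason strings all concern AWS Config, so the text appears to have been copied from the CloudTrail-configuration control. Ending it with `"… established for detecting changes to AWS Config's configuration."` would match what the query actually checks. The line is unchanged by this commit, but it is the only place a reader of the control sees its intent.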
@@ -1,86 +1,13 @@ ID: aws_cis_v130_5_1 Title: "5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports" Description: "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bad_rules as ( - select - network_acl_id, - count(*) as num_bad_rules, - tags, - region, - account_id - from - aws_vpc_network_acl, - jsonb_array_elements(entries) as att - where - att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress - and ( - att ->> 'CidrBlock' = '0.0.0.0/0' - or att ->> 'Ipv6CidrBlock' = '::/0' - ) - and att ->> 'RuleAction' = 'allow' - and ( - ( - att ->> 'Protocol' = '-1' -- all traffic - and att ->> 'PortRange' is null - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 22 - and (att -> 'PortRange' ->> 'To') :: int >= 22 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 3389 - and (att -> 'PortRange' ->> 'To') :: int >= 3389 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - ) - group by - network_acl_id, - region, - account_id, - tags - order by - network_acl_id, - region, - account_id, - tags - ), - aws_vpc_network_acls as ( - select - network_acl_id, - tags, - partition, - region, - account_id - from - aws_vpc_network_acl - order by - network_acl_id, - region, - account_id - ) - select - 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource, - case - when bad_rules.network_acl_id is null then 'ok' - else 'alarm' - end as status, - case - when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - end as reason - - - from - aws_vpc_network_acls as acl - left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id; + QueryToExecute: "with bad_rules as (\n select\n network_acl_id,\n count(*) as num_bad_rules,\n tags,\n region,\n account_id\n from\n aws_vpc_network_acl,\n jsonb_array_elements(entries) as att\n where\n att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress\n and (\n att ->> 'CidrBlock' = '0.0.0.0/0'\n or att ->> 'Ipv6CidrBlock' = '::/0'\n )\n and att ->> 'RuleAction' = 'allow'\n and (\n (\n att ->> 'Protocol' = '-1' -- all traffic\n and att ->> 'PortRange' is null\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 22\n and (att -> 'PortRange' ->> 'To') :: int >= 22\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 3389\n and (att -> 'PortRange' ->> 'To') :: int >= 3389\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n )\n group by\n network_acl_id,\n region,\n account_id,\n tags\n order by\n network_acl_id,\n region,\n account_id,\n tags\n),\naws_vpc_network_acls as (\n select\n network_acl_id,\n tags,\n partition,\n region,\n account_id\n from\n aws_vpc_network_acl\n order by\n network_acl_id,\n region,\n account_id\n)\nselect\n 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource,\n case\n when bad_rules.network_acl_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n end as reason\n \n \nfrom\n aws_vpc_network_acls as acl\n left join bad_rules 
on bad_rules.network_acl_id = acl.network_acl_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v130_5_3.yaml b/compliance/controls/pending/aws/aws_cis_v130_5_3.yaml index da668d5bf..ec187c1d5 100755 --- a/compliance/controls/pending/aws/aws_cis_v130_5_3.yaml +++ b/compliance/controls/pending/aws/aws_cis_v130_5_3.yaml 
@@ -1,34 +1,13 @@ ID: aws_cis_v130_5_3 Title: "5.3 Ensure the default security group of every VPC restricts all traffic" Description: "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn resource, - case - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has inbound and outbound rules.' - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0 - then 'Default security group ' || group_id || ' has inbound rules.' - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has outbound rules.' - else 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- end reason - - - from - aws_vpc_security_group - where - group_name = 'default'; + QueryToExecute: "select\n arn resource,\n case\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has inbound and outbound rules.'\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0\n then 'Default security group ' || group_id || ' has inbound rules.'\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has outbound rules.'\n else 'Default security group ' || group_id || ' has no inbound or outbound rules.'\n end reason\n \n \nfrom\n aws_vpc_security_group\nwhere\n group_name = 'default';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_1_6.yaml b/compliance/controls/pending/aws/aws_cis_v140_1_6.yaml index 5796c0c16..549e1fa34 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_1_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_1_6.yaml 
@@ -1,28 +1,13 @@ ID: aws_cis_v140_1_6 Title: "1.6 Ensure hardware MFA is enabled for the 'root' user account" Description: "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || s.partition || ':::' || s.account_id as resource, - case - when s.account_mfa_enabled and d.serial_number is null then 'ok' - else 'alarm' - end status, - case - when s.account_mfa_enabled = false then 'MFA not enabled for root account.' - when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.' - else 'Hardware MFA device enabled for root account.' - end reason - - from - aws_iam_account_summary as s - left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root'; + QueryToExecute: "select\n 'arn:' || s.partition || ':::' || s.account_id as resource,\n case\n when s.account_mfa_enabled and d.serial_number is null then 'ok'\n else 'alarm'\n end status,\n case\n when s.account_mfa_enabled = false then 'MFA not enabled for root account.'\n when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'\n else 'Hardware MFA device enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary as s\n left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
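Review bot: In the rewritten query the `status` case treats a null `s.account_mfa_enabled` as `'alarm'`, but the `reason` case tests `s.account_mfa_enabled = false`, so a null value would fall through to `'Hardware MFA device enabled for root account.'` while the row is alarmed; whether the column can be null is not visible in this hunk. Writing the first reason branch as `when s.account_mfa_enabled is not true then 'MFA not enabled for root account.'` makes the two cases agree for every value.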
diff --git a/compliance/controls/pending/aws/aws_cis_v140_1_8.yaml b/compliance/controls/pending/aws/aws_cis_v140_1_8.yaml index 7b1e9634e..26e7125ed 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_1_8.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_1_8.yaml @@ -1,27 +1,13 @@ ID: aws_cis_v140_1_8 Title: "1.8 Ensure IAM password policy requires minimum length of 14 or greater" Description: "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when minimum_password_length >= 14 then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - else 'Minimum password length set to ' || minimum_password_length || '.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when minimum_password_length >= 14 then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n else 'Minimum password length set to ' || minimum_password_length || '.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_1_9.yaml b/compliance/controls/pending/aws/aws_cis_v140_1_9.yaml index 0d36674b2..3e487fd40 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_1_9.yaml 
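Review bot: The reason branch `when minimum_password_length is null then 'No password policy set.'` infers the absence of a policy from one column of the left-joined `pol` row rather than from the join itself; the 1.9 hunk below does the same. Testing the join key directly, `when pol.account_id is null then 'No password policy set.'`, states the intent and does not depend on whether an existing policy can report a null minimum length. Qualifying the policy columns as `pol.minimum_password_length` would also make it clear which side of the join they come from.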
+++ b/compliance/controls/pending/aws/aws_cis_v140_1_9.yaml @@ -1,28 +1,13 @@ ID: aws_cis_v140_1_9 Title: "1.9 Ensure IAM password policy prevents password reuse" Description: "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when password_reuse_prevention >= 24 then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - when password_reuse_prevention is null then 'Password reuse prevention not set.' - else 'Password reuse prevention set to ' || password_reuse_prevention || '.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when password_reuse_prevention >= 24 then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n when password_reuse_prevention is null then 'Password reuse prevention not set.'\n else 'Password reuse prevention set to ' || password_reuse_prevention || '.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_2_1_5.yaml b/compliance/controls/pending/aws/aws_cis_v140_2_1_5.yaml index 0806d3ab9..47d17d856 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_2_1_5.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_2_1_5.yaml 
@@ -1,44 +1,13 @@ ID: aws_cis_v140_2_1_5 Title: "2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'" Description: "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - case - when (bucket.block_public_acls or s3account.block_public_acls) - and (bucket.block_public_policy or s3account.block_public_policy) - and (bucket.ignore_public_acls or s3account.ignore_public_acls) - and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) - then 'ok' - else 'alarm' - end as status, - case - when (bucket.block_public_acls or s3account.block_public_acls) - and (bucket.block_public_policy or s3account.block_public_policy) - and (bucket.ignore_public_acls or s3account.ignore_public_acls) - and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) - then name || ' all public access blocks enabled.' 
- else name || ' not enabled for: ' || - concat_ws(', ', - case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end, - case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end, - case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end, - case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end - ) || '.' - end as reason - - - from - aws_s3_bucket as bucket, - aws_s3_account_settings as s3account - where - s3account.account_id = bucket.account_id; + QueryToExecute: "select\n arn as resource,\n case\n when (bucket.block_public_acls or s3account.block_public_acls)\n and (bucket.block_public_policy or s3account.block_public_policy)\n and (bucket.ignore_public_acls or s3account.ignore_public_acls)\n and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)\n then 'ok'\n else 'alarm'\n end as status,\n case\n when (bucket.block_public_acls or s3account.block_public_acls)\n and (bucket.block_public_policy or s3account.block_public_policy)\n and (bucket.ignore_public_acls or s3account.ignore_public_acls)\n and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)\n then name || ' all public access blocks enabled.'\n else name || ' not enabled for: ' ||\n concat_ws(', ',\n case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end,\n case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end,\n case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end,\n case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end\n ) || '.'\n end as reason\n \n \nfrom\n aws_s3_bucket as bucket,\n aws_s3_account_settings as s3account\nwhere\n s3account.account_id = 
bucket.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_3_1.yaml b/compliance/controls/pending/aws/aws_cis_v140_3_1.yaml index 73dc054b9..203a8c9dc 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_3_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_3_1.yaml 
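Review bot: The final `from aws_s3_bucket as bucket, aws_s3_account_settings as s3account where s3account.account_id = bucket.account_id` is an inner join, so a bucket whose account has no row in `aws_s3_account_settings` disappears from the result instead of being evaluated; for a public-access control, a bucket that silently neither passes nor alarms is the wrong failure mode. Replacing it with `from aws_s3_bucket as bucket left join aws_s3_account_settings as s3account on s3account.account_id = bucket.account_id` keeps every bucket in the output, and with the existing `bucket.x or s3account.x` tests a null account-level setting then lands in the `'alarm'` branch, which is the conservative outcome. Whether the settings table can actually lack a row for an account is not visible in this hunk. The unqualified `arn` and `name` in the select list would also be clearer as `bucket.arn` and `bucket.name`.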
@@ -1,48 +1,13 @@ ID: aws_cis_v140_3_1 Title: "3.1 Ensure CloudTrail is enabled in all regions" Description: "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as e - where - (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All') - ), - advanced_event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements_text(advanced_event_selectors) as a - where - -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType - (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%')) - ) - select - a.title as resource, - case - when d.account_id is null and ad.account_id is null then 'alarm' - else 'ok' - end as status, - case - when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.' - else 'cloudtrail enabled.' 
- end as reason - - - from - aws_account as a - left join event_selectors_trail_details as d on d.account_id = a.account_id - left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id; + QueryToExecute: "with event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as e\n where\n (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All')\n),\nadvanced_event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements_text(advanced_event_selectors) as a\n where\n -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType\n (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%'))\n)\nselect\n a.title as resource,\n case\n when d.account_id is null and ad.account_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.'\n else 'cloudtrail enabled.'\n end as reason\n\n \nfrom\n aws_account as a\n left join event_selectors_trail_details as d on d.account_id = a.account_id\n left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_1.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_1.yaml index 1316b12e3..f2bb8e2c6 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_1.yaml 
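Review bot: The select emits `a.title as resource`, whereas the other account-level controls in this commit (1.6, 1.8, 1.9 and the 4.x metric-filter checks) emit `'arn:' || a.partition || ':::' || a.account_id as resource`, so anything that joins or de-duplicates findings on `resource` will not line this control up with the others. Using the same ARN expression here keeps the resource key uniform across the set. The reasons `'cloudtrail disabled.'` / `'cloudtrail enabled.'` are also the only bare, lower-case reasons in this commit; `'CloudTrail is not enabled in all regions.'` / `'CloudTrail is enabled in all regions.'` would read like the sibling controls and say what was actually checked.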
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_1 Title: "4.1 Ensure a log metric filter and alarm exist for unauthorized API calls" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' 
|| a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.' - else filter_name || ' forwards events for unauthorized API calls.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\$\\.errorCode\\s*=\\s*\"\\*UnauthorizedOperation\".+\\$\\.errorCode\\s*=\\s*\"AccessDenied\\*\".+\\$\\.sourceIPAddress\\s*!=\\s*\"delivery.logs.amazonaws.com\".+\\$\\.eventName\\s*!=\\s*\"HeadBucket\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.'\n else filter_name || ' forwards events for unauthorized API calls.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_10.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_10.yaml index bfa496b5c..ede022a53 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_10.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_10.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_10 Title: "4.10 Ensure a log metric filter and alarm exist for security group changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on 
f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.' - else filter_name || ' forwards events for security group changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*CreateSecurityGroup.+\\$\\.eventName\\s*=\\s*DeleteSecurityGroup'\n order by\n filter_name\n),\nfilter_data as (\n select\n 
t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.'\n else filter_name || ' forwards events for security group changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_11.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_11.yaml index 7886789f9..1cfa69d21 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_11.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_11.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_11 Title: "4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = 
t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for changes to NACLs.' - else filter_name || ' forwards events for changes to NACLs.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateNetworkAcl.+\\$\\.eventName\\s*=\\s*CreateNetworkAclEntry.+\\$\\.eventName\\s*=\\s*DeleteNetworkAcl.+\\$\\.eventName\\s*=\\s*DeleteNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclAssociation'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n 
trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for changes to NACLs.'\n else filter_name || ' forwards events for changes to NACLs.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_12.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_12.yaml index 11e68c131..5de37147e 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_12.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_12.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_12 Title: "4.12 Ensure a log metric filter and alarm exist for changes to network gateways" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - 
alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for changes to network gateways.' - else filter_name || ' forwards events for changes to network gateways.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateCustomerGateway.+\\$\\.eventName\\s*=\\s*DeleteCustomerGateway.+\\$\\.eventName\\s*=\\s*AttachInternetGateway.+\\$\\.eventName\\s*=\\s*CreateInternetGateway.+\\$\\.eventName\\s*=\\s*DeleteInternetGateway.+\\$\\.eventName\\s*=\\s*DetachInternetGateway'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n 
trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for changes to network gateways.'\n else filter_name || ' forwards events for changes to network gateways.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_13.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_13.yaml index 61163f834..6b818694b 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_13.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_13.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_13 Title: "4.13 Ensure a log metric filter and alarm exist for route table changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - 
alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for route table changes.' - else filter_name || ' forwards events for route table changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateRoute.+\\$\\.eventName\\s*=\\s*CreateRouteTable.+\\$\\.eventName\\s*=\\s*ReplaceRoute.+\\$\\.eventName\\s*=\\s*ReplaceRouteTableAssociation.+\\$\\.eventName\\s*=\\s*DeleteRouteTable.+\\$\\.eventName\\s*=\\s*DeleteRoute.+\\$\\.eventName\\s*=\\s*DisassociateRouteTable'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n 
trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for route table changes.'\n else filter_name || ' forwards events for route table changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_15.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_15.yaml index 09a418e00..77f741e79 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_15.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_15.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_15 Title: "4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventSource\s*=\s*organizations.amazonaws.com.+\$\.eventName\s*=\s*"?AcceptHandshake"?.+\$\.eventName\s*=\s*"?AttachPolicy"?.+\$\.eventName\s*=\s*"?CreateAccount"?.+\$\.eventName\s*=\s*"?CreateOrganizationalUnit"?.+\$\.eventName\s*=\s*"?CreatePolicy"?.+\$\.eventName\s*=\s*"?DeclineHandshake"?.+\$\.eventName\s*=\s*"?DeleteOrganization"?.+\$\.eventName\s*=\s*"?DeleteOrganizationalUnit"?.+\$\.eventName\s*=\s*"?DeletePolicy"?.+\$\.eventName\s*=\s*"?DetachPolicy"?.+\$\.eventName\s*=\s*"?DisablePolicyType"?.+\$\.eventName\s*=\s*"?EnablePolicyType"?.+\$\.eventName\s*=\s*"?InviteAccountToOrganization"?.+\$\.eventName\s*=\s*"?LeaveOrganization"?.+\$\.eventName\s*=\s*"?MoveAccount"?.+\$\.eventName\s*=\s*"?RemoveAccountFromOrganization"?.+\$\.eventName\s*=\s*"?UpdatePolicy"?.+\$\.eventName\s*=\s*"?UpdateOrganizationalUnit"?' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.' - else filter_name || ' forwards relevant events for AWS Organizations changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ 
'\\s*\\$\\.eventSource\\s*=\\s*organizations.amazonaws.com.+\\$\\.eventName\\s*=\\s*\"?AcceptHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?AttachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?CreateAccount\"?.+\\$\\.eventName\\s*=\\s*\"?CreateOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?CreatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DeclineHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?DeletePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DetachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DisablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?EnablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?InviteAccountToOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?LeaveOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?MoveAccount\"?.+\\$\\.eventName\\s*=\\s*\"?RemoveAccountFromOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?UpdatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?UpdateOrganizationalUnit\"?'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.'\n else filter_name || ' forwards relevant events for AWS Organizations changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_2.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_2.yaml index 3e3cd6b87..d9f81c56f 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_2.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_2.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_2 Title: "4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\(\s*\$\.eventName\s*=\s*"ConsoleLogin"\)\s+&&\s+\(\s*\$.additionalEventData\.MFAUsed\s*!=\s*"Yes"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.' - else filter_name || ' forwards events for console sign-in without MFA.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\(\\s*\\$\\.eventName\\s*=\\s*\"ConsoleLogin\"\\)\\s+&&\\s+\\(\\s*\\$.additionalEventData\\.MFAUsed\\s*!=\\s*\"Yes\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null 
then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.'\n else filter_name || ' forwards events for console sign-in without MFA.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_3.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_3.yaml index ffc74e246..6ba8be49a 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_3.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_3.yaml 
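Review bot: The new `QueryToExecute` value is a single double-quoted scalar with embedded `\n` and doubled backslashes (`\\s*\\$\\.eventName`) where the old side used a `|` block scalar; the same conversion is made in the 4_3, 4_4, 4_6, 4_9, 5_3, 1_20 and 1_6 hunks below. Every regex backslash now has to be written twice and read through two escaping layers, which is how the unescaped `.` in `\\$.additionalEventData` (every other separator in this pattern is `\\.`) slips through. Keeping the query as a `|-` block scalar would preserve the SQL verbatim, keep the diff line-oriented and avoid the whitespace-only `\n \n` lines the quoted form now carries. If the quoted form is required by the loader, at least make the separator consistent: `\\$\\.additionalEventData\\.MFAUsed`.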
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_3 Title: "4.3 Ensure a log metric filter and alarm exist for usage of 'root' account" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case 
- when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for usage of "root" account.' - else filter_name || ' forwards events for usage of "root" account.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.userIdentity\\.type\\s*=\\s*\"Root\".+\\$\\.userIdentity\\.invokedBy NOT EXISTS.+\\$\\.eventType\\s*!=\\s*\"AwsServiceEvent\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n 
case\n when f.trail_name is null then 'No log metric filter and alarm exist for usage of \"root\" account.'\n else filter_name || ' forwards events for usage of \"root\" account.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_4.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_4.yaml index 2b257192c..c1b450235 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_4.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_4.yaml 
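Review bot: The `filter_data` join treats any alarm whose `alarm_actions` contains a subscribed topic as satisfying the control, without checking that the alarm's actions are enabled, so a disabled alarm still yields `ok` for root-account usage. The same join chain is used in the 4_2, 4_4, 4_6 and 4_9 hunks. If `aws_cloudwatch_alarm` exposes an actions-enabled flag, the `alarms` CTE should filter on it, e.g. `where actions_enabled` after its `from` clause, and the subscription side has the analogous gap for unconfirmed subscriptions. Until then a short SQL comment in the CTE, `-- does not verify the alarm is enabled or the subscription is confirmed`, records the limitation.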
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_4 Title: "4.4 Ensure a log metric filter and alarm exist for IAM policy changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.' - else filter_name || ' forwards events for IAM policy changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*DeleteGroupPolicy.+\\$\\.eventName\\s*=\\s*DeleteRolePolicy.+\\$\\.eventName\\s*=\\s*DeleteUserPolicy.+\\$\\.eventName\\s*=\\s*PutGroupPolicy.+\\$\\.eventName\\s*=\\s*PutRolePolicy.+\\$\\.eventName\\s*=\\s*PutUserPolicy.+\\$\\.eventName\\s*=\\s*CreatePolicy.+\\$\\.eventName\\s*=\\s*DeletePolicy.+\\$\\.eventName\\s*=\\s*CreatePolicyVersion.+\\$\\.eventName\\s*=\\s*DeletePolicyVersion.+\\$\\.eventName\\s*=\\s*AttachRolePolicy.+\\$\\.eventName\\s*=\\s*DetachRolePolicy.+\\$\\.eventName\\s*=\\s*AttachUserPolicy.+\\$\\.eventName\\s*=\\s*DetachUserPolicy.+\\$\\.eventName\\s*=\\s*AttachGroupPolicy.+\\$\\.eventName\\s*=\\s*DetachGroupPolicy'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name 
= f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.'\n else filter_name || ' forwards events for IAM policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_6.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_6.yaml index 9efd4dbc7..2544fd4f8 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_6.yaml 
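Review bot: The `metric_filters` regex in this hunk chains sixteen `\\$\\.eventName\\s*=\\s*<name>` terms with `.+`, so it only matches a filter pattern that lists the IAM events in exactly this order; a filter covering the same events in a different order is reported as `alarm`. The 4_9 hunk has the same order dependence. Short of rewriting the match as per-event checks, the assumption should at least be stated in the query: `-- matches only the CIS-documented term order; a reordered filter is reported as missing`.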
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_6 Title: "4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, 
- case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.' - else f.filter_name || ' forwards events for console authentication failures.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*ConsoleLogin.+\\$\\.errorMessage\\s*=\\s*\"Failed authentication\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when 
f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.'\n else f.filter_name || ' forwards events for console authentication failures.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_4_9.yaml b/compliance/controls/pending/aws/aws_cis_v140_4_9.yaml index b68a72cc3..2de030d21 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_4_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_4_9.yaml 
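Review bot: The regex `\\$\\.eventName\\s*=\\s*ConsoleLogin.+` requires the event name to appear unquoted, so a filter written as `$.eventName = "ConsoleLogin"` — the spelling the 4_2 hunk itself expects — does not match and the account is reported as `alarm`. The Organizations pattern earlier in this diff already accepts both spellings with an optional quote, which is the consistent fix here: `\\$\\.eventName\\s*=\\s*\"?ConsoleLogin\"?.+`. The same unquoted-name matching is used in the 4_4 and 4_9 hunks.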
@@ -1,90 +1,13 @@ ID: aws_cis_v140_4_9 Title: "4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as 
subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.' - else filter_name || ' forwards events for AWS Config configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*config.amazonaws.com.+\\$\\.eventName\\s*=\\s*StopConfigurationRecorder.+\\$\\.eventName\\s*=\\s*DeleteDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutConfigurationRecorder'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = 
f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.'\n else filter_name || ' forwards events for AWS Config configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v140_5_3.yaml b/compliance/controls/pending/aws/aws_cis_v140_5_3.yaml index 6d28d1f88..660466c79 100755 --- a/compliance/controls/pending/aws/aws_cis_v140_5_3.yaml +++ b/compliance/controls/pending/aws/aws_cis_v140_5_3.yaml 
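Review bot: The `Description` says the control detects "changes to CloudTrail's configurations", but the `Title`, the `config.amazonaws.com` event source and the `StopConfigurationRecorder`/`PutDeliveryChannel` event names all target AWS Config; the sentence appears copied from the CloudTrail control and should read `... a metric filter and alarm be established for detecting changes to AWS Config's configuration.` Separately, the dots in `config.amazonaws.com` are unescaped regex wildcards while every other separator in the pattern is `\\.`; `config\\.amazonaws\\.com` keeps the match literal.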
@@ -1,34 +1,13 @@ ID: aws_cis_v140_5_3 Title: "5.3 Ensure the default security group of every VPC restricts all traffic" Description: "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn resource, - case - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has inbound and outbound rules.' - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0 - then 'Default security group ' || group_id || ' has inbound rules.' - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has outbound rules.' - else 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- end reason - - - from - aws_vpc_security_group - where - group_name = 'default'; + QueryToExecute: "select\n arn resource,\n case\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has inbound and outbound rules.'\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0\n then 'Default security group ' || group_id || ' has inbound rules.'\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has outbound rules.'\n else 'Default security group ' || group_id || ' has no inbound or outbound rules.'\n end reason\n \n \nfrom\n aws_vpc_security_group\nwhere\n group_name = 'default';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v150_1_20.yaml b/compliance/controls/pending/aws/aws_cis_v150_1_20.yaml index 72e58ecb7..214efc044 100755 --- a/compliance/controls/pending/aws/aws_cis_v150_1_20.yaml +++ b/compliance/controls/pending/aws/aws_cis_v150_1_20.yaml 
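Review bot: `status` is derived from `jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0`, so if either column is null for a default security group the comparison is null, the row falls to `alarm`, and the `reason` case — where every `> 0` test is also null — lands in the `else` branch saying the group has no inbound or outbound rules. Whether these columns can be null is not visible here, but wrapping both in `coalesce(jsonb_array_length(ip_permissions), 0)` (and the egress counterpart) makes status and reason agree in that case. The quoted scalar also carries two whitespace-only lines (`\n \n \n`) before `from` that were blank lines in the block form and can simply be dropped.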
@@ -1,30 +1,13 @@ ID: aws_cis_v150_1_20 Title: "1.20 Ensure that IAM Access analyzer is enabled for all regions" Description: "Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, - case - -- Skip any regions that are disabled in the account. - when r.opt_in_status = 'not-opted-in' then 'skip' - when aa.arn is not null then 'ok' - else 'alarm' - end as status, - case - when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.' - when aa.arn is not null then aa.name || ' enabled in ' || r.region || '.' - else 'Access Analyzer not enabled in ' || r.region || '.' 
- end as reason - - from - aws_region as r - left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region; + QueryToExecute: "select\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\n case\n -- Skip any regions that are disabled in the account.\n when r.opt_in_status = 'not-opted-in' then 'skip'\n when aa.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'\n when aa.arn is not null then aa.name || ' enabled in ' || r.region || '.'\n else 'Access Analyzer not enabled in ' || r.region || '.'\n end as reason\n \nfrom\n aws_region as r\n left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v150_1_6.yaml b/compliance/controls/pending/aws/aws_cis_v150_1_6.yaml index 1a7b6a5c5..d015b27db 100755 --- a/compliance/controls/pending/aws/aws_cis_v150_1_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v150_1_6.yaml 
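Review bot: An analyzer is counted as `ok` solely because `aa.arn is not null`, so a region whose analyzer exists but is not active still passes the control. If `aws_accessanalyzer_analyzer` exposes the analyzer status, the check should be `when aa.arn is not null and aa.status = 'ACTIVE' then 'ok'` with a matching `reason` branch; otherwise a comment such as `-- presence only; analyzer status is not checked` should record the limitation next to the existing `-- Skip any regions ...` comment.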
@@ -1,28 +1,13 @@ ID: aws_cis_v150_1_6 Title: "1.6 Ensure hardware MFA is enabled for the 'root' user account" Description: "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || s.partition || ':::' || s.account_id as resource, - case - when s.account_mfa_enabled and d.serial_number is null then 'ok' - else 'alarm' - end status, - case - when s.account_mfa_enabled = false then 'MFA not enabled for root account.' - when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.' - else 'Hardware MFA device enabled for root account.' - end reason - - from - aws_iam_account_summary as s - left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root'; + QueryToExecute: "select\n 'arn:' || s.partition || ':::' || s.account_id as resource,\n case\n when s.account_mfa_enabled and d.serial_number is null then 'ok'\n else 'alarm'\n end status,\n case\n when s.account_mfa_enabled = false then 'MFA not enabled for root account.'\n when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'\n else 'Hardware MFA device enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary as s\n left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
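Review bot: The `status` case tests `s.account_mfa_enabled and d.serial_number is null`, but the `reason` case tests `s.account_mfa_enabled = false`; if `account_mfa_enabled` is null, status becomes `alarm` while the reason falls through to `Hardware MFA device enabled for root account.` Whether the column can be null is not visible here, but `when s.account_mfa_enabled is not true then 'MFA not enabled for root account.'` makes the two cases agree for every value. The hardware-vs-virtual distinction rests only on no virtual device being assigned to the root ARN, which deserves a one-line comment in the query: `-- hardware MFA is inferred from the absence of a virtual device assigned to root`.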
diff --git a/compliance/controls/pending/aws/aws_cis_v150_2_1_5.yaml b/compliance/controls/pending/aws/aws_cis_v150_2_1_5.yaml
index 942487544..ba301e748 100755
--- a/compliance/controls/pending/aws/aws_cis_v150_2_1_5.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v150_2_1_5.yaml
@@ -1,44 +1,13 @@
 ID: aws_cis_v150_2_1_5
 Title: "2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'"
 Description: "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- case
- when (bucket.block_public_acls or s3account.block_public_acls)
- and (bucket.block_public_policy or s3account.block_public_policy)
- and (bucket.ignore_public_acls or s3account.ignore_public_acls)
- and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)
- then 'ok'
- else 'alarm'
- end as status,
- case
- when (bucket.block_public_acls or s3account.block_public_acls)
- and (bucket.block_public_policy or s3account.block_public_policy)
- and (bucket.ignore_public_acls or s3account.ignore_public_acls)
- and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)
- then name || ' all public access blocks enabled.'
- else name || ' not enabled for: ' ||
- concat_ws(', ',
- case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end,
- case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end,
- case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end,
- case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end
- ) || '.'
- end as reason
-
-
- from
- aws_s3_bucket as bucket,
- aws_s3_account_settings as s3account
- where
- s3account.account_id = bucket.account_id;
+ QueryToExecute: "select\n arn as resource,\n case\n when (bucket.block_public_acls or s3account.block_public_acls)\n and (bucket.block_public_policy or s3account.block_public_policy)\n and (bucket.ignore_public_acls or s3account.ignore_public_acls)\n and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)\n then 'ok'\n else 'alarm'\n end as status,\n case\n when (bucket.block_public_acls or s3account.block_public_acls)\n and (bucket.block_public_policy or s3account.block_public_policy)\n and (bucket.ignore_public_acls or s3account.ignore_public_acls)\n and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)\n then name || ' all public access blocks enabled.'\n else name || ' not enabled for: ' ||\n concat_ws(', ',\n case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end,\n case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end,\n case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end,\n case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end\n ) || '.'\n end as reason\n \n \nfrom\n aws_s3_bucket as bucket,\n aws_s3_account_settings as s3account\nwhere\n s3account.account_id = bucket.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v150_3_1.yaml b/compliance/controls/pending/aws/aws_cis_v150_3_1.yaml
index d49017522..0259ae021 100755
--- a/compliance/controls/pending/aws/aws_cis_v150_3_1.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v150_3_1.yaml
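Review bot: The comma join `from aws_s3_bucket as bucket, aws_s3_account_settings as s3account where s3account.account_id = bucket.account_id` is an inner join, so a bucket whose account has no row in `aws_s3_account_settings` drops out of the result entirely instead of being reported as 'alarm' — a silent gap rather than a finding. Whether the settings table always yields one row per account is not visible here, so this should be confirmed; a `left join` removes the dependency either way: `from aws_s3_bucket as bucket left join aws_s3_account_settings as s3account on s3account.account_id = bucket.account_id`, with each account flag read as `coalesce(s3account.<flag>, false)` so the missing-settings case evaluates to false rather than null in both the status and the `concat_ws` reason. The rest of the hunk only re-serialises the query.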
@@ -1,48 +1,13 @@
 ID: aws_cis_v150_3_1
 Title: "3.1 Ensure CloudTrail is enabled in all regions"
 Description: "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with event_selectors_trail_details as (
- select
- distinct account_id
- from
- aws_cloudtrail_trail,
- jsonb_array_elements(event_selectors) as e
- where
- (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All')
- ),
- advanced_event_selectors_trail_details as (
- select
- distinct account_id
- from
- aws_cloudtrail_trail,
- jsonb_array_elements_text(advanced_event_selectors) as a
- where
- -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType
- (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%'))
- )
- select
- a.title as resource,
- case
- when d.account_id is null and ad.account_id is null then 'alarm'
- else 'ok'
- end as status,
- case
- when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.'
- else 'cloudtrail enabled.'
- end as reason
-
-
- from
- aws_account as a
- left join event_selectors_trail_details as d on d.account_id = a.account_id
- left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id;
+ QueryToExecute: "with event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as e\n where\n (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All')\n),\nadvanced_event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements_text(advanced_event_selectors) as a\n where\n -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType\n (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%'))\n)\nselect\n a.title as resource,\n case\n when d.account_id is null and ad.account_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.'\n else 'cloudtrail enabled.'\n end as reason\n\n \nfrom\n aws_account as a\n left join event_selectors_trail_details as d on d.account_id = a.account_id\n left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v150_4_1.yaml b/compliance/controls/pending/aws/aws_cis_v150_4_1.yaml
index fc0dd2540..e4eabff7a 100755
--- a/compliance/controls/pending/aws/aws_cis_v150_4_1.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v150_4_1.yaml
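Review bot: `event_selectors_trail_details` tests only `e ->> 'ReadWriteType' = 'All'`, so a multi-region trail whose selector has management events switched off (data events only) still satisfies the control although no management-API history is being recorded; add `and e ->> 'IncludeManagementEvents' = 'true'` to that predicate. The `advanced_event_selectors_trail_details` CTE has the mirror gap: `not a like '%readOnly%'` treats any selector element without a readOnly field as full coverage, including one that selects only the Data event category, so it should additionally require the management category — something like `and a like '%Management%'`, subject to confirming how `jsonb_array_elements_text` renders the field selectors in this schema. Both CTEs are carried over unchanged on the new side, so these are pre-existing gaps that this re-serialisation preserves.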
@@ -1,90 +1,13 @@
 ID: aws_cis_v150_4_1
 Title: "4.1 Ensure a log metric filter and alarm exist for unauthorized API calls"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.'
- else filter_name || ' forwards events for unauthorized API calls.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\$\\.errorCode\\s*=\\s*\"\\*UnauthorizedOperation\".+\\$\\.errorCode\\s*=\\s*\"AccessDenied\\*\".+\\$\\.sourceIPAddress\\s*!=\\s*\"delivery.logs.amazonaws.com\".+\\$\\.eventName\\s*!=\\s*\"HeadBucket\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.'\n else filter_name || ' forwards events for unauthorized API calls.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v150_4_11.yaml b/compliance/controls/pending/aws/aws_cis_v150_4_11.yaml
index da3d08968..13bc370a7 100755
--- a/compliance/controls/pending/aws/aws_cis_v150_4_11.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v150_4_11.yaml
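Review bot: `topic_subscriptions` accepts every row of `aws_sns_topic_subscription`, so an SNS subscription that was never confirmed still lets the account pass, and `alarms` never checks that the alarm's actions are enabled; CIS 4.1 asks for an alarm with at least one active subscriber, so a filter whose alarm can never page anyone is currently reported 'ok'. Filter both, e.g. `where subscription_arn <> 'PendingConfirmation'` in `topic_subscriptions` (the SNS API reports unconfirmed subscriptions with that placeholder ARN — confirm the table surfaces it the same way) and `where actions_enabled` in `alarms` if the CloudQL schema exposes that column. The `order by` clauses inside the four CTEs have no effect on the joins and only add sort work; they can be dropped.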
@@ -1,90 +1,13 @@
 ID: aws_cis_v150_4_11
 Title: "4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exist for changes to NACLs.'
- else filter_name || ' forwards events for changes to NACLs.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateNetworkAcl.+\\$\\.eventName\\s*=\\s*CreateNetworkAclEntry.+\\$\\.eventName\\s*=\\s*DeleteNetworkAcl.+\\$\\.eventName\\s*=\\s*DeleteNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclAssociation'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for changes to NACLs.'\n else filter_name || ' forwards events for changes to NACLs.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v150_4_12.yaml b/compliance/controls/pending/aws/aws_cis_v150_4_12.yaml
index f42cff869..f7b888b77 100755
--- a/compliance/controls/pending/aws/aws_cis_v150_4_12.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v150_4_12.yaml
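Review bot: `alarms` is joined to `metric_filters` on `alarm.metric_name = f.metric_transformation_name` alone, with no namespace, so an alarm on an unrelated metric that merely shares the name satisfies the check for a NACL filter that has no alarm of its own, and the account is reported 'ok'. Select the namespace in both CTEs and join on it as well, e.g. `alarms as alarm on alarm.metric_name = f.metric_transformation_name and alarm.namespace = f.metric_transformation_namespace` — the exact column names are a property of the CloudQL schema and are not visible in this hunk, so verify them before applying. The identical join is repeated verbatim in the sibling 4.x controls in this change, so whichever fix is chosen should be applied to all of them together.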
@@ -1,90 +1,13 @@
 ID: aws_cis_v150_4_12
 Title: "4.12 Ensure a log metric filter and alarm exist for changes to network gateways"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateCustomerGateway.+\$\.eventName\s*=\s*DeleteCustomerGateway.+\$\.eventName\s*=\s*AttachInternetGateway.+\$\.eventName\s*=\s*CreateInternetGateway.+\$\.eventName\s*=\s*DeleteInternetGateway.+\$\.eventName\s*=\s*DetachInternetGateway'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exist for changes to network gateways.'
- else filter_name || ' forwards events for changes to network gateways.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateCustomerGateway.+\\$\\.eventName\\s*=\\s*DeleteCustomerGateway.+\\$\\.eventName\\s*=\\s*AttachInternetGateway.+\\$\\.eventName\\s*=\\s*CreateInternetGateway.+\\$\\.eventName\\s*=\\s*DeleteInternetGateway.+\\$\\.eventName\\s*=\\s*DetachInternetGateway'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for changes to network gateways.'\n else filter_name || ' forwards events for changes to network gateways.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v150_4_13.yaml b/compliance/controls/pending/aws/aws_cis_v150_4_13.yaml
index 7dd47b9ec..7faa36488 100755
--- a/compliance/controls/pending/aws/aws_cis_v150_4_13.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v150_4_13.yaml
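Review bot: The `metric_filters` regex requires the six gateway event names unquoted and in exactly this order, whereas the 4.15 control in this same change allows optional quotes with `"?` around each name; a filter written as `($.eventName = "CreateCustomerGateway") || ...`, or one listing the same six events in a different order, is therefore reported as missing although it forwards exactly the required events. Make each term tolerate quotes for consistency with 4.15, e.g. `\$\.eventName\s*=\s*"?CreateCustomerGateway"?` (written with doubled backslashes and `\"` now that the YAML value is double-quoted), and consider matching each event name independently rather than positionally. This is a false-alarm risk rather than a bypass, but it trains operators to ignore the control.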
@@ -1,90 +1,13 @@
 ID: aws_cis_v150_4_13
 Title: "4.13 Ensure a log metric filter and alarm exist for route table changes"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exist for route table changes.'
- else filter_name || ' forwards events for route table changes.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateRoute.+\\$\\.eventName\\s*=\\s*CreateRouteTable.+\\$\\.eventName\\s*=\\s*ReplaceRoute.+\\$\\.eventName\\s*=\\s*ReplaceRouteTableAssociation.+\\$\\.eventName\\s*=\\s*DeleteRouteTable.+\\$\\.eventName\\s*=\\s*DeleteRoute.+\\$\\.eventName\\s*=\\s*DisassociateRouteTable'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for route table changes.'\n else filter_name || ' forwards events for route table changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v150_4_15.yaml b/compliance/controls/pending/aws/aws_cis_v150_4_15.yaml
index d9c3f71cb..8ace5ef92 100755
--- a/compliance/controls/pending/aws/aws_cis_v150_4_15.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v150_4_15.yaml
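Review bot: `filter_data` yields one row per matching (trail, filter, alarm action, subscription) combination, and the final `select distinct` includes `filter_name` through the reason column, so an account with two qualifying filters, or one filter whose alarm fans out to several topics, is emitted more than once with differing reasons rather than as a single result. Aggregate before reporting — `select distinct on (a.account_id) ...` with an explicit `order by`, or group by the account and build the reason with `string_agg(distinct f.filter_name, ', ')` — so each account produces exactly one row. As a minor note, the regex matches event names as prefixes (`CreateRoute.+` is also satisfied by `CreateRouteTable`); a word boundary such as `\y` after each name would make the seven terms independent, though with all seven required in order this is unlikely to change outcomes in practice.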
@@ -1,90 +1,13 @@
 ID: aws_cis_v150_4_15
 Title: "4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*organizations.amazonaws.com.+\$\.eventName\s*=\s*"?AcceptHandshake"?.+\$\.eventName\s*=\s*"?AttachPolicy"?.+\$\.eventName\s*=\s*"?CreateAccount"?.+\$\.eventName\s*=\s*"?CreateOrganizationalUnit"?.+\$\.eventName\s*=\s*"?CreatePolicy"?.+\$\.eventName\s*=\s*"?DeclineHandshake"?.+\$\.eventName\s*=\s*"?DeleteOrganization"?.+\$\.eventName\s*=\s*"?DeleteOrganizationalUnit"?.+\$\.eventName\s*=\s*"?DeletePolicy"?.+\$\.eventName\s*=\s*"?DetachPolicy"?.+\$\.eventName\s*=\s*"?DisablePolicyType"?.+\$\.eventName\s*=\s*"?EnablePolicyType"?.+\$\.eventName\s*=\s*"?InviteAccountToOrganization"?.+\$\.eventName\s*=\s*"?LeaveOrganization"?.+\$\.eventName\s*=\s*"?MoveAccount"?.+\$\.eventName\s*=\s*"?RemoveAccountFromOrganization"?.+\$\.eventName\s*=\s*"?UpdatePolicy"?.+\$\.eventName\s*=\s*"?UpdateOrganizationalUnit"?'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.'
- else filter_name || ' forwards relevant events for AWS Organizations changes.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*organizations.amazonaws.com.+\\$\\.eventName\\s*=\\s*\"?AcceptHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?AttachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?CreateAccount\"?.+\\$\\.eventName\\s*=\\s*\"?CreateOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?CreatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DeclineHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?DeletePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DetachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DisablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?EnablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?InviteAccountToOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?LeaveOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?MoveAccount\"?.+\\$\\.eventName\\s*=\\s*\"?RemoveAccountFromOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?UpdatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?UpdateOrganizationalUnit\"?'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.'\n else filter_name || ' forwards relevant events for AWS Organizations changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
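Review bot: The final `select` runs over every row of `aws_account`, yet the description scopes this requirement to the master account and most of the listed Organizations actions (CreateAccount, AttachPolicy, MoveAccount, and so on) can only be invoked from the management account, so every member account will be reported 'alarm' for a filter that would never fire there. Restrict evaluation to the management account — for instance by joining `aws_account` against the organization's master account id if the CloudQL schema exposes it — or state in the reason text that member accounts are out of scope, so the finding is actionable rather than noise. On the positive side, this regex tolerates optional quotes (`"?`) around each event name, which the 4.11–4.13 patterns in this same change do not; that more robust form should be applied to them too.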
diff --git a/compliance/controls/pending/aws/aws_cis_v150_4_2.yaml b/compliance/controls/pending/aws/aws_cis_v150_4_2.yaml
index 7219a8c2f..245c12a8e 100755
--- a/compliance/controls/pending/aws/aws_cis_v150_4_2.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v150_4_2.yaml
@@ -1,90 +1,13 @@ ID: aws_cis_v150_4_2 Title: "4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\(\s*\$\.eventName\s*=\s*"ConsoleLogin"\)\s+&&\s+\(\s*\$.additionalEventData\.MFAUsed\s*!=\s*"Yes"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.' - else filter_name || ' forwards events for console sign-in without MFA.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\(\\s*\\$\\.eventName\\s*=\\s*\"ConsoleLogin\"\\)\\s+&&\\s+\\(\\s*\\$.additionalEventData\\.MFAUsed\\s*!=\\s*\"Yes\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null 
then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.'\n else filter_name || ' forwards events for console sign-in without MFA.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v150_4_4.yaml b/compliance/controls/pending/aws/aws_cis_v150_4_4.yaml index 37f5cbd90..2c509b3e4 100755 --- a/compliance/controls/pending/aws/aws_cis_v150_4_4.yaml +++ b/compliance/controls/pending/aws/aws_cis_v150_4_4.yaml 
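Review bot: Rewriting `QueryToExecute` from a `|` block scalar into one double-quoted line forces every regex backslash to be doubled and every SQL double quote to be escaped (`'\\(\\s*\\$\\.eventName\\s*=\\s*\"ConsoleLogin\"...`), which makes the metric-filter patterns hard to audit and easy to break on the next edit; the same rewrite is repeated in the 4.4, 4.6, 4.9, 5.1, 1.22, 1.6, 1.9 and 3.1 hunks below. Both scalar styles load to the identical string, so keeping `QueryToExecute: |` with the SQL indented beneath it costs nothing. Separately, `\\$.additionalEventData` leaves the `.` after `\\$` unescaped, so it matches any character instead of the literal dot; `\\$\\.additionalEventData` is what the rest of the pattern uses.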
@@ -1,90 +1,13 @@ ID: aws_cis_v150_4_4 Title: "4.4 Ensure a log metric filter and alarm exist for IAM policy changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.' - else filter_name || ' forwards events for IAM policy changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*DeleteGroupPolicy.+\\$\\.eventName\\s*=\\s*DeleteRolePolicy.+\\$\\.eventName\\s*=\\s*DeleteUserPolicy.+\\$\\.eventName\\s*=\\s*PutGroupPolicy.+\\$\\.eventName\\s*=\\s*PutRolePolicy.+\\$\\.eventName\\s*=\\s*PutUserPolicy.+\\$\\.eventName\\s*=\\s*CreatePolicy.+\\$\\.eventName\\s*=\\s*DeletePolicy.+\\$\\.eventName\\s*=\\s*CreatePolicyVersion.+\\$\\.eventName\\s*=\\s*DeletePolicyVersion.+\\$\\.eventName\\s*=\\s*AttachRolePolicy.+\\$\\.eventName\\s*=\\s*DetachRolePolicy.+\\$\\.eventName\\s*=\\s*AttachUserPolicy.+\\$\\.eventName\\s*=\\s*DetachUserPolicy.+\\$\\.eventName\\s*=\\s*AttachGroupPolicy.+\\$\\.eventName\\s*=\\s*DetachGroupPolicy'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name 
= f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.'\n else filter_name || ' forwards events for IAM policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v150_4_6.yaml b/compliance/controls/pending/aws/aws_cis_v150_4_6.yaml index 8bdee0833..084a647c1 100755 --- a/compliance/controls/pending/aws/aws_cis_v150_4_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v150_4_6.yaml 
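Review bot: The filter regex chains the sixteen IAM event names with `.+` in one fixed order, so a metric filter that lists the same events in any other order, or quotes them (`$.eventName = "PutUserPolicy"`), is reported as `No log metric filter and alarm exist for IAM policy changes.` even though it covers them. CloudWatch evaluates the pattern as a disjunction, so order and quoting do not change what it alerts on; matching each event with its own `filter_pattern ~` term combined with `and`, or at least tolerating quotes with `\"?` as the Organizations pattern earlier in this commit does, would avoid the false alarm. The Description also reads `be established changes made to`; it should be `be established for changes made to`.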
@@ -1,90 +1,13 @@ ID: aws_cis_v150_4_6 Title: "4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, 
- case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.' - else f.filter_name || ' forwards events for console authentication failures.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*ConsoleLogin.+\\$\\.errorMessage\\s*=\\s*\"Failed authentication\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when 
f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.'\n else f.filter_name || ' forwards events for console authentication failures.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v150_4_9.yaml b/compliance/controls/pending/aws/aws_cis_v150_4_9.yaml index eaeaff030..e17e2e44a 100755 --- a/compliance/controls/pending/aws/aws_cis_v150_4_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v150_4_9.yaml 
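Review bot: `\\$\\.eventName\\s*=\\s*ConsoleLogin.+` accepts only an unquoted value, so a filter written as `$.eventName = "ConsoleLogin"` — which CloudWatch accepts and which the 4.2 pattern in this commit expects — is reported as missing; `\\s*=\\s*\"?ConsoleLogin\"?.+` covers both forms. The reason column here qualifies `f.filter_name`, while the 4.2, 4.4 and 4.9 hunks use a bare `filter_name`; qualifying it everywhere keeps the five queries consistent.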
@@ -1,90 +1,13 @@ ID: aws_cis_v150_4_9 Title: "4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as 
subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.' - else filter_name || ' forwards events for AWS Config configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*config.amazonaws.com.+\\$\\.eventName\\s*=\\s*StopConfigurationRecorder.+\\$\\.eventName\\s*=\\s*DeleteDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutConfigurationRecorder'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = 
f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.'\n else filter_name || ' forwards events for AWS Config configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v150_5_1.yaml b/compliance/controls/pending/aws/aws_cis_v150_5_1.yaml index 00dd0b299..9fe61ba6a 100755 --- a/compliance/controls/pending/aws/aws_cis_v150_5_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v150_5_1.yaml 
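Review bot: The Description says the filter is for `detecting changes to CloudTrail's configurations`, but the Title, the regex (`eventSource = config.amazonaws.com`, `StopConfigurationRecorder`, `DeleteDeliveryChannel`, `PutDeliveryChannel`, `PutConfigurationRecorder`) and the reason text are all about AWS Config; the sentence looks copied from the CloudTrail control and should read `... for detecting changes to AWS Config's configuration.` The regex also leaves the dots in `config.amazonaws.com` unescaped, which over-matches harmlessly but is inconsistent with the escaped `\\$\\.eventName` in the same pattern.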
@@ -1,86 +1,13 @@ ID: aws_cis_v150_5_1 Title: "5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports" Description: "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bad_rules as ( - select - network_acl_id, - count(*) as num_bad_rules, - tags, - region, - account_id - from - aws_vpc_network_acl, - jsonb_array_elements(entries) as att - where - att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress - and ( - att ->> 'CidrBlock' = '0.0.0.0/0' - or att ->> 'Ipv6CidrBlock' = '::/0' - ) - and att ->> 'RuleAction' = 'allow' - and ( - ( - att ->> 'Protocol' = '-1' -- all traffic - and att ->> 'PortRange' is null - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 22 - and (att -> 'PortRange' ->> 'To') :: int >= 22 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 3389 - and (att -> 'PortRange' ->> 'To') :: int >= 3389 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - ) - group by - network_acl_id, - region, - account_id, - tags - order by - network_acl_id, - region, - account_id, - tags - ), - aws_vpc_network_acls as ( - select - network_acl_id, - tags, - partition, - region, - account_id - from - aws_vpc_network_acl - order by - network_acl_id, - region, - account_id - ) - select - 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource, - case - when bad_rules.network_acl_id is null then 'ok' - else 'alarm' - end as status, - case - when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - end as reason - - - from - aws_vpc_network_acls as acl - left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id; + QueryToExecute: "with bad_rules as (\n select\n network_acl_id,\n count(*) as num_bad_rules,\n tags,\n region,\n account_id\n from\n aws_vpc_network_acl,\n jsonb_array_elements(entries) as att\n where\n att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress\n and (\n att ->> 'CidrBlock' = '0.0.0.0/0'\n or att ->> 'Ipv6CidrBlock' = '::/0'\n )\n and att ->> 'RuleAction' = 'allow'\n and (\n (\n att ->> 'Protocol' = '-1' -- all traffic\n and att ->> 'PortRange' is null\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 22\n and (att -> 'PortRange' ->> 'To') :: int >= 22\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 3389\n and (att -> 'PortRange' ->> 'To') :: int >= 3389\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n )\n group by\n network_acl_id,\n region,\n account_id,\n tags\n order by\n network_acl_id,\n region,\n account_id,\n tags\n),\naws_vpc_network_acls as (\n select\n network_acl_id,\n tags,\n partition,\n region,\n account_id\n from\n aws_vpc_network_acl\n order by\n network_acl_id,\n region,\n account_id\n)\nselect\n 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource,\n case\n when bad_rules.network_acl_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n end as reason\n \n \nfrom\n aws_vpc_network_acls as acl\n left join bad_rules 
on bad_rules.network_acl_id = acl.network_acl_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_1_22.yaml b/compliance/controls/pending/aws/aws_cis_v200_1_22.yaml index 405f2d0e8..09a162a78 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_1_22.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_1_22.yaml 
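Review bot: The `bad_rules` CTE evaluates each NACL entry on its own and never reads `RuleNumber`, so an allow entry for 0.0.0.0/0 or ::/0 that is shadowed by a lower-numbered deny entry is still counted in `num_bad_rules` and the ACL is reported as `alarm`; if the intent is to mirror how NACLs actually evaluate, exclude allow entries preceded by a matching deny, otherwise state in the reason text that rule order is ignored. `PrimaryTable: ""` and `ListOfTables: []` are also left empty while the query reads `aws_vpc_network_acl`; the same holds for every pending control in this commit, and if the engine uses these fields for scoping or permission checks the controls will be mis-scoped, so this is worth confirming before they leave `pending`.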
@@ -1,54 +1,13 @@ ID: aws_cis_v200_1_22 Title: "1.22 Ensure access to AWSCloudShellFullAccess is restricted" Description: "AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm' - else 'ok' - end status, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'User ' || title || ' has access to AWSCloudShellFullAccess.' - else 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.' - end as reason - - from - aws_iam_user - union - select - arn as resource, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm' - else 'ok' - end status, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Role ' || title || ' has access to AWSCloudShellFullAccess.' - else 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.' - end as reason - - from - aws_iam_role - union - select - arn as resource, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm' - else 'ok' - end status, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Group ' || title || ' has access to AWSCloudShellFullAccess.' - else 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.' 
- end as reason - - from - aws_iam_group; + QueryToExecute: "select\n arn as resource,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'User ' || title || ' has access to AWSCloudShellFullAccess.'\n else 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.'\n end as reason\n \nfrom\n aws_iam_user\nunion\nselect\n arn as resource,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'Role ' || title || ' has access to AWSCloudShellFullAccess.'\n else 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.'\n end as reason\n \nfrom\n aws_iam_role\nunion\nselect\n arn as resource,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'Group ' || title || ' has access to AWSCloudShellFullAccess.'\n else 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.'\n end as reason\n \nfrom\n aws_iam_group;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_1_6.yaml b/compliance/controls/pending/aws/aws_cis_v200_1_6.yaml index 2f9cc2ced..968b88758 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_1_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_1_6.yaml 
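Review bot: The managed-policy ARN is hard-coded as `arn:aws:iam::aws:policy/AWSCloudShellFullAccess` in all three `union` branches, so in the GovCloud and China partitions, where the managed policy ARN carries the `aws-us-gov`/`aws-cn` partition, every user, role and group is reported as `restricted` regardless of attachment. The other queries in this commit build ARNs from the `partition` column; assuming the IAM tables expose it too, `attached_policy_arns @> ('[\"arn:' || partition || ':iam::aws:policy/AWSCloudShellFullAccess\"]')::jsonb` removes that assumption. The check also sees only directly attached managed policies, so an inline policy granting the same `cloudshell:*` actions is not detected — worth stating in the Description if that narrower scope is intended.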
@@ -1,28 +1,13 @@
 ID: aws_cis_v200_1_6
 Title: "1.6 Ensure hardware MFA is enabled for the 'root' user account"
 Description: "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || s.partition || ':::' || s.account_id as resource,
- case
- when s.account_mfa_enabled and d.serial_number is null then 'ok'
- else 'alarm'
- end status,
- case
- when s.account_mfa_enabled = false then 'MFA not enabled for root account.'
- when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'
- else 'Hardware MFA device enabled for root account.'
- end reason
-
- from
- aws_iam_account_summary as s
- left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';
+ QueryToExecute: "select\n 'arn:' || s.partition || ':::' || s.account_id as resource,\n case\n when s.account_mfa_enabled and d.serial_number is null then 'ok'\n else 'alarm'\n end status,\n case\n when s.account_mfa_enabled = false then 'MFA not enabled for root account.'\n when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'\n else 'Hardware MFA device enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary as s\n left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
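Review bot: `left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = ... ':root'` yields one row per virtual device assigned to root, and since AWS allows several MFA devices per identity an account with two virtual devices is emitted twice for the same resource, which can double-count the alarm. Collapsing the device table to one row per root ARN before the join keeps a single row per account; the `case` expressions then test the derived flag instead of `d.serial_number`. The result for accounts with zero or one virtual device is unchanged.
```sql
-- … unchanged: select / resource column …
case
  when s.account_mfa_enabled and d.has_virtual is null then 'ok'
  else 'alarm'
end status,
case
  when s.account_mfa_enabled = false then 'MFA not enabled for root account.'
  when d.has_virtual then 'MFA enabled for root account, but the MFA associated is a virtual device.'
  else 'Hardware MFA device enabled for root account.'
end reason
from
  aws_iam_account_summary as s
  left join (
    select distinct (v.user ->> 'Arn') as root_arn, true as has_virtual
    from aws_iam_virtual_mfa_device as v
  ) as d on d.root_arn = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';
```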
diff --git a/compliance/controls/pending/aws/aws_cis_v200_1_9.yaml b/compliance/controls/pending/aws/aws_cis_v200_1_9.yaml
index d405edf4f..b9b56f70c 100755
--- a/compliance/controls/pending/aws/aws_cis_v200_1_9.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v200_1_9.yaml
@@ -1,28 +1,13 @@
 ID: aws_cis_v200_1_9
 Title: "1.9 Ensure IAM password policy prevents password reuse"
 Description: "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when password_reuse_prevention >= 24 then 'ok'
- else 'alarm'
- end as status,
- case
- when minimum_password_length is null then 'No password policy set.'
- when password_reuse_prevention is null then 'Password reuse prevention not set.'
- else 'Password reuse prevention set to ' || password_reuse_prevention || '.'
- end as reason
-
- from
- aws_account as a
- left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
+ QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when password_reuse_prevention >= 24 then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n when password_reuse_prevention is null then 'Password reuse prevention not set.'\n else 'Password reuse prevention set to ' || password_reuse_prevention || '.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v200_3_1.yaml b/compliance/controls/pending/aws/aws_cis_v200_3_1.yaml
index 483f132bc..70fc875d0 100755
--- a/compliance/controls/pending/aws/aws_cis_v200_3_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_3_1.yaml 
@@ -1,48 +1,13 @@ ID: aws_cis_v200_3_1 Title: "3.1 Ensure CloudTrail is enabled in all regions" Description: "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as e - where - (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All') - ), - advanced_event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements_text(advanced_event_selectors) as a - where - -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType - (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%')) - ) - select - a.title as resource, - case - when d.account_id is null and ad.account_id is null then 'alarm' - else 'ok' - end as status, - case - when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.' - else 'cloudtrail enabled.' 
- end as reason - - - from - aws_account as a - left join event_selectors_trail_details as d on d.account_id = a.account_id - left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id; + QueryToExecute: "with event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as e\n where\n (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All')\n),\nadvanced_event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements_text(advanced_event_selectors) as a\n where\n -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType\n (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%'))\n)\nselect\n a.title as resource,\n case\n when d.account_id is null and ad.account_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.'\n else 'cloudtrail enabled.'\n end as reason\n\n \nfrom\n aws_account as a\n left join event_selectors_trail_details as d on d.account_id = a.account_id\n left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_1.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_1.yaml index dd1389272..a2dff6f23 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_1.yaml 
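Review bot: The advanced_event_selectors_trail_details CTE accepts any advanced selector that merely lacks a `readOnly` field (`not a like '%readOnly%'`), so a multi-region trail whose only selector is a data-event selector without a readOnly filter still grades the account 'ok' although management events are not being recorded. If the selector JSON is serialized with its FieldSelectors, adding a test such as `and a like '%"Management"%'` (eventCategory = Management) would require the selector to actually cover management events — confirm the column shape before relying on that string. The resource column here is `a.title`, while the sibling controls in this patch emit `'arn:' || a.partition || ':::' || a.account_id`; using the same ARN form keeps findings joinable across controls.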
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_1 Title: "4.1 Ensure unauthorized API calls are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id 
as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.' - else filter_name || ' forwards events for unauthorized API calls.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\$\\.errorCode\\s*=\\s*\"\\*UnauthorizedOperation\".+\\$\\.errorCode\\s*=\\s*\"AccessDenied\\*\".+\\$\\.sourceIPAddress\\s*!=\\s*\"delivery.logs.amazonaws.com\".+\\$\\.eventName\\s*!=\\s*\"HeadBucket\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as 
resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.'\n else filter_name || ' forwards events for unauthorized API calls.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_10.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_10.yaml index 671b3d9c4..d1cba93c2 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_10.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_10.yaml 
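Review bot: The filter_data CTE joins trails to metric_filters, alarms and topic_subscriptions on log group name, metric name and topic ARN only, and none of those three CTEs carries `account_id`, so if the tables hold several accounts a filter, alarm or subscription with the same names in a different account satisfies the check for an account that has none. Selecting `account_id` in the alarms, topic_subscriptions and metric_filters CTEs and adding `and f.account_id = t.account_id` (and the same for alarm and subscription) scopes the evidence to the account being graded. Because the regex now lives inside a double-quoted YAML scalar, each `\\$` and `\\s` is doubled; one dropped backslash silently stops every filter from matching and turns the control into a blanket alarm, which is a further reason to keep the SQL in a `|` block scalar.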
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_10 Title: "4.10 Ensure security group changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on 
alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.' - else filter_name || ' forwards events for security group changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*CreateSecurityGroup.+\\$\\.eventName\\s*=\\s*DeleteSecurityGroup'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n 
join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.'\n else filter_name || ' forwards events for security group changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_11.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_11.yaml index e9a272da7..1b50ae973 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_11.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_11.yaml 
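Review bot: The `filter_pattern ~ '...'` regex only matches a pattern whose clauses appear in exactly this order (AuthorizeSecurityGroupIngress, AuthorizeSecurityGroupEgress, Revoke…, Create…, Delete…), so a filter listing the same six event names in another order, or writing them quoted as `$.eventName = "CreateSecurityGroup"`, is reported as 'No log metric filter and alarm exist for security group changes.' although it covers every event. Testing each event name with its own `~` term joined by `and`, in the `"?Name"?` form the 4.15 regex below already uses (e.g. `filter_pattern ~ '\$\.eventName\s*=\s*"?AuthorizeSecurityGroupIngress"?'`), makes the check order- and quote-insensitive. The leading `\s*` contributes nothing to an unanchored match and can be dropped.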
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_11 Title: "4.11 Ensure Network Access Control Lists (NACL) changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateNetworkAcl.+\$\.eventName\s*=\s*CreateNetworkAclEntry.+\$\.eventName\s*=\s*DeleteNetworkAcl.+\$\.eventName\s*=\s*DeleteNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclEntry.+\$\.eventName\s*=\s*ReplaceNetworkAclAssociation' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - 
join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for changes to NACLs.' - else filter_name || ' forwards events for changes to NACLs.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateNetworkAcl.+\\$\\.eventName\\s*=\\s*CreateNetworkAclEntry.+\\$\\.eventName\\s*=\\s*DeleteNetworkAcl.+\\$\\.eventName\\s*=\\s*DeleteNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclAssociation'\n order by\n filter_name\n),\nfilter_data as (\n select\n 
t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for changes to NACLs.'\n else filter_name || ' forwards events for changes to NACLs.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_13.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_13.yaml index 810c4f299..e21b459b4 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_13.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_13.yaml 
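Review bot: The topic_subscriptions join only proves that some subscription row exists for the alarm's topic; it does not check that the subscription is confirmed, so a topic whose only subscriber never confirmed still grades the account 'ok' although nobody receives the NACL-change alarm. In the SNS API an unconfirmed subscription reports the literal `PendingConfirmation` as its SubscriptionArn; if aws_sns_topic_subscription mirrors that, `where subscription_arn <> 'PendingConfirmation'` in the CTE aligns the check with the intent of CIS 4.11, which wants an active subscriber — verify against the table schema. ListOfTables is now `[]` while the query reads aws_cloudtrail_trail, aws_cloudwatch_alarm, aws_sns_topic_subscription, aws_cloudwatch_log_metric_filter and aws_account; listing them keeps the control's dependencies declared.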
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_13 Title: "4.13 Ensure route table changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as 
f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for route table changes.' - else filter_name || ' forwards events for route table changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateRoute.+\\$\\.eventName\\s*=\\s*CreateRouteTable.+\\$\\.eventName\\s*=\\s*ReplaceRoute.+\\$\\.eventName\\s*=\\s*ReplaceRouteTableAssociation.+\\$\\.eventName\\s*=\\s*DeleteRouteTable.+\\$\\.eventName\\s*=\\s*DeleteRoute.+\\$\\.eventName\\s*=\\s*DisassociateRouteTable'\n order by\n filter_name\n),\nfilter_data as (\n select\n 
t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for route table changes.'\n else filter_name || ' forwards events for route table changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_14.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_14.yaml index 1e7149ca9..700c05607 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_14.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_14.yaml 
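Review bot: The trails CTE only qualifies trails that carry a classic event selector with `se ->> 'ReadWriteType' = 'All'` (`jsonb_array_elements(trail.event_selectors) as se`), so a multi-region trail configured with advanced event selectors — which the 3.1 control in this patch explicitly handles through `advanced_event_selectors` — produces no rows here and the account is graded 'alarm' even when its route-table metric filter, alarm and subscription are all in place. Mirroring the 3.1 logic with a second CTE over `advanced_event_selectors` and unioning it into trails removes that false alarm. The `order by` clauses inside the CTEs have no effect on the joined result and can be dropped.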
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_14 Title: "4.14 Ensure VPC changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*CreateVpc.+\$\.eventName\s*=\s*DeleteVpc.+\$\.eventName\s*=\s*ModifyVpcAttribute.+\$\.eventName\s*=\s*AcceptVpcPeeringConnection.+\$\.eventName\s*=\s*CreateVpcPeeringConnection.+\$\.eventName\s*=\s*DeleteVpcPeeringConnection.+\$\.eventName\s*=\s*RejectVpcPeeringConnection.+\$\.eventName\s*=\s*AttachClassicLinkVpc.+\$\.eventName\s*=\s*DetachClassicLinkVpc.+\$\.eventName\s*=\s*DisableVpcClassicLink.+\$\.eventName\s*=\s*EnableVpcClassicLink' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for VPC changes.' - else filter_name || ' forwards events for VPC changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateVpc.+\\$\\.eventName\\s*=\\s*DeleteVpc.+\\$\\.eventName\\s*=\\s*ModifyVpcAttribute.+\\$\\.eventName\\s*=\\s*AcceptVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*CreateVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*DeleteVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*RejectVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*AttachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DetachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DisableVpcClassicLink.+\\$\\.eventName\\s*=\\s*EnableVpcClassicLink'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || 
a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for VPC changes.'\n else filter_name || ' forwards events for VPC changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_15.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_15.yaml index 930622beb..0660b5ee3 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_15.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_15.yaml 
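Review bot: The final `select distinct` keys on resource, status and reason, and reason embeds `filter_name`, so an account with two matching metric filters yields two 'ok' rows for the same resource ARN; if the consumer expects one row per resource this double-counts the account. Aggregating filter_data per account before the join (e.g. `string_agg(f.filter_name, ', ') … group by t.account_id`) gives one row naming every matching filter. The `.+` between clauses in the regex also admits arbitrary extra text, so the match is loose in what it accepts while still being brittle about clause order.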
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_15 Title: "4.15 Ensure AWS Organizations changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventSource\s*=\s*organizations.amazonaws.com.+\$\.eventName\s*=\s*"?AcceptHandshake"?.+\$\.eventName\s*=\s*"?AttachPolicy"?.+\$\.eventName\s*=\s*"?CreateAccount"?.+\$\.eventName\s*=\s*"?CreateOrganizationalUnit"?.+\$\.eventName\s*=\s*"?CreatePolicy"?.+\$\.eventName\s*=\s*"?DeclineHandshake"?.+\$\.eventName\s*=\s*"?DeleteOrganization"?.+\$\.eventName\s*=\s*"?DeleteOrganizationalUnit"?.+\$\.eventName\s*=\s*"?DeletePolicy"?.+\$\.eventName\s*=\s*"?DetachPolicy"?.+\$\.eventName\s*=\s*"?DisablePolicyType"?.+\$\.eventName\s*=\s*"?EnablePolicyType"?.+\$\.eventName\s*=\s*"?InviteAccountToOrganization"?.+\$\.eventName\s*=\s*"?LeaveOrganization"?.+\$\.eventName\s*=\s*"?MoveAccount"?.+\$\.eventName\s*=\s*"?RemoveAccountFromOrganization"?.+\$\.eventName\s*=\s*"?UpdatePolicy"?.+\$\.eventName\s*=\s*"?UpdateOrganizationalUnit"?' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.' - else filter_name || ' forwards relevant events for AWS Organizations changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ 
'\\s*\\$\\.eventSource\\s*=\\s*organizations.amazonaws.com.+\\$\\.eventName\\s*=\\s*\"?AcceptHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?AttachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?CreateAccount\"?.+\\$\\.eventName\\s*=\\s*\"?CreateOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?CreatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DeclineHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?DeletePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DetachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DisablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?EnablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?InviteAccountToOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?LeaveOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?MoveAccount\"?.+\\$\\.eventName\\s*=\\s*\"?RemoveAccountFromOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?UpdatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?UpdateOrganizationalUnit\"?'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.'\n else filter_name || ' forwards relevant events for AWS Organizations changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
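Review bot: Rewriting `QueryToExecute` as one double-quoted scalar with `\n` separators and doubled backslashes makes the metric-filter regex on the new side (`\\$\\.eventName\\s*=\\s*\"?AcceptHandshake\"?`) much harder to review than the removed block scalar, where it read as plain SQL; I decoded the new escapes against the removed lines and they match, but the same conversion is repeated in the hunks for aws_cis_v200_4_16, 4_2, 4_4, 4_5, 4_7 and 4_8, and every future pattern edit now has to get YAML escaping right as well as the regex. Keeping `QueryToExecute: |` (or `|-` if the trailing newline is unwanted) would preserve readability with no change in the loaded value. Separately, the context lines `PrimaryTable: ""` and `ListOfTables: []` survive in all of these pending controls although the query reads `aws_cloudtrail_trail`, `aws_cloudwatch_alarm`, `aws_sns_topic_subscription`, `aws_cloudwatch_log_metric_filter` and `aws_account`; the controls under compliance/controls/aws in this same diff populate those keys, so a consumer that uses them to scope which tables are collected or queried may never evaluate these controls.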
diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_16.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_16.yaml index 424522b00..c2c4f8a0c 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_16.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_16.yaml 
@@ -1,32 +1,13 @@ ID: aws_cis_v200_4_16 Title: "4.16 Ensure AWS Security Hub is enabled" Description: "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, - case - when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then 'skip' - -- Skip any regions that are disabled in the account. - when r.opt_in_status = 'not-opted-in' then 'skip' - when h.hub_arn is not null then 'ok' - else 'alarm' - end as status, - case - when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then r.region || ' region not supported.' - when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.' - when h.hub_arn is not null then 'Security Hub enabled in ' || r.region || '.' - else 'Security Hub disabled in ' || r.region || '.' 
- end as reason - - from - aws_region as r - left join aws_securityhub_hub as h on r.account_id = h.account_id and r.name = h.region; + QueryToExecute: "select\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\n case\n when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then 'skip'\n -- Skip any regions that are disabled in the account.\n when r.opt_in_status = 'not-opted-in' then 'skip'\n when h.hub_arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then r.region || ' region not supported.'\n when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'\n when h.hub_arn is not null then 'Security Hub enabled in ' || r.region || '.'\n else 'Security Hub disabled in ' || r.region || '.'\n end as reason\n \nfrom\n aws_region as r\n left join aws_securityhub_hub as h on r.account_id = h.account_id and r.name = h.region;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_2.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_2.yaml index 0aacddafd..268830d46 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_2.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_2.yaml 
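Review bot: The first `case` branch turns every region in the literal list `array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']` into `skip`, and nothing in the file records why those regions are treated as unsupported or when that was last checked; if Security Hub has since become available in any of them, an account with it disabled there is reported as `skip` instead of `alarm`, which is the silent-gap direction a compliance control should avoid. A dated comment above the query would at least make the assumption reviewable, e.g. `# Regions below are skipped as Security Hub-unsupported; verified on <DATE>, re-check when AWS adds regions.`. The existing SQL comment `-- Skip any regions that are disabled in the account.` sits between the two `skip` branches and only describes the second one, so it is worth moving it below the first branch where it belongs.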
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_2 Title: "4.2 Ensure management console sign-in without MFA is monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\(\s*\$\.eventName\s*=\s*"ConsoleLogin"\)\s+&&\s+\(\s*\$.additionalEventData\.MFAUsed\s*!=\s*"Yes"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - 
else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.' - else filter_name || ' forwards events for console sign-in without MFA.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\(\\s*\\$\\.eventName\\s*=\\s*\"ConsoleLogin\"\\)\\s+&&\\s+\\(\\s*\\$.additionalEventData\\.MFAUsed\\s*!=\\s*\"Yes\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric 
filter and alarm exist for console sign-in without MFA.'\n else filter_name || ' forwards events for console sign-in without MFA.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_4.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_4.yaml index 2d5d6e64b..f1a0a17b6 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_4.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_4.yaml 
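Review bot: Inside the metric-filter regex the second JSON path is written `\\$.additionalEventData\\.MFAUsed` while the first is `\\$\\.eventName`; the unescaped `.` right after `\\$` matches any character, which cannot produce a false match on an operator-authored filter pattern but reads as a typo and should be `\\$\\.additionalEventData\\.MFAUsed` for consistency. The same unescaped dots appear in the event-source hostnames of the aws_cis_v200_4_7 (`kms.amazonaws.com`), aws_cis_v200_4_8 (`s3.amazonaws.com`) and aws_cis_v200_4_15 (`organizations.amazonaws.com`) hunks, where `kms\\.amazonaws\\.com` would state the intent exactly.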
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_4 Title: "4.4 Ensure IAM policy changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ 
'\s*\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.' - else filter_name || ' forwards events for IAM policy changes.' 
- end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*DeleteGroupPolicy.+\\$\\.eventName\\s*=\\s*DeleteRolePolicy.+\\$\\.eventName\\s*=\\s*DeleteUserPolicy.+\\$\\.eventName\\s*=\\s*PutGroupPolicy.+\\$\\.eventName\\s*=\\s*PutRolePolicy.+\\$\\.eventName\\s*=\\s*PutUserPolicy.+\\$\\.eventName\\s*=\\s*CreatePolicy.+\\$\\.eventName\\s*=\\s*DeletePolicy.+\\$\\.eventName\\s*=\\s*CreatePolicyVersion.+\\$\\.eventName\\s*=\\s*DeletePolicyVersion.+\\$\\.eventName\\s*=\\s*AttachRolePolicy.+\\$\\.eventName\\s*=\\s*DetachRolePolicy.+\\$\\.eventName\\s*=\\s*AttachUserPolicy.+\\$\\.eventName\\s*=\\s*DetachUserPolicy.+\\$\\.eventName\\s*=\\s*AttachGroupPolicy.+\\$\\.eventName\\s*=\\s*DetachGroupPolicy'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name 
= f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.'\n else filter_name || ' forwards events for IAM policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_5.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_5.yaml index bc783d737..fe775007a 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_5.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_5.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_5 Title: "4.5 Ensure CloudTrail configuration changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, where metric filters and alarms can be established. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as 
subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for CloudTrail configuration changes.' - else filter_name || ' forwards events for CloudTrail configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateTrail.+\\$\\.eventName\\s*=\\s*UpdateTrail.+\\$\\.eventName\\s*=\\s*DeleteTrail.+\\$\\.eventName\\s*=\\s*StartLogging.+\\$\\.eventName\\s*=\\s*StopLogging'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as 
subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for CloudTrail configuration changes.'\n else filter_name || ' forwards events for CloudTrail configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_7.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_7.yaml index c86aeaeab..b87efd261 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_7.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_7.yaml 
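Review bot: The `Description` on the new side still ends with `It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.` although this control (`4.5`, per its Title) checks for a filter on `CreateTrail`, `UpdateTrail`, `DeleteTrail`, `StartLogging` and `StopLogging`; the sentence looks copied from aws_cis_v200_4_4 in this same diff and will mislead anyone reading the finding. Replace it with a sentence about CloudTrail itself, e.g. `It is recommended that a metric filter and alarm be established for changes made to CloudTrail configuration.`; the aws_cis_v200_4_4 description has the same missing `for` in `be established changes made to`.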
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_7 Title: "4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as 
subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for disabling/deletion of CMKs.' - else filter_name || ' forwards events for disabling/deletion of CMKs.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*kms.amazonaws.com.+\\$\\.eventName\\s*=\\s*DisableKey.+\\$\\.eventName\\s*=\\s*ScheduleKeyDeletion'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n 
distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for disabling/deletion of CMKs.'\n else filter_name || ' forwards events for disabling/deletion of CMKs.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_8.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_8.yaml index de780df8f..b67d65dda 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_8.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_8.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_8 Title: "4.8 Ensure S3 bucket policy changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - 
from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for S3 bucket policy changes.' - else filter_name || ' forwards events for S3 bucket policy changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ 
'\\s*\\$\\.eventSource\\s*=\\s*s3.amazonaws.com.+\\$\\.eventName\\s*=\\s*PutBucketAcl.+\\$\\.eventName\\s*=\\s*PutBucketPolicy.+\\$\\.eventName\\s*=\\s*PutBucketCors.+\\$\\.eventName\\s*=\\s*PutBucketLifecycle.+\\$\\.eventName\\s*=\\s*PutBucketReplication.+\\$\\.eventName\\s*=\\s*DeleteBucketPolicy.+\\$\\.eventName\\s*=\\s*DeleteBucketCors.+\\$\\.eventName\\s*=\\s*DeleteBucketLifecycle.+\\$\\.eventName\\s*=\\s*DeleteBucketReplication'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for S3 bucket policy changes.'\n else filter_name || ' forwards events for S3 bucket policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_4_9.yaml b/compliance/controls/pending/aws/aws_cis_v200_4_9.yaml index 282e0ec5c..4767cedde 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_4_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_4_9.yaml 
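Review bot: The new `QueryToExecute: "..."` form collapses the whole query into one double-quoted line with `\n` escapes and doubled backslashes (`'\\s*\\$\\.eventSource...`), which makes the regex and the SQL hard to review and turns every future edit into a one-line diff; the block scalar `QueryToExecute: |` the hunk removes yields the same value and should be kept, and this applies to every QueryToExecute rewritten in this diff. Separately, the `trails` CTE derives its rows from `jsonb_array_elements(trail.event_selectors)`, so a multi-region trail configured only with advanced event selectors contributes nothing and the account is reported `'alarm'` even when a matching filter and alarm exist; aws_cis_v300_3_1 in this diff does handle `advanced_event_selectors`, and the same gap appears in aws_cis_v200_4_9, aws_cis_v300_4_1 and aws_cis_v300_4_10. The filter regex also only matches when the event names occur in this exact order with `.+` between them, so an equivalent CloudWatch pattern listing them in another order produces a false alarm; if the query is kept as is, a `-- pattern match is order-sensitive; reorderings of the same event list will not match` comment above the `~` would save the next maintainer from chasing it.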
@@ -1,90 +1,13 @@ ID: aws_cis_v200_4_9 Title: "4.9 Ensure AWS Config configuration changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = 
f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.' - else filter_name || ' forwards events for AWS Config configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*config.amazonaws.com.+\\$\\.eventName\\s*=\\s*StopConfigurationRecorder.+\\$\\.eventName\\s*=\\s*DeleteDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutConfigurationRecorder'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = 
t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.'\n else filter_name || ' forwards events for AWS Config configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v200_5_1.yaml b/compliance/controls/pending/aws/aws_cis_v200_5_1.yaml index d5eed7e06..33a5eafa5 100755 --- a/compliance/controls/pending/aws/aws_cis_v200_5_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v200_5_1.yaml 
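Review bot: The `topic_subscriptions` CTE joins on `topic_arn` but never inspects `subscription_arn`, so an SNS topic whose only subscription is unconfirmed still satisfies the chain and the account is reported `'ok'`; if the table reports unconfirmed subscriptions the way the SNS API does (a placeholder `subscription_arn` rather than a real ARN), a `where subscription_arn like 'arn:%'` filter in that CTE would close the gap. The same CTE is shared by aws_cis_v200_4_8, aws_cis_v300_4_1 and aws_cis_v300_4_10 in this diff. Whether the placeholder value is surfaced by this engine is not visible here and should be confirmed before changing the filter.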
@@ -1,86 +1,13 @@ ID: aws_cis_v200_5_1 Title: "5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports" Description: "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bad_rules as ( - select - network_acl_id, - count(*) as num_bad_rules, - tags, - region, - account_id - from - aws_vpc_network_acl, - jsonb_array_elements(entries) as att - where - att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress - and ( - att ->> 'CidrBlock' = '0.0.0.0/0' - or att ->> 'Ipv6CidrBlock' = '::/0' - ) - and att ->> 'RuleAction' = 'allow' - and ( - ( - att ->> 'Protocol' = '-1' -- all traffic - and att ->> 'PortRange' is null - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 22 - and (att -> 'PortRange' ->> 'To') :: int >= 22 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 3389 - and (att -> 'PortRange' ->> 'To') :: int >= 3389 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - ) - group by - network_acl_id, - region, - account_id, - tags - order by - network_acl_id, - region, - account_id, - tags - ), - aws_vpc_network_acls as ( - select - network_acl_id, - tags, - partition, - region, - account_id - from - aws_vpc_network_acl - order by - network_acl_id, - region, - account_id - ) - select - 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource, - case - when bad_rules.network_acl_id is null then 'ok' - else 'alarm' - end as status, - case - when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not 
allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - end as reason - - - from - aws_vpc_network_acls as acl - left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id; + QueryToExecute: "with bad_rules as (\n select\n network_acl_id,\n count(*) as num_bad_rules,\n tags,\n region,\n account_id\n from\n aws_vpc_network_acl,\n jsonb_array_elements(entries) as att\n where\n att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress\n and (\n att ->> 'CidrBlock' = '0.0.0.0/0'\n or att ->> 'Ipv6CidrBlock' = '::/0'\n )\n and att ->> 'RuleAction' = 'allow'\n and (\n (\n att ->> 'Protocol' = '-1' -- all traffic\n and att ->> 'PortRange' is null\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 22\n and (att -> 'PortRange' ->> 'To') :: int >= 22\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 3389\n and (att -> 'PortRange' ->> 'To') :: int >= 3389\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n )\n group by\n network_acl_id,\n region,\n account_id,\n tags\n order by\n network_acl_id,\n region,\n account_id,\n tags\n),\naws_vpc_network_acls as (\n select\n network_acl_id,\n tags,\n partition,\n region,\n account_id\n from\n aws_vpc_network_acl\n order by\n network_acl_id,\n region,\n account_id\n)\nselect\n 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource,\n case\n when bad_rules.network_acl_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n end as reason\n \n 
\nfrom\n aws_vpc_network_acls as acl\n left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_1_13.yaml b/compliance/controls/pending/aws/aws_cis_v300_1_13.yaml index f6f276ce3..ac40d9588 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_1_13.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_1_13.yaml @@ -1,33 +1,13 @@ ID: aws_cis_v300_1_13 Title: "1.13 Ensure there is only one active access key available for any single IAM user" Description: "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - u.arn as resource, - case - when count(k.*) > 1 then 'alarm' - else 'ok' - end as status, - u.name || ' has ' || count(k.*) || ' active access key(s).' as reason - - - from - aws_iam_user as u - left join aws_iam_access_key as k on u.name = k.user_name and u.account_id = k.account_id - where - k.status = 'Active' or k.status is null - group by - u.arn, - u.name, - u.account_id, - u.tags, - u._ctx; + QueryToExecute: "select\n u.arn as resource,\n case\n when count(k.*) > 1 then 'alarm'\n else 'ok'\n end as status,\n u.name || ' has ' || count(k.*) || ' active access key(s).' as reason\n \n \nfrom\n aws_iam_user as u\n left join aws_iam_access_key as k on u.name = k.user_name and u.account_id = k.account_id\nwhere\n k.status = 'Active' or k.status is null\ngroup by\n u.arn,\n u.name,\n u.account_id,\n u.tags,\n u._ctx;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
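Review bot: The `bad_rules` CTE flags every matching `allow` entry without regard to the entry's rule number, so an ACL where a lower-numbered `deny` for the same ports shadows a broader `allow` is still reported `'alarm'`; that is the conservative direction, but it is undocumented and will read as a false positive to whoever triages the finding. A one-line comment in the CTE, `-- rule ordering is ignored: any matching allow entry is flagged even if a lower-numbered deny shadows it`, would make the intent explicit. The reason text `' rule(s) allowing ingress to port 22 or 3389 ...'` is likewise only true under that reading.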
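Review bot: `PrimaryTable: ""` and `ListOfTables: []` are left empty while the query reads `aws_iam_user` and `aws_iam_access_key`, so any consumer that uses those fields to scope or schedule the control sees no tables for it; this file sits under `pending/`, so the omission may be deliberate, but the other pending controls in this diff (aws_cis_v300_1_9, aws_cis_v300_2_1_4, aws_cis_v300_3_1, aws_cis_v300_3_7) have the same mismatch and it is worth a `# TODO: populate PrimaryTable/ListOfTables before promoting` comment if it is. The query itself looks right: the `left join` plus `k.status = 'Active' or k.status is null` keeps users with zero keys, and `count(k.*)` is zero for them.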
diff --git a/compliance/controls/pending/aws/aws_cis_v300_1_22.yaml b/compliance/controls/pending/aws/aws_cis_v300_1_22.yaml index 0718d1567..06e19d4d7 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_1_22.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_1_22.yaml 
@@ -1,54 +1,13 @@ ID: aws_cis_v300_1_22 Title: "1.22 Ensure access to AWSCloudShellFullAccess is restricted" Description: "AWS CloudShell is a convenient way of running CLI commands against AWS services; a managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm' - else 'ok' - end status, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'User ' || title || ' has access to AWSCloudShellFullAccess.' - else 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.' - end as reason - - from - aws_iam_user - union - select - arn as resource, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm' - else 'ok' - end status, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Role ' || title || ' has access to AWSCloudShellFullAccess.' - else 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.' - end as reason - - from - aws_iam_role - union - select - arn as resource, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'alarm' - else 'ok' - end status, - case - when attached_policy_arns @> '["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]' then 'Group ' || title || ' has access to AWSCloudShellFullAccess.' - else 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.' 
- end as reason - - from - aws_iam_group; + QueryToExecute: "select\n arn as resource,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'User ' || title || ' has access to AWSCloudShellFullAccess.'\n else 'User ' || title || ' access to AWSCloudShellFullAccess is restricted.'\n end as reason\n \nfrom\n aws_iam_user\nunion\nselect\n arn as resource,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'Role ' || title || ' has access to AWSCloudShellFullAccess.'\n else 'Role ' || title || ' access to AWSCloudShellFullAccess is restricted.'\n end as reason\n \nfrom\n aws_iam_role\nunion\nselect\n arn as resource,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when attached_policy_arns @> '[\"arn:aws:iam::aws:policy/AWSCloudShellFullAccess\"]' then 'Group ' || title || ' has access to AWSCloudShellFullAccess.'\n else 'Group ' || title || ' access to AWSCloudShellFullAccess is restricted.'\n end as reason\n \nfrom\n aws_iam_group;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_1_9.yaml b/compliance/controls/pending/aws/aws_cis_v300_1_9.yaml index 1e4741402..3528819c8 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_1_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_1_9.yaml 
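Review bot: All three `union` branches hard-code the partition in `'["arn:aws:iam::aws:policy/AWSCloudShellFullAccess"]'`, so in the GovCloud and China partitions the managed-policy ARN never matches and every user, role and group is reported `'ok'` regardless of attachment; the other controls in this diff build their ARNs from the `partition` column. Each branch should instead compare against `('["arn:' || partition || ':iam::aws:policy/AWSCloudShellFullAccess"]')::jsonb`, assuming `partition` is exposed on these tables as it is on `aws_account` elsewhere in the diff. The check also only covers the directly attached managed policy, not an inline policy granting the same actions, which is the CIS scope but worth stating in a comment so the `'is restricted.'` reason is not over-read.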
@@ -1,28 +1,13 @@ ID: aws_cis_v300_1_9 Title: "1.9 Ensure IAM password policy prevents password reuse" Description: "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when password_reuse_prevention >= 24 then 'ok' - else 'alarm' - end as status, - case - when minimum_password_length is null then 'No password policy set.' - when password_reuse_prevention is null then 'Password reuse prevention not set.' - else 'Password reuse prevention set to ' || password_reuse_prevention || '.' - end as reason - - from - aws_account as a - left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id; + QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when password_reuse_prevention >= 24 then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n when password_reuse_prevention is null then 'Password reuse prevention not set.'\n else 'Password reuse prevention set to ' || password_reuse_prevention || '.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_2_1_4.yaml b/compliance/controls/pending/aws/aws_cis_v300_2_1_4.yaml index 9cd6adc3f..64a2d3ab3 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_2_1_4.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_2_1_4.yaml 
@@ -1,44 +1,13 @@ ID: aws_cis_v300_2_1_4 Title: "2.1.4 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'" Description: "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - case - when (bucket.block_public_acls or s3account.block_public_acls) - and (bucket.block_public_policy or s3account.block_public_policy) - and (bucket.ignore_public_acls or s3account.ignore_public_acls) - and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) - then 'ok' - else 'alarm' - end as status, - case - when (bucket.block_public_acls or s3account.block_public_acls) - and (bucket.block_public_policy or s3account.block_public_policy) - and (bucket.ignore_public_acls or s3account.ignore_public_acls) - and (bucket.restrict_public_buckets or s3account.restrict_public_buckets) - then name || ' all public access blocks enabled.' 
- else name || ' not enabled for: ' || - concat_ws(', ', - case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end, - case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end, - case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end, - case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end - ) || '.' - end as reason - - - from - aws_s3_bucket as bucket, - aws_s3_account_settings as s3account - where - s3account.account_id = bucket.account_id; + QueryToExecute: "select\n arn as resource,\n case\n when (bucket.block_public_acls or s3account.block_public_acls)\n and (bucket.block_public_policy or s3account.block_public_policy)\n and (bucket.ignore_public_acls or s3account.ignore_public_acls)\n and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)\n then 'ok'\n else 'alarm'\n end as status,\n case\n when (bucket.block_public_acls or s3account.block_public_acls)\n and (bucket.block_public_policy or s3account.block_public_policy)\n and (bucket.ignore_public_acls or s3account.ignore_public_acls)\n and (bucket.restrict_public_buckets or s3account.restrict_public_buckets)\n then name || ' all public access blocks enabled.'\n else name || ' not enabled for: ' ||\n concat_ws(', ',\n case when not (bucket.block_public_acls or s3account.block_public_acls) then 'block_public_acls' end,\n case when not (bucket.block_public_policy or s3account.block_public_policy) then 'block_public_policy' end,\n case when not (bucket.ignore_public_acls or s3account.ignore_public_acls) then 'ignore_public_acls' end,\n case when not (bucket.restrict_public_buckets or s3account.restrict_public_buckets) then 'restrict_public_buckets' end\n ) || '.'\n end as reason\n \n \nfrom\n aws_s3_bucket as bucket,\n aws_s3_account_settings as s3account\nwhere\n s3account.account_id = 
bucket.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_3_1.yaml b/compliance/controls/pending/aws/aws_cis_v300_3_1.yaml index 6cf744ed6..21e9b5ed2 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_3_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_3_1.yaml 
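Review bot: The `from aws_s3_bucket as bucket, aws_s3_account_settings as s3account where s3account.account_id = bucket.account_id` is an inner join, so a bucket in an account that has no row in `aws_s3_account_settings` disappears from the result instead of being assessed; a `left join` on `account_id` would keep it, and since `null or false` is `null` the `case` would then fall through to `'alarm'`, which is the safe direction. With nulls present the reason branch is less helpful: each `case when not (... or ...)` yields `null` and is dropped by `concat_ws`, so the message degrades to `' not enabled for: .'`; wrapping each column in `coalesce(..., false)` fixes both the status and the reason. Whether these columns can be null is not visible here and should be confirmed against the table schema.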
@@ -1,48 +1,13 @@ ID: aws_cis_v300_3_1 Title: "3.1 Ensure CloudTrail is enabled in all regions" Description: "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) as e - where - (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All') - ), - advanced_event_selectors_trail_details as ( - select - distinct account_id - from - aws_cloudtrail_trail, - jsonb_array_elements_text(advanced_event_selectors) as a - where - -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType - (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%')) - ) - select - a.title as resource, - case - when d.account_id is null and ad.account_id is null then 'alarm' - else 'ok' - end as status, - case - when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.' - else 'cloudtrail enabled.' 
- end as reason - - - from - aws_account as a - left join event_selectors_trail_details as d on d.account_id = a.account_id - left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id; + QueryToExecute: "with event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) as e\n where\n (is_logging and is_multi_region_trail and e ->> 'ReadWriteType' = 'All')\n),\nadvanced_event_selectors_trail_details as (\n select\n distinct account_id\n from\n aws_cloudtrail_trail,\n jsonb_array_elements_text(advanced_event_selectors) as a\n where\n -- when readOnly = true, then it is readOnly, when readOnly = false then it is writeOnly, if advanced_event_selectors is not null then it is both ReadWriteType\n (is_logging and is_multi_region_trail and advanced_event_selectors is not null and (not a like '%readOnly%'))\n)\nselect\n a.title as resource,\n case\n when d.account_id is null and ad.account_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when d.account_id is null and ad.account_id is null then 'cloudtrail disabled.'\n else 'cloudtrail enabled.'\n end as reason\n\n \nfrom\n aws_account as a\n left join event_selectors_trail_details as d on d.account_id = a.account_id\n left join advanced_event_selectors_trail_details as ad on ad.account_id = a.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_3_7.yaml b/compliance/controls/pending/aws/aws_cis_v300_3_7.yaml index 1bc19a3ad..938334798 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_3_7.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_3_7.yaml 
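Review bot: `a.title as resource` identifies the account by display title, whereas the other account-level controls in this diff (aws_cis_v300_1_9, aws_cis_v200_4_8, aws_cis_v300_4_1) use `'arn:' || a.partition || ':::' || a.account_id`; titles are neither stable nor guaranteed unique across integrations, so results from this control will not line up with the others when aggregated per resource. Using the same ARN expression here would keep the identifier consistent. The advanced-selector branch relies on `not a like '%readOnly%'` over the text of each selector, which is a heuristic the inline comment explains but does not name as such; `-- heuristic: treats any selector without a readOnly field as read+write` would make that clearer.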
@@ -1,54 +1,13 @@ ID: aws_cis_v300_3_7 Title: "3.7 Ensure VPC flow logging is enabled in all VPCs" Description: "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet `Rejects` for VPCs." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with vpcs as ( - select - arn, - account_id, - region, - owner_id, - vpc_id, - tags, - _ctx - from - aws_vpc - order by - vpc_id - ), - flowlogs as ( - select - resource_id, - account_id, - region - from - aws_vpc_flow_log - order by - resource_id - ) - select - v.arn as resource, - case - when v.account_id <> v.owner_id then 'skip' - when f.resource_id is not null then 'ok' - else 'alarm' - end as status, - case - when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.' - when f.resource_id is not null then v.vpc_id || ' flow logging enabled.' - else v.vpc_id || ' flow logging disabled.' 
- end as reason - - - from - vpcs as v - left join flowlogs as f on v.vpc_id = f.resource_id; + QueryToExecute: "with vpcs as (\n select\n arn,\n account_id,\n region,\n owner_id,\n vpc_id,\n tags,\n _ctx\n from\n aws_vpc\n order by\n vpc_id\n),\nflowlogs as (\n select\n resource_id,\n account_id,\n region\n from\n aws_vpc_flow_log\n order by\n resource_id\n)\nselect\n v.arn as resource,\n case\n when v.account_id <> v.owner_id then 'skip'\n when f.resource_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.'\n when f.resource_id is not null then v.vpc_id || ' flow logging enabled.'\n else v.vpc_id || ' flow logging disabled.'\n end as reason\n \n \nfrom\n vpcs as v\n left join flowlogs as f on v.vpc_id = f.resource_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_1.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_1.yaml index d5820a683..0d4d289df 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_4_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_4_1.yaml 
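Review bot: The `flowlogs` CTE treats any `aws_vpc_flow_log` row whose `resource_id` matches as satisfying the control, but the Description promises flow logs for packet `Rejects`; a flow log capturing only accepted traffic, or one whose delivery has failed, still yields `' flow logging enabled.'`. If the table exposes the AWS fields for traffic type and flow-log status, the CTE should filter on them (traffic type `REJECT` or `ALL`, status active), or the reason text should be narrowed to what is actually checked. The exact column names on this engine are not visible here and should be confirmed before adding the filter.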
@@ -1,90 +1,13 @@ ID: aws_cis_v300_4_1 Title: "4.1 Ensure unauthorized API calls are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\$\.errorCode\s*=\s*"\*UnauthorizedOperation".+\$\.errorCode\s*=\s*"AccessDenied\*".+\$\.sourceIPAddress\s*!=\s*"delivery.logs.amazonaws.com".+\$\.eventName\s*!=\s*"HeadBucket"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id 
as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.' - else filter_name || ' forwards events for unauthorized API calls.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\$\\.errorCode\\s*=\\s*\"\\*UnauthorizedOperation\".+\\$\\.errorCode\\s*=\\s*\"AccessDenied\\*\".+\\$\\.sourceIPAddress\\s*!=\\s*\"delivery.logs.amazonaws.com\".+\\$\\.eventName\\s*!=\\s*\"HeadBucket\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as 
resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for unauthorized API calls.'\n else filter_name || ' forwards events for unauthorized API calls.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_10.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_10.yaml index 8577c3a9c..ec2fcf5f4 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_4_10.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_4_10.yaml 
@@ -1,90 +1,13 @@
 ID: aws_cis_v300_4_10
 Title: "4.10 Ensure security group changes are monitored"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*AuthorizeSecurityGroupIngress.+\$\.eventName\s*=\s*AuthorizeSecurityGroupEgress.+\$\.eventName\s*=\s*RevokeSecurityGroupIngress.+\$\.eventName\s*=\s*RevokeSecurityGroupEgress.+\$\.eventName\s*=\s*CreateSecurityGroup.+\$\.eventName\s*=\s*DeleteSecurityGroup'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.'
- else filter_name || ' forwards events for security group changes.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*CreateSecurityGroup.+\\$\\.eventName\\s*=\\s*DeleteSecurityGroup'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for security group changes.'\n else filter_name || ' forwards events for security group changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_13.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_13.yaml
index 71f1a32f0..ff216a046 100755
--- a/compliance/controls/pending/aws/aws_cis_v300_4_13.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v300_4_13.yaml
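Review bot: The `topic_subscriptions` CTE inside the new QueryToExecute string accepts every row of `aws_sns_topic_subscription` as a working notification path, but SNS reports an unconfirmed subscription with a `subscription_arn` of `PendingConfirmation`, so an account whose alarm topic has only pending subscriptions is reported `ok` although nobody is ever notified; adding `where subscription_arn <> 'PendingConfirmation'` to that CTE closes the gap. If the alarm table exposes an actions-enabled flag, filtering on it in the `alarms` CTE would be worth doing as well, since an alarm with actions disabled also never notifies. The `trails` CTE has a related blind spot: a trail configured only with advanced event selectors has, as far as I can tell, an empty `event_selectors` array, so `jsonb_array_elements` yields no rows and such accounts come back as a false `alarm`; worth confirming against how the table is populated. The same CTEs are carried unchanged into the 4_13, 4_15, 4_2, 4_3, 4_4 and 4_5 hunks.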
@@ -1,90 +1,13 @@
 ID: aws_cis_v300_4_13
 Title: "4.13 Ensure route table changes are monitored"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateRoute.+\$\.eventName\s*=\s*CreateRouteTable.+\$\.eventName\s*=\s*ReplaceRoute.+\$\.eventName\s*=\s*ReplaceRouteTableAssociation.+\$\.eventName\s*=\s*DeleteRouteTable.+\$\.eventName\s*=\s*DeleteRoute.+\$\.eventName\s*=\s*DisassociateRouteTable'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exist for route table changes.'
- else filter_name || ' forwards events for route table changes.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateRoute.+\\$\\.eventName\\s*=\\s*CreateRouteTable.+\\$\\.eventName\\s*=\\s*ReplaceRoute.+\\$\\.eventName\\s*=\\s*ReplaceRouteTableAssociation.+\\$\\.eventName\\s*=\\s*DeleteRouteTable.+\\$\\.eventName\\s*=\\s*DeleteRoute.+\\$\\.eventName\\s*=\\s*DisassociateRouteTable'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for route table changes.'\n else filter_name || ' forwards events for route table changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_15.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_15.yaml
index ef8005bce..be432442a 100755
--- a/compliance/controls/pending/aws/aws_cis_v300_4_15.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v300_4_15.yaml
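Review bot: QueryToExecute is now a single double-quoted scalar with `\n` escapes and doubled backslashes, replacing the `|` block scalar, so the SQL no longer diffs line by line and the filter regex (`'\\s*\\$\\.eventName\\s*=\\s*CreateRoute...'`) can only be audited by decoding two escape layers by hand — an easy place for a pattern to silently stop matching. Keeping the block form, `QueryToExecute: |` followed by the indented SQL, produces the same string value (including the trailing newline) without any escaping. The same applies to the 4_10, 4_15, 4_16, 4_2, 4_3, 4_4 and 4_5 hunks.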
@@ -1,90 +1,13 @@
 ID: aws_cis_v300_4_15
 Title: "4.15 Ensure AWS Organizations changes are monitored"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*organizations.amazonaws.com.+\$\.eventName\s*=\s*"?AcceptHandshake"?.+\$\.eventName\s*=\s*"?AttachPolicy"?.+\$\.eventName\s*=\s*"?CreateAccount"?.+\$\.eventName\s*=\s*"?CreateOrganizationalUnit"?.+\$\.eventName\s*=\s*"?CreatePolicy"?.+\$\.eventName\s*=\s*"?DeclineHandshake"?.+\$\.eventName\s*=\s*"?DeleteOrganization"?.+\$\.eventName\s*=\s*"?DeleteOrganizationalUnit"?.+\$\.eventName\s*=\s*"?DeletePolicy"?.+\$\.eventName\s*=\s*"?DetachPolicy"?.+\$\.eventName\s*=\s*"?DisablePolicyType"?.+\$\.eventName\s*=\s*"?EnablePolicyType"?.+\$\.eventName\s*=\s*"?InviteAccountToOrganization"?.+\$\.eventName\s*=\s*"?LeaveOrganization"?.+\$\.eventName\s*=\s*"?MoveAccount"?.+\$\.eventName\s*=\s*"?RemoveAccountFromOrganization"?.+\$\.eventName\s*=\s*"?UpdatePolicy"?.+\$\.eventName\s*=\s*"?UpdateOrganizationalUnit"?'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.'
- else filter_name || ' forwards relevant events for AWS Organizations changes.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*organizations.amazonaws.com.+\\$\\.eventName\\s*=\\s*\"?AcceptHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?AttachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?CreateAccount\"?.+\\$\\.eventName\\s*=\\s*\"?CreateOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?CreatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DeclineHandshake\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?DeleteOrganizationalUnit\"?.+\\$\\.eventName\\s*=\\s*\"?DeletePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DetachPolicy\"?.+\\$\\.eventName\\s*=\\s*\"?DisablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?EnablePolicyType\"?.+\\$\\.eventName\\s*=\\s*\"?InviteAccountToOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?LeaveOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?MoveAccount\"?.+\\$\\.eventName\\s*=\\s*\"?RemoveAccountFromOrganization\"?.+\\$\\.eventName\\s*=\\s*\"?UpdatePolicy\"?.+\\$\\.eventName\\s*=\\s*\"?UpdateOrganizationalUnit\"?'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exists for AWS Organizations changes.'\n else filter_name || ' forwards relevant events for AWS Organizations changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_16.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_16.yaml
index 08ea7a6d2..95b1a4e50 100755
--- a/compliance/controls/pending/aws/aws_cis_v300_4_16.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v300_4_16.yaml
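Review bot: In the new filter pattern the `eventSource` value is written as `organizations.amazonaws.com` with bare dots, while every other dot in the same regex is escaped as `\\.`; a bare `.` is a wildcard, so the check is looser than the rest of the pattern and inconsistent with it. Writing it as `organizations\\.amazonaws\\.com` in the double-quoted form (or `organizations\.amazonaws\.com` in a block scalar) makes the match literal. Minor, but the metric-filter regexes are the whole substance of this control, so they deserve to be exact.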
@@ -1,32 +1,13 @@
 ID: aws_cis_v300_4_16
 Title: "4.16 Ensure AWS Security Hub is enabled"
 Description: "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
- case
- when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then 'skip'
- -- Skip any regions that are disabled in the account.
- when r.opt_in_status = 'not-opted-in' then 'skip'
- when h.hub_arn is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then r.region || ' region not supported.'
- when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
- when h.hub_arn is not null then 'Security Hub enabled in ' || r.region || '.'
- else 'Security Hub disabled in ' || r.region || '.'
- end as reason
-
- from
- aws_region as r
- left join aws_securityhub_hub as h on r.account_id = h.account_id and r.name = h.region;
+ QueryToExecute: "select\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\n case\n when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then 'skip'\n -- Skip any regions that are disabled in the account.\n when r.opt_in_status = 'not-opted-in' then 'skip'\n when h.hub_arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when r.region = any(array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']) then r.region || ' region not supported.'\n when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'\n when h.hub_arn is not null then 'Security Hub enabled in ' || r.region || '.'\n else 'Security Hub disabled in ' || r.region || '.'\n end as reason\n \nfrom\n aws_region as r\n left join aws_securityhub_hub as h on r.account_id = h.account_id and r.name = h.region;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_2.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_2.yaml
index cc474cb40..d1b872e30 100755
--- a/compliance/controls/pending/aws/aws_cis_v300_4_2.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v300_4_2.yaml
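Review bot: The hard-coded `array['af-south-1', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'ap-northeast-3']` in the new QueryToExecute string forces `skip` for those regions, so a disabled Security Hub there can never surface as `alarm`; as far as I know Security Hub has since become available in at least af-south-1, eu-south-1 and ap-northeast-3, which would make this list silently suppress findings in regions the account actually uses. The `r.opt_in_status = 'not-opted-in'` branch already covers regions the account cannot use, so dropping the region-name branch from both `case` expressions, or maintaining the list from the service's current region availability, would be safer. At minimum the `-- Skip any regions that are disabled in the account.` comment should say when the unsupported-region list was last verified so it gets revisited.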
@@ -1,90 +1,13 @@
 ID: aws_cis_v300_4_2
 Title: "4.2 Ensure management console sign-in without MFA is monitored"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\(\s*\$\.eventName\s*=\s*"ConsoleLogin"\)\s+&&\s+\(\s*\$.additionalEventData\.MFAUsed\s*!=\s*"Yes"'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.'
- else filter_name || ' forwards events for console sign-in without MFA.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\(\\s*\\$\\.eventName\\s*=\\s*\"ConsoleLogin\"\\)\\s+&&\\s+\\(\\s*\\$.additionalEventData\\.MFAUsed\\s*!=\\s*\"Yes\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for console sign-in without MFA.'\n else filter_name || ' forwards events for console sign-in without MFA.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_3.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_3.yaml
index 7bbd917e6..4dae47ad8 100755
--- a/compliance/controls/pending/aws/aws_cis_v300_4_3.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v300_4_3.yaml
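Review bot: The new filter pattern escapes the dot in `\\$\\.eventName` but not in `\\$.additionalEventData`, so the second selector matches `$` followed by any character rather than the literal `$.`; it still matches the CIS-recommended filter, but the inconsistency looks like a typo and will confuse the next person auditing the regex. `\\$\\.additionalEventData\\.MFAUsed` is the form the rest of the pattern uses. The same `\\(\\s*` anchoring at the start means a filter written without the outer parentheses is not recognised, which is worth a one-line comment next to the pattern if that strictness is intended.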
@@ -1,90 +1,13 @@
 ID: aws_cis_v300_4_3
 Title: "4.3 Ensure usage of 'root' account is monitored"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\s*\$\.userIdentity\.type\s*=\s*"Root".+\$\.userIdentity\.invokedBy NOT EXISTS.+\$\.eventType\s*!=\s*"AwsServiceEvent"'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exist for usage of "root" account.'
- else filter_name || ' forwards events for usage of "root" account.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.userIdentity\\.type\\s*=\\s*\"Root\".+\\$\\.userIdentity\\.invokedBy NOT EXISTS.+\\$\\.eventType\\s*!=\\s*\"AwsServiceEvent\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for usage of \"root\" account.'\n else filter_name || ' forwards events for usage of \"root\" account.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_4.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_4.yaml
index 63150ac5e..d31b632d9 100755
--- a/compliance/controls/pending/aws/aws_cis_v300_4_4.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v300_4_4.yaml
@@ -1,90 +1,13 @@
 ID: aws_cis_v300_4_4
 Title: "4.4 Ensure IAM policy changes are monitored"
 Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with trails as (
- select
- trail.account_id,
- trail.name as trail_name,
- trail.is_logging,
- split_part(trail.log_group_arn, ':', 7) as log_group_name
- from
- aws_cloudtrail_trail as trail,
- jsonb_array_elements(trail.event_selectors) as se
- where
- trail.is_multi_region_trail is true
- and trail.is_logging
- and se ->> 'ReadWriteType' = 'All'
- and trail.log_group_arn is not null
- order by
- trail_name
- ),
- alarms as (
- select
- metric_name,
- action_arn as topic_arn
- from
- aws_cloudwatch_alarm,
- jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn
- order by
- metric_name
- ),
- topic_subscriptions as (
- select
- subscription_arn,
- topic_arn
- from
- aws_sns_topic_subscription
- order by
- subscription_arn
- ),
- metric_filters as (
- select
- filter.name as filter_name,
- filter_pattern,
- log_group_name,
- metric_transformation_name
- from
- aws_cloudwatch_log_metric_filter as filter
- where
- filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*DeleteGroupPolicy.+\$\.eventName\s*=\s*DeleteRolePolicy.+\$\.eventName\s*=\s*DeleteUserPolicy.+\$\.eventName\s*=\s*PutGroupPolicy.+\$\.eventName\s*=\s*PutRolePolicy.+\$\.eventName\s*=\s*PutUserPolicy.+\$\.eventName\s*=\s*CreatePolicy.+\$\.eventName\s*=\s*DeletePolicy.+\$\.eventName\s*=\s*CreatePolicyVersion.+\$\.eventName\s*=\s*DeletePolicyVersion.+\$\.eventName\s*=\s*AttachRolePolicy.+\$\.eventName\s*=\s*DetachRolePolicy.+\$\.eventName\s*=\s*AttachUserPolicy.+\$\.eventName\s*=\s*DetachUserPolicy.+\$\.eventName\s*=\s*AttachGroupPolicy.+\$\.eventName\s*=\s*DetachGroupPolicy'
- order by
- filter_name
- ),
- filter_data as (
- select
- t.account_id,
- t.trail_name,
- f.filter_name
- from
- trails as t
- join
- metric_filters as f on f.log_group_name = t.log_group_name
- join
- alarms as alarm on alarm.metric_name = f.metric_transformation_name
- join
- topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn
- )
- select
- distinct 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when f.trail_name is null then 'alarm'
- else 'ok'
- end as status,
- case
- when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.'
- else filter_name || ' forwards events for IAM policy changes.'
- end as reason
-
- from
- aws_account as a
- left join filter_data as f on a.account_id = f.account_id;
+ QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*DeleteGroupPolicy.+\\$\\.eventName\\s*=\\s*DeleteRolePolicy.+\\$\\.eventName\\s*=\\s*DeleteUserPolicy.+\\$\\.eventName\\s*=\\s*PutGroupPolicy.+\\$\\.eventName\\s*=\\s*PutRolePolicy.+\\$\\.eventName\\s*=\\s*PutUserPolicy.+\\$\\.eventName\\s*=\\s*CreatePolicy.+\\$\\.eventName\\s*=\\s*DeletePolicy.+\\$\\.eventName\\s*=\\s*CreatePolicyVersion.+\\$\\.eventName\\s*=\\s*DeletePolicyVersion.+\\$\\.eventName\\s*=\\s*AttachRolePolicy.+\\$\\.eventName\\s*=\\s*DetachRolePolicy.+\\$\\.eventName\\s*=\\s*AttachUserPolicy.+\\$\\.eventName\\s*=\\s*DetachUserPolicy.+\\$\\.eventName\\s*=\\s*AttachGroupPolicy.+\\$\\.eventName\\s*=\\s*DetachGroupPolicy'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for IAM policy changes.'\n else filter_name || ' forwards events for IAM policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_5.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_5.yaml
index e2b394f15..05f6725a7 100755
--- a/compliance/controls/pending/aws/aws_cis_v300_4_5.yaml
+++ b/compliance/controls/pending/aws/aws_cis_v300_4_5.yaml
@@ -1,90 +1,13 @@ ID: aws_cis_v300_4_5 Title: "4.5 Ensure CloudTrail configuration changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, where metric filters and alarms can be established. It is recommended that a metric filter and alarm be utilized for detecting changes to CloudTrail's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*CreateTrail.+\$\.eventName\s*=\s*UpdateTrail.+\$\.eventName\s*=\s*DeleteTrail.+\$\.eventName\s*=\s*StartLogging.+\$\.eventName\s*=\s*StopLogging' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on 
subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for CloudTrail configuration changes.' - else filter_name || ' forwards events for CloudTrail configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*CreateTrail.+\\$\\.eventName\\s*=\\s*UpdateTrail.+\\$\\.eventName\\s*=\\s*DeleteTrail.+\\$\\.eventName\\s*=\\s*StartLogging.+\\$\\.eventName\\s*=\\s*StopLogging'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on 
subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for CloudTrail configuration changes.'\n else filter_name || ' forwards events for CloudTrail configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_6.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_6.yaml index 7c687b5d1..585ef2d0f 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_4_6.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_4_6.yaml 
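Review bot: The `metric_filters` CTE on the new `QueryToExecute` line matches `filter_pattern` with a regex that chains the five event names with `.+`, so a metric filter that lists the same CloudTrail events in a different order, or quotes the values (`$.eventName = "CreateTrail"`), is reported as 'alarm' although it covers the same events; if that strictness is intended it deserves a SQL comment such as `-- pattern must list events in CIS order, unquoted`, otherwise the check should test for each `\$\.eventName\s*=\s*"?CreateTrail"?` term independently. The same ordering and quoting assumption is in the aws_cis_v300_4_6, 4_7, 4_8 and 4_9 hunks. Separately, replacing `QueryToExecute: |` with a one-line double-quoted string forces every regex backslash to be doubled (`\\s*\\$\\.eventName`) and, in the 4_6 hunk, `\"Failed authentication\"` to be escaped, and it makes future query diffs unreadable; keeping the block literal would avoid both without changing the parsed value. The pending controls also keep `PrimaryTable: ""` and `ListOfTables: []` while the non-pending controls earlier in this commit populate them, which looks like an omission the new `IntegrationTypeName` key does not resolve.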
@@ -1,90 +1,13 @@ ID: aws_cis_v300_4_6 Title: "4.6 Ensure AWS Management Console authentication failures are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventName\s*=\s*ConsoleLogin.+\$\.errorMessage\s*=\s*"Failed authentication"' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' 
|| a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.' - else f.filter_name || ' forwards events for console authentication failures.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventName\\s*=\\s*ConsoleLogin.+\\$\\.errorMessage\\s*=\\s*\"Failed authentication\"'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 
'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for console authentication failures.'\n else f.filter_name || ' forwards events for console authentication failures.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_7.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_7.yaml index c4b925b58..cbbc25414 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_4_7.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_4_7.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v300_4_7 Title: "4.7 Ensure disabling or scheduled deletion of customer created CMKs is monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*kms.amazonaws.com.+\$\.eventName\s*=\s*DisableKey.+\$\.eventName\s*=\s*ScheduleKeyDeletion' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as 
subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for disabling/deletion of CMKs.' - else filter_name || ' forwards events for disabling/deletion of CMKs.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*kms.amazonaws.com.+\\$\\.eventName\\s*=\\s*DisableKey.+\\$\\.eventName\\s*=\\s*ScheduleKeyDeletion'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n 
distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for disabling/deletion of CMKs.'\n else filter_name || ' forwards events for disabling/deletion of CMKs.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_8.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_8.yaml index 8ce4c4735..559c03f6a 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_4_8.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_4_8.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v300_4_8 Title: "4.8 Ensure S3 bucket policy changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*s3.amazonaws.com.+\$\.eventName\s*=\s*PutBucketAcl.+\$\.eventName\s*=\s*PutBucketPolicy.+\$\.eventName\s*=\s*PutBucketCors.+\$\.eventName\s*=\s*PutBucketLifecycle.+\$\.eventName\s*=\s*PutBucketReplication.+\$\.eventName\s*=\s*DeleteBucketPolicy.+\$\.eventName\s*=\s*DeleteBucketCors.+\$\.eventName\s*=\s*DeleteBucketLifecycle.+\$\.eventName\s*=\s*DeleteBucketReplication' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - 
from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for S3 bucket policy changes.' - else filter_name || ' forwards events for S3 bucket policy changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ 
'\\s*\\$\\.eventSource\\s*=\\s*s3.amazonaws.com.+\\$\\.eventName\\s*=\\s*PutBucketAcl.+\\$\\.eventName\\s*=\\s*PutBucketPolicy.+\\$\\.eventName\\s*=\\s*PutBucketCors.+\\$\\.eventName\\s*=\\s*PutBucketLifecycle.+\\$\\.eventName\\s*=\\s*PutBucketReplication.+\\$\\.eventName\\s*=\\s*DeleteBucketPolicy.+\\$\\.eventName\\s*=\\s*DeleteBucketCors.+\\$\\.eventName\\s*=\\s*DeleteBucketLifecycle.+\\$\\.eventName\\s*=\\s*DeleteBucketReplication'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for S3 bucket policy changes.'\n else filter_name || ' forwards events for S3 bucket policy changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_4_9.yaml b/compliance/controls/pending/aws/aws_cis_v300_4_9.yaml index 37d150ea5..b4197898e 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_4_9.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_4_9.yaml 
@@ -1,90 +1,13 @@ ID: aws_cis_v300_4_9 Title: "4.9 Ensure AWS Config configuration changes are monitored" Description: "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs, or an external Security information and event management (SIEM) environment, and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to AWS Config's configurations." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with trails as ( - select - trail.account_id, - trail.name as trail_name, - trail.is_logging, - split_part(trail.log_group_arn, ':', 7) as log_group_name - from - aws_cloudtrail_trail as trail, - jsonb_array_elements(trail.event_selectors) as se - where - trail.is_multi_region_trail is true - and trail.is_logging - and se ->> 'ReadWriteType' = 'All' - and trail.log_group_arn is not null - order by - trail_name - ), - alarms as ( - select - metric_name, - action_arn as topic_arn - from - aws_cloudwatch_alarm, - jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn - order by - metric_name - ), - topic_subscriptions as ( - select - subscription_arn, - topic_arn - from - aws_sns_topic_subscription - order by - subscription_arn - ), - metric_filters as ( - select - filter.name as filter_name, - filter_pattern, - log_group_name, - metric_transformation_name - from - aws_cloudwatch_log_metric_filter as filter - where - filter.filter_pattern ~ '\s*\$\.eventSource\s*=\s*config.amazonaws.com.+\$\.eventName\s*=\s*StopConfigurationRecorder.+\$\.eventName\s*=\s*DeleteDeliveryChannel.+\$\.eventName\s*=\s*PutDeliveryChannel.+\$\.eventName\s*=\s*PutConfigurationRecorder' - order by - filter_name - ), - filter_data as ( - select - t.account_id, - t.trail_name, - f.filter_name - from - trails as t - join - metric_filters as f on f.log_group_name = t.log_group_name - join - alarms as alarm on alarm.metric_name = 
f.metric_transformation_name - join - topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn - ) - select - distinct 'arn:' || a.partition || ':::' || a.account_id as resource, - case - when f.trail_name is null then 'alarm' - else 'ok' - end as status, - case - when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.' - else filter_name || ' forwards events for AWS Config configuration changes.' - end as reason - - from - aws_account as a - left join filter_data as f on a.account_id = f.account_id; + QueryToExecute: "with trails as (\n select\n trail.account_id,\n trail.name as trail_name,\n trail.is_logging,\n split_part(trail.log_group_arn, ':', 7) as log_group_name\n from\n aws_cloudtrail_trail as trail,\n jsonb_array_elements(trail.event_selectors) as se\n where\n trail.is_multi_region_trail is true\n and trail.is_logging\n and se ->> 'ReadWriteType' = 'All'\n and trail.log_group_arn is not null\n order by\n trail_name\n),\nalarms as (\n select\n metric_name,\n action_arn as topic_arn\n from\n aws_cloudwatch_alarm,\n jsonb_array_elements_text(aws_cloudwatch_alarm.alarm_actions) as action_arn\n order by\n metric_name\n),\ntopic_subscriptions as (\n select\n subscription_arn,\n topic_arn\n from\n aws_sns_topic_subscription\n order by\n subscription_arn\n),\nmetric_filters as (\n select\n filter.name as filter_name,\n filter_pattern,\n log_group_name,\n metric_transformation_name\n from\n aws_cloudwatch_log_metric_filter as filter\n where\n filter.filter_pattern ~ '\\s*\\$\\.eventSource\\s*=\\s*config.amazonaws.com.+\\$\\.eventName\\s*=\\s*StopConfigurationRecorder.+\\$\\.eventName\\s*=\\s*DeleteDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutConfigurationRecorder'\n order by\n filter_name\n),\nfilter_data as (\n select\n t.account_id,\n t.trail_name,\n f.filter_name\n from\n trails as t\n join\n metric_filters as f on f.log_group_name = 
t.log_group_name\n join\n alarms as alarm on alarm.metric_name = f.metric_transformation_name\n join\n topic_subscriptions as subscription on subscription.topic_arn = alarm.topic_arn\n)\nselect\n distinct 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when f.trail_name is null then 'alarm'\n else 'ok'\n end as status,\n case\n when f.trail_name is null then 'No log metric filter and alarm exist for AWS Config configuration changes.'\n else filter_name || ' forwards events for AWS Config configuration changes.'\n end as reason\n \nfrom\n aws_account as a\n left join filter_data as f on a.account_id = f.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_5_1.yaml b/compliance/controls/pending/aws/aws_cis_v300_5_1.yaml index 005ae79c5..4550827ac 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_5_1.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_5_1.yaml 
@@ -1,86 +1,13 @@ ID: aws_cis_v300_5_1 Title: "5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports" Description: "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bad_rules as ( - select - network_acl_id, - count(*) as num_bad_rules, - tags, - region, - account_id - from - aws_vpc_network_acl, - jsonb_array_elements(entries) as att - where - att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress - and ( - att ->> 'CidrBlock' = '0.0.0.0/0' - or att ->> 'Ipv6CidrBlock' = '::/0' - ) - and att ->> 'RuleAction' = 'allow' - and ( - ( - att ->> 'Protocol' = '-1' -- all traffic - and att ->> 'PortRange' is null - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 22 - and (att -> 'PortRange' ->> 'To') :: int >= 22 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 3389 - and (att -> 'PortRange' ->> 'To') :: int >= 3389 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - ) - group by - network_acl_id, - region, - account_id, - tags - order by - network_acl_id, - region, - account_id, - tags - ), - aws_vpc_network_acls as ( - select - network_acl_id, - tags, - partition, - region, - account_id - from - aws_vpc_network_acl - order by - network_acl_id, - region, - account_id - ) - select - 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource, - case - when bad_rules.network_acl_id is null then 'ok' - else 'alarm' - end as status, - case - when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not 
allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - end as reason - - - from - aws_vpc_network_acls as acl - left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id; + QueryToExecute: "with bad_rules as (\n select\n network_acl_id,\n count(*) as num_bad_rules,\n tags,\n region,\n account_id\n from\n aws_vpc_network_acl,\n jsonb_array_elements(entries) as att\n where\n att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress\n and (\n att ->> 'CidrBlock' = '0.0.0.0/0'\n or att ->> 'Ipv6CidrBlock' = '::/0'\n )\n and att ->> 'RuleAction' = 'allow'\n and (\n (\n att ->> 'Protocol' = '-1' -- all traffic\n and att ->> 'PortRange' is null\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 22\n and (att -> 'PortRange' ->> 'To') :: int >= 22\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 3389\n and (att -> 'PortRange' ->> 'To') :: int >= 3389\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n )\n group by\n network_acl_id,\n region,\n account_id,\n tags\n order by\n network_acl_id,\n region,\n account_id,\n tags\n),\naws_vpc_network_acls as (\n select\n network_acl_id,\n tags,\n partition,\n region,\n account_id\n from\n aws_vpc_network_acl\n order by\n network_acl_id,\n region,\n account_id\n)\nselect\n 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource,\n case\n when bad_rules.network_acl_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n end as reason\n \n 
\nfrom\n aws_vpc_network_acls as acl\n left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cis_v300_5_4.yaml b/compliance/controls/pending/aws/aws_cis_v300_5_4.yaml index ff24d6656..b61c31183 100755 --- a/compliance/controls/pending/aws/aws_cis_v300_5_4.yaml +++ b/compliance/controls/pending/aws/aws_cis_v300_5_4.yaml 
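Review bot: The `bad_rules` CTE on the new `QueryToExecute` line counts every allow entry that reaches port 22 or 3389 from `0.0.0.0/0` or `::/0` without considering the entry's `RuleNumber`, and network ACL entries are evaluated in rule-number order, so an allow that is shadowed by a lower-numbered deny is still reported as 'alarm'. That is a conservative over-report rather than a miss, which may be what a CIS-literal control wants, but the intent should be recorded in the query, e.g. `-- rule order is deliberately ignored; any matching allow entry is reported`. The reason text `' contains ' || bad_rules.num_bad_rules || ' rule(s) ...'` would then read accurately as "entries present" rather than "traffic actually permitted".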
@@ -1,34 +1,13 @@ ID: aws_cis_v300_5_4 Title: "5.4 Ensure the default security group of every VPC restricts all traffic" Description: "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn resource, - case - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok' - else 'alarm' - end status, - case - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has inbound and outbound rules.' - when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0 - then 'Default security group ' || group_id || ' has inbound rules.' - when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0 - then 'Default security group ' || group_id || ' has outbound rules.' - else 'Default security group ' || group_id || ' has no inbound or outbound rules.' 
- end reason - - - from - aws_vpc_security_group - where - group_name = 'default'; + QueryToExecute: "select\n arn resource,\n case\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) = 0 then 'ok'\n else 'alarm'\n end status,\n case\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has inbound and outbound rules.'\n when jsonb_array_length(ip_permissions) > 0 and jsonb_array_length(ip_permissions_egress) = 0\n then 'Default security group ' || group_id || ' has inbound rules.'\n when jsonb_array_length(ip_permissions) = 0 and jsonb_array_length(ip_permissions_egress) > 0\n then 'Default security group ' || group_id || ' has outbound rules.'\n else 'Default security group ' || group_id || ' has no inbound or outbound rules.'\n end reason\n \n \nfrom\n aws_vpc_security_group\nwhere\n group_name = 'default';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled.yaml b/compliance/controls/pending/aws/aws_cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled.yaml index b0cfb7f6a..eb9e21425 100755 --- a/compliance/controls/pending/aws/aws_cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled.yaml +++ b/compliance/controls/pending/aws/aws_cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled.yaml 
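Review bot: The status `case` on the new `QueryToExecute` line compares `jsonb_array_length(ip_permissions)` and `jsonb_array_length(ip_permissions_egress)` with 0, and if either column is ever null rather than `[]` (I cannot confirm the table's shape from this page) the comparison is null, the status falls through to 'alarm' while the reason falls through to `' has no inbound or outbound rules.'`, so the two columns contradict each other. Wrapping both lengths, e.g. `coalesce(jsonb_array_length(ip_permissions), 0) = 0`, keeps status and reason consistent for that case. The query logic itself is unchanged by this commit, so this only needs attention if the null case is reachable.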
@@ -1,56 +1,13 @@ ID: aws_cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled Title: "CloudFront distributions should encrypt traffic to non S3 origins" Description: "This control ensures that conection between cloudfront and oriign server is encrypted. It is recommended to enforce HTTPS-only traffic between a CloudFront distribution and the origin." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with viewer_protocol_policy_value as ( - select - distinct arn - from - aws_cloudfront_distribution, - jsonb_array_elements( - case jsonb_typeof(cache_behaviors -> 'Items') - when 'array' then (cache_behaviors -> 'Items') - else null end - ) as cb - where - cb ->> 'ViewerProtocolPolicy' = 'allow-all' - ), - origin_protocol_policy_value as ( - select - distinct arn, - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy - from - aws_cloudfront_distribution, - jsonb_array_elements(origins) as o - where - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only' - or o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer' - and o -> 'S3OriginConfig' is null - ) - select - b.arn as resource, - case - when o.arn is not null and o.origin_protocol_policy = 'http-only' then 'alarm' - when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then 'alarm' - else 'ok' - end as status, - case - when o.arn is not null and o.origin_protocol_policy = 'http-only' then title || ' origins traffic not encrypted in transit.' - when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then title || ' origins traffic not encrypted in transit.' - else title || ' origins traffic encrypted in transit.' 
- end as reason - - - from - aws_cloudfront_distribution as b - left join origin_protocol_policy_value as o on b.arn = o.arn - left join viewer_protocol_policy_value as v on b.arn = v.arn; + QueryToExecute: "with viewer_protocol_policy_value as (\n select\n distinct arn\n from\n aws_cloudfront_distribution,\n jsonb_array_elements(\n case jsonb_typeof(cache_behaviors -> 'Items')\n when 'array' then (cache_behaviors -> 'Items')\n else null end\n ) as cb\n where\n cb ->> 'ViewerProtocolPolicy' = 'allow-all'\n),\norigin_protocol_policy_value as (\n select\n distinct arn,\n o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy\n from\n aws_cloudfront_distribution,\n jsonb_array_elements(origins) as o\n where\n o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only'\n or o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer'\n and o -> 'S3OriginConfig' is null\n)\nselect\n b.arn as resource,\n case\n when o.arn is not null and o.origin_protocol_policy = 'http-only' then 'alarm'\n when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then 'alarm'\n else 'ok'\n end as status,\n case\n when o.arn is not null and o.origin_protocol_policy = 'http-only' then title || ' origins traffic not encrypted in transit.'\n when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then title || ' origins traffic not encrypted in transit.'\n else title || ' origins traffic encrypted in transit.'\n end as reason\n \n \nfrom\n aws_cloudfront_distribution as b\n left join origin_protocol_policy_value as o on b.arn = o.arn\n left join viewer_protocol_policy_value as v on b.arn = v.arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
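Review bot: In the `origin_protocol_policy_value` CTE of the new `QueryToExecute` string, `... = 'http-only' or ... = 'match-viewer' and o -> 'S3OriginConfig' is null` binds `and` before `or`, so the `S3OriginConfig is null` guard applies only to the match-viewer branch. If the intent is to exclude S3 origins from both branches, parenthesize it: `(o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' in ('http-only', 'match-viewer')) and o -> 'S3OriginConfig' is null`. An origin normally carries either `CustomOriginConfig` or `S3OriginConfig`, so the miss is probably benign today, but the predicate should say what it means. The Description in the context lines still reads "conection" and "oriign".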
diff --git a/compliance/controls/pending/aws/aws_codedeploy_deployment_group_lambda_allatonce_traffic_shift_disabled.yaml b/compliance/controls/pending/aws/aws_codedeploy_deployment_group_lambda_allatonce_traffic_shift_disabled.yaml index 0ef0e1d96..58f0a32f0 100755 --- a/compliance/controls/pending/aws/aws_codedeploy_deployment_group_lambda_allatonce_traffic_shift_disabled.yaml +++ b/compliance/controls/pending/aws/aws_codedeploy_deployment_group_lambda_allatonce_traffic_shift_disabled.yaml 
@@ -1,69 +1,13 @@ ID: aws_codedeploy_deployment_group_lambda_allatonce_traffic_shift_disabled Title: "Codedeploy deployment groups lambda allatonce traffic shift should be disabled" Description: "This control checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration. The rule is non-compliant if the deployment group is using the deployment configuration 'CodeDeployDefault.LambdaAllAtOnce'." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with codedeployment_groups as ( - select - arn, - application_name, - deployment_config_name, - tags, - title, - region, - account_id, - _ctx - from - aws_codedeploy_deployment_group - group by - arn, - application_name, - deployment_config_name, - tags, - title, - region, - account_id, - _ctx - ), - codedeploy_apps as ( - select - application_name, - compute_platform, - region, - account_id, - title - from - aws_codedeploy_app - group by - application_name, - compute_platform, - region, - account_id, - title - ) - select - g.arn as resource, - case - when a.compute_platform <> 'Lambda' then 'skip' - when deployment_config_name = 'CodeDeployDefault.LambdaAllAtOnce' then 'alarm' - else 'ok' - end as status, - case - when a.compute_platform <> 'Lambda' then g.title || ' using ' || a.compute_platform || ' compute platform.' - else g.title || ' using '|| deployment_config_name || ' deployment config.' 
- end as reason - - - from - codedeployment_groups as g, - codedeploy_apps as a - where - g.application_name = a.application_name; + QueryToExecute: "with codedeployment_groups as (\n select\n arn,\n application_name,\n deployment_config_name,\n tags,\n title,\n region,\n account_id,\n _ctx\n from\n aws_codedeploy_deployment_group\n group by\n arn,\n application_name,\n deployment_config_name,\n tags,\n title,\n region,\n account_id,\n _ctx\n),\ncodedeploy_apps as (\n select\n application_name,\n compute_platform,\n region,\n account_id,\n title\n from\n aws_codedeploy_app\n group by\n application_name,\n compute_platform,\n region,\n account_id,\n title\n)\nselect\n g.arn as resource,\n case\n when a.compute_platform <> 'Lambda' then 'skip'\n when deployment_config_name = 'CodeDeployDefault.LambdaAllAtOnce' then 'alarm'\n else 'ok'\n end as status,\n case\n when a.compute_platform <> 'Lambda' then g.title || ' using ' || a.compute_platform || ' compute platform.'\n else g.title || ' using '|| deployment_config_name || ' deployment config.'\n end as reason\n \n \nfrom\n codedeployment_groups as g,\n codedeploy_apps as a\nwhere\n g.application_name = a.application_name;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_dms_replication_task_target_database_logging_enabled.yaml b/compliance/controls/pending/aws/aws_dms_replication_task_target_database_logging_enabled.yaml index af9a12f14..bd34b1581 100755 --- a/compliance/controls/pending/aws/aws_dms_replication_task_target_database_logging_enabled.yaml +++ b/compliance/controls/pending/aws/aws_dms_replication_task_target_database_logging_enabled.yaml 
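Review bot: The final join in the new `QueryToExecute` string pairs deployment groups with applications on `g.application_name = a.application_name` alone, although both CTEs already select `region` and `account_id`; application names are only unique within one account and region, so in a multi-account inventory a Lambda group can be matched against a same-named EC2/ECS application elsewhere and be wrongly skipped (or alarmed). Extend the predicate to `g.application_name = a.application_name and g.region = a.region and g.account_id = a.account_id`. The two `group by` clauses over every selected column, including the `tags` and `_ctx` jsonb columns, read like leftover de-duplication; `select distinct` would say the same thing more plainly if the duplicates they guard against are real.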
@@ -1,53 +1,13 @@ ID: aws_dms_replication_task_target_database_logging_enabled Title: "DMS replication tasks for the target database should have logging enabled" Description: "This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks TARGET_APPLY and TARGET_LOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with replication_task_target_apply as ( - select - arn - from - aws_dms_replication_task, - jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o - where - o ->> 'Id' = 'TARGET_APPLY' - and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG') - ), replication_task_target_load as ( - select - arn - from - aws_dms_replication_task, - jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o - where - o ->> 'Id' = 'TARGET_LOAD' - and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG') - ) - select - t.arn as resource, - (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool, - case - when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool - and a.arn is not null - and l.arn is not null then 'ok' - else 'alarm' - end as status, - case - when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool - and a.arn is not null - and l.arn is not null then title || ' target database logging enabled.' - else title || 'target database logging disabled.' 
- end as reason - - - from - aws_dms_replication_task as t - left join replication_task_target_apply as a on a.arn = t.arn - left join replication_task_target_load as l on l.arn = t.arn; + QueryToExecute: "with replication_task_target_apply as (\n select\n arn\n from\n aws_dms_replication_task,\n jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o\n where\n o ->> 'Id' = 'TARGET_APPLY'\n and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')\n), replication_task_target_load as (\n select\n arn\n from\n aws_dms_replication_task,\n jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o\n where\n o ->> 'Id' = 'TARGET_LOAD'\n and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')\n)\nselect\n t.arn as resource,\n (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool,\n case\n when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool\n and a.arn is not null\n and l.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool\n and a.arn is not null\n and l.arn is not null then title || ' target database logging enabled.'\n else title || 'target database logging disabled.'\n end as reason\n \n \nfrom\n aws_dms_replication_task as t\n left join replication_task_target_apply as a on a.arn = t.arn\n left join replication_task_target_load as l on l.arn = t.arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_docdb_cluster_snapshot_restrict_public_access.yaml b/compliance/controls/pending/aws/aws_docdb_cluster_snapshot_restrict_public_access.yaml index 620f7a0c9..632688d6e 100755 --- a/compliance/controls/pending/aws/aws_docdb_cluster_snapshot_restrict_public_access.yaml 
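Review bot: The `else` branch of the reason column in the new `QueryToExecute` string concatenates `title || 'target database logging disabled.'` without a leading space, so the message renders as "mytasktarget database logging disabled."; change it to `title || ' target database logging disabled.'`. The select list also carries an unaliased `(replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool` column between `resource` and `status`; every other control in this chunk returns exactly `resource, status, reason`, so this looks like a leftover debug column and should be removed unless the engine tolerates extra columns. When `EnableLogging` is absent the cast yields null and the case falls through to `'alarm'`, which is the safe direction for a logging control and worth keeping.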
+++ b/compliance/controls/pending/aws/aws_docdb_cluster_snapshot_restrict_public_access.yaml
@@ -1,28 +1,13 @@
 ID: aws_docdb_cluster_snapshot_restrict_public_access
 Title: "Amazon DocumentDB manual cluster snapshots should not be public"
 Description: "This control checks whether an Amazon DocumentDB manual cluster snapshot is public. The control fails if the manual cluster snapshot is public."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- case
- when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '["all"]' then 'alarm'
- else 'ok'
- end status,
- case
- when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '["all"]' then title || ' does not restrict public access.'
- else title || ' restrict public access.'
- end reason
-
-
- from
- aws_docdb_cluster_snapshot,
- jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot;
+ QueryToExecute: "select\n arn as resource,\n case\n when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then title || ' does not restrict public access.'\n else title || ' restrict public access.'\n end reason\n \n \nfrom\n aws_docdb_cluster_snapshot,\n jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_ec2_instance_no_high_level_finding_in_inspector_scan.yaml b/compliance/controls/pending/aws/aws_ec2_instance_no_high_level_finding_in_inspector_scan.yaml
index 1cad6aaff..50ffc60ce 100755
--- a/compliance/controls/pending/aws/aws_ec2_instance_no_high_level_finding_in_inspector_scan.yaml
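Review bot: The public-snapshot predicate in the new `QueryToExecute` string fires only on an exact `'[\"all\"]'` match of `AttributeValues`; if the `restore` attribute can list `all` alongside specific account IDs, such a snapshot is public yet reports `ok`. A containment test is stricter: `cluster_snapshot ->> 'AttributeName' = 'restore' and cluster_snapshot -> 'AttributeValues' ? 'all'`. Because `jsonb_array_elements(db_cluster_snapshot_attributes)` fans out one row per attribute, a snapshot with several attributes is reported several times under the same `arn`, possibly with different statuses; aggregating to one row per snapshot (e.g. `bool_or` over the predicate, grouped by `arn`) would avoid ambiguous results. The `ok` reason should read `' restricts public access.'`.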
+++ b/compliance/controls/pending/aws/aws_ec2_instance_no_high_level_finding_in_inspector_scan.yaml 
@@ -1,48 +1,13 @@ ID: aws_ec2_instance_no_high_level_finding_in_inspector_scan Title: "EC2 instances high level findings should not be there in inspector scans" Description: "AWS Inspector scans operating system packages installed on your AWS EC2 instances for vulnerabilities and network reachability issues. Each finding has the name of the detected vulnerability and provides a severity rating, information about the affected resource, and details such as how to remediate the reported vulnerability." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with severity_list as ( - select - distinct title , - a ->> 'Value' as instance_id - from - aws_inspector_finding, - jsonb_array_elements(attributes) as a - where - severity = 'High' - and asset_type = 'ec2-instance' - and a ->> 'Key' = 'INSTANCE_ID' - group by - a ->> 'Value', - title - ), ec2_istance_list as ( - select - distinct instance_id - from - severity_list - ) - select - arn as resource, - case - when l.instance_id is null then 'ok' - else 'alarm' - end as status, - case - when l.instance_id is null then i.title || ' has no high level finding in inspector scans.' - else i.title || ' has ' || (select count(*) from severity_list where instance_id = i.instance_id) || ' high level findings in inspector scans.' 
- end as reason - - - from - aws_ec2_instance as i - left join ec2_istance_list as l on i.instance_id = l.instance_id; + QueryToExecute: "with severity_list as (\n select\n distinct title ,\n a ->> 'Value' as instance_id\n from\n aws_inspector_finding,\n jsonb_array_elements(attributes) as a\n where\n severity = 'High'\n and asset_type = 'ec2-instance'\n and a ->> 'Key' = 'INSTANCE_ID'\n group by\n a ->> 'Value',\n title\n), ec2_istance_list as (\n select\n distinct instance_id\n from\n severity_list\n)\nselect\n arn as resource,\n case\n when l.instance_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when l.instance_id is null then i.title || ' has no high level finding in inspector scans.'\n else i.title || ' has ' || (select count(*) from severity_list where instance_id = i.instance_id) || ' high level findings in inspector scans.'\n end as reason\n \n \nfrom\n aws_ec2_instance as i\n left join ec2_istance_list as l on i.instance_id = l.instance_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_database_management_write_access.yaml b/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_database_management_write_access.yaml index 5e5817bfa..6b03b6ebe 100755 --- a/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_database_management_write_access.yaml +++ b/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_database_management_write_access.yaml 
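Review bot: The `severity_list` CTE in the new `QueryToExecute` string selects findings with `severity = 'High'` only; if the finding source can carry a rating above High (Inspector v2 uses `Critical`), instances with only such findings report `ok`. Confirm the table's actual severity vocabulary before widening the filter to `severity in ('High', 'Critical')`, since that changes the control's semantics. The CTE name `ec2_istance_list` is misspelled; `ec2_instance_list` in its two occurrences keeps the query readable. The Description is a generic Inspector blurb and never states what the control evaluates (no High-severity finding against the instance); consider rewording it to that effect.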
@@ -1,56 +1,13 @@ ID: aws_ec2_instance_no_iam_role_with_database_management_write_access Title: "EC2 instance IAM role should not allow database management write access" Description: "This control ensures that EC2 instance IAM role does not allow database management write access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with iam_roles as ( - select - r.arn as role_arn, - i.arn as intance_arn - from - aws_iam_role as r, - jsonb_array_elements_text(instance_profile_arns) as p - left join aws_ec2_instance as i on p = i.iam_instance_profile_arn - where - i.arn is not null - ), iam_role_with_permission as ( - select - arn - from - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, - jsonb_array_elements_text(s -> 'Action') as action - where - arn in (select role_arn from iam_roles) - and s ->> 'Effect' = 'Allow' - and service = 'ec2.amazonaws.com' - and ( - (action in ('rds:modifydbcluster','rds:modifydbclusterendpoint','rds:modifydbinstance','rds:modifydbsnapshot','rds:modifyglobalcluster','dynamodb:updateitem','dynamodb:updatetable','memorydb:updatecluster','neptune-db:resetdatabase','neptune-db:writedataviaquery','docdb-elastic:updatecluster','elasticache:modifycachecluster','cassandra:alter','cassandra:modify','qldb:executestatement','qldb:partiqlupdate','qldb:sendcommand','qldb:updateledger','redshift:modifycluster','redshift:modifyclustersnapshot','redshift:modifyendpointaccess','timestream:updatedatabase','timestream:updatetable','timestream:writerecords','*:*') - ) - ) - ) - select - i.arn as resource, - case - when p.arn is null then 'ok' - else 'alarm' - end status, - case - when p.arn is null then title || ' has no database management write level access.' - else title || ' has database management write level access.' 
- end as reason - - - from - aws_ec2_instance as i - left join iam_roles as r on r.intance_arn = i.arn - left join iam_role_with_permission as p on p.arn = r.role_arn; + QueryToExecute: "with iam_roles as (\n select\n r.arn as role_arn,\n i.arn as intance_arn\n from\n aws_iam_role as r,\n jsonb_array_elements_text(instance_profile_arns) as p\n left join aws_ec2_instance as i on p = i.iam_instance_profile_arn\n where\n i.arn is not null\n), iam_role_with_permission as (\n select\n arn\n from\n aws_iam_role,\n jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n arn in (select role_arn from iam_roles)\n and s ->> 'Effect' = 'Allow'\n and service = 'ec2.amazonaws.com'\n and (\n (action in ('rds:modifydbcluster','rds:modifydbclusterendpoint','rds:modifydbinstance','rds:modifydbsnapshot','rds:modifyglobalcluster','dynamodb:updateitem','dynamodb:updatetable','memorydb:updatecluster','neptune-db:resetdatabase','neptune-db:writedataviaquery','docdb-elastic:updatecluster','elasticache:modifycachecluster','cassandra:alter','cassandra:modify','qldb:executestatement','qldb:partiqlupdate','qldb:sendcommand','qldb:updateledger','redshift:modifycluster','redshift:modifyclustersnapshot','redshift:modifyendpointaccess','timestream:updatedatabase','timestream:updatetable','timestream:writerecords','*:*')\n )\n )\n)\nselect\n i.arn as resource,\n case\n when p.arn is null then 'ok'\n else 'alarm'\n end status,\n case\n when p.arn is null then title || ' has no database management write level access.'\n else title || ' has database management write level access.'\n end as reason\n \n \nfrom\n aws_ec2_instance as i\n left join iam_roles as r on r.intance_arn = i.arn\n left join iam_role_with_permission as p on p.arn = r.role_arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
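Review bot: The `iam_role_with_permission` CTE in the new `QueryToExecute` string expands `assume_role_policy_std -> 'Statement'` and looks for actions such as `rds:modifydbcluster` in it, but a role's trust policy only grants `sts:AssumeRole` to the `ec2.amazonaws.com` principal; the permission actions this control is about live in the role's attached and inline policies. As written the action predicate cannot match, so every instance reports `ok` and the control is a silent false negative. The same construction is repeated in the next three hunks (the defense-evasion, new-user-creation and resource-based-policy controls), so one fix should cover all four. The trust policy should only be used to select roles EC2 can assume, and the action list evaluated against the role's permission policy documents (the attached-policy and inline-policy columns of the role table, if this table mirrors Steampipe's `aws_iam_role` — confirm the schema); that rewrite touches the whole CTE and is described here rather than quoted.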
diff --git a/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access.yaml b/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access.yaml index f535ce2f5..f70493310 100755 --- a/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access.yaml +++ b/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access.yaml 
@@ -1,53 +1,13 @@ ID: aws_ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access Title: "EC2 instance IAM role should not allow defense evasion impact of AWS security services access" Description: "This control ensures that EC2 instance IAM role does not allow defense evasion impact of AWS security services access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with iam_roles as ( - select - r.arn as role_arn, - i.arn as intance_arn - from - aws_iam_role as r, - jsonb_array_elements_text(instance_profile_arns) as p - left join aws_ec2_instance as i on p = i.iam_instance_profile_arn - where - i.arn is not null - ), iam_role_with_permission as ( - select - arn - from - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, - jsonb_array_elements_text(s -> 'Action') as action - where - arn in (select role_arn from iam_roles) - and s ->> 'Effect' = 'Allow' - and service = 'ec2.amazonaws.com' - and action in ( 'guardduty:updatedetector','guardduty:deletedetector','guardduty:deletemembers','guardduty:updatefilter','guardduty:deletefilter','shield:disableapplicationlayerautomaticresponse','shield:updateprotectiongroup','shield:deletesubscription','detective:disassociatemembership','detective:deletemembers','inspector:disable','config:stopconfigurationrecorder','config:deleteconfigurationrecorder','config:deleteconfigrule','config:deleteorganizationconfigrule','cloudwatch:disablealarmactions','cloudwatch:disableinsightrules','*:*') - ) - select - i.arn as resource, - case - when p.arn is null then 'ok' - else 'alarm' - end status, - case - when p.arn is null then title || ' has no IAM role with defense evasion impact of AWS security services access.' - else title || ' has IAM role with defense evasion impact of AWS security services access.' 
- end as reason - - - from - aws_ec2_instance as i - left join iam_roles as r on r.intance_arn = i.arn - left join iam_role_with_permission as p on p.arn = r.role_arn; + QueryToExecute: "with iam_roles as (\n select\n r.arn as role_arn,\n i.arn as intance_arn\n from\n aws_iam_role as r,\n jsonb_array_elements_text(instance_profile_arns) as p\n left join aws_ec2_instance as i on p = i.iam_instance_profile_arn\n where\n i.arn is not null\n), iam_role_with_permission as (\n select\n arn\n from\n aws_iam_role,\n jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n arn in (select role_arn from iam_roles)\n and s ->> 'Effect' = 'Allow'\n and service = 'ec2.amazonaws.com'\n and action in ( 'guardduty:updatedetector','guardduty:deletedetector','guardduty:deletemembers','guardduty:updatefilter','guardduty:deletefilter','shield:disableapplicationlayerautomaticresponse','shield:updateprotectiongroup','shield:deletesubscription','detective:disassociatemembership','detective:deletemembers','inspector:disable','config:stopconfigurationrecorder','config:deleteconfigurationrecorder','config:deleteconfigrule','config:deleteorganizationconfigrule','cloudwatch:disablealarmactions','cloudwatch:disableinsightrules','*:*')\n)\nselect\n i.arn as resource,\n case\n when p.arn is null then 'ok'\n else 'alarm'\n end status,\n case\n when p.arn is null then title || ' has no IAM role with defense evasion impact of AWS security services access.'\n else title || ' has IAM role with defense evasion impact of AWS security services access.'\n end as reason\n \n \nfrom\n aws_ec2_instance as i\n left join iam_roles as r on r.intance_arn = i.arn\n left join iam_role_with_permission as p on p.arn = r.role_arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
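Review bot: The action list in the new `QueryToExecute` string covers GuardDuty, Shield, Detective, Inspector, Config and CloudWatch but no CloudTrail or Security Hub actions, so a role that may stop or delete a trail (`cloudtrail:stoplogging`, `cloudtrail:deletetrail`) or disable Security Hub (`securityhub:disablesecurityhub`) is reported `ok` under a control titled "defense evasion impact of AWS security services". If that narrower scope is deliberate, the Description should name the services covered; otherwise add those actions to the `in (...)` list. This hunk also inherits the trust-policy-versus-permission-policy issue noted on the database-management-write hunk above.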
diff --git a/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access.yaml b/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access.yaml index 04dfc35cd..351c146ac 100755 --- a/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access.yaml +++ b/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access.yaml 
@@ -1,54 +1,13 @@ ID: aws_ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access Title: "EC2 instance IAM role should not allow new user creation with attached policy access" Description: "This control ensures that EC2 instance IAM role does not allow new user creation with attached policy access." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with iam_roles as ( - select - r.arn as role_arn, - i.arn as intance_arn - from - aws_iam_role as r, - jsonb_array_elements_text(instance_profile_arns) as p - left join aws_ec2_instance as i on p = i.iam_instance_profile_arn - where - i.arn is not null - ), iam_role_with_permission as ( - select - arn - from - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, - jsonb_array_elements_text(s -> 'Action') as action - where - arn in (select role_arn from iam_roles) - and s ->> 'Effect' = 'Allow' - and service = 'ec2.amazonaws.com' - and action = 'iam:createuser' - and action = 'iam:attachuserpolicy' - ) - select - i.arn as resource, - case - when p.arn is null then 'ok' - else 'alarm' - end status, - case - when p.arn is null then title || ' has no new user creation access with attached policy.' - else title || ' has new user creation access with attached policy.' 
- end as reason - - - from - aws_ec2_instance as i - left join iam_roles as r on r.intance_arn = i.arn - left join iam_role_with_permission as p on p.arn = r.role_arn; + QueryToExecute: "with iam_roles as (\n select\n r.arn as role_arn,\n i.arn as intance_arn\n from\n aws_iam_role as r,\n jsonb_array_elements_text(instance_profile_arns) as p\n left join aws_ec2_instance as i on p = i.iam_instance_profile_arn\n where\n i.arn is not null\n), iam_role_with_permission as (\n select\n arn\n from\n aws_iam_role,\n jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n arn in (select role_arn from iam_roles)\n and s ->> 'Effect' = 'Allow'\n and service = 'ec2.amazonaws.com'\n and action = 'iam:createuser'\n and action = 'iam:attachuserpolicy'\n)\nselect\n i.arn as resource,\n case\n when p.arn is null then 'ok'\n else 'alarm'\n end status,\n case\n when p.arn is null then title || ' has no new user creation access with attached policy.'\n else title || ' has new user creation access with attached policy.'\n end as reason\n \n \nfrom\n aws_ec2_instance as i\n left join iam_roles as r on r.intance_arn = i.arn\n left join iam_role_with_permission as p on p.arn = r.role_arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_write_access_to_resource_based_policies.yaml b/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_write_access_to_resource_based_policies.yaml index ca4032c6b..3377f60a6 100755 --- a/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_write_access_to_resource_based_policies.yaml +++ b/compliance/controls/pending/aws/aws_ec2_instance_no_iam_role_with_write_access_to_resource_based_policies.yaml 
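Review bot: In the new `QueryToExecute` string the predicate `action = 'iam:createuser' and action = 'iam:attachuserpolicy'` compares one expanded action value with two different literals, so it is always false, the CTE is always empty, and the control reports `ok` for every instance regardless of policy. If the intent is "the role holds both actions", collect the expanded actions per role and require both, e.g. `group by arn having bool_or(action in ('iam:createuser', '*:*')) and bool_or(action in ('iam:attachuserpolicy', '*:*'))`; if either action alone should alarm, `action in ('iam:createuser', 'iam:attachuserpolicy', '*:*')` is enough. This is on top of the trust-policy-versus-permission-policy issue noted on the database-management-write hunk above, which applies here as well.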
@@ -1,55 +1,13 @@ ID: aws_ec2_instance_no_iam_role_with_write_access_to_resource_based_policies Title: "EC2 instance IAM role should not allow write access to resource based policies" Description: "This control ensures that EC2 instance IAM role does not allow write access to resource based policies." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with iam_roles as ( - select - r.arn as role_arn, - i.arn as intance_arn - from - aws_iam_role as r, - jsonb_array_elements_text(instance_profile_arns) as p - left join aws_ec2_instance as i on p = i.iam_instance_profile_arn - where - i.arn is not null - ), iam_role_with_permission as ( - select - arn - from - aws_iam_role, - jsonb_array_elements(assume_role_policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service, - jsonb_array_elements_text(s -> 'Action') as action - where - arn in (select role_arn from iam_roles) - and s ->> 'Effect' = 'Allow' - and service = 'ec2.amazonaws.com' - and action in ( - 'ecr:setrepositorypolicy','serverlessrepo:putapplicationpolicy','backup:putbackupvaultaccesspolicy','efs:putfilesystempolicy','glacier:setvaultaccesspolicy','secretsmanager:putresourcepolicy','events:putpermission','mediastore:putcontainerpolicy','glue:putresourcepolicy','ses:putidentitypolicy','lambda:addpermission','lambda:addlayerversionpermission','s3:putbucketpolicy','s3:putbucketacl','s3:putObject','s3:putobjectacl','kms:creategrant','kms:putkeypolicy','es:Updateelasticsearchdomainconfig','sns:addpermission','sqs:addpermission','*:*' - ) - ) - select - i.arn as resource, - case - when p.arn is null then 'ok' - else 'alarm' - end status, - case - when p.arn is null then title || ' has no write access permission to resource based policies.' - else title || ' has write access permission to resource based policies.' 
- end as reason - - - from - aws_ec2_instance as i - left join iam_roles as r on r.intance_arn = i.arn - left join iam_role_with_permission as p on p.arn = r.role_arn; + QueryToExecute: "with iam_roles as (\n select\n r.arn as role_arn,\n i.arn as intance_arn\n from\n aws_iam_role as r,\n jsonb_array_elements_text(instance_profile_arns) as p\n left join aws_ec2_instance as i on p = i.iam_instance_profile_arn\n where\n i.arn is not null\n), iam_role_with_permission as (\n select\n arn\n from\n aws_iam_role,\n jsonb_array_elements(assume_role_policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Principal' -> 'Service') as service,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n arn in (select role_arn from iam_roles)\n and s ->> 'Effect' = 'Allow'\n and service = 'ec2.amazonaws.com'\n and action in (\n'ecr:setrepositorypolicy','serverlessrepo:putapplicationpolicy','backup:putbackupvaultaccesspolicy','efs:putfilesystempolicy','glacier:setvaultaccesspolicy','secretsmanager:putresourcepolicy','events:putpermission','mediastore:putcontainerpolicy','glue:putresourcepolicy','ses:putidentitypolicy','lambda:addpermission','lambda:addlayerversionpermission','s3:putbucketpolicy','s3:putbucketacl','s3:putObject','s3:putobjectacl','kms:creategrant','kms:putkeypolicy','es:Updateelasticsearchdomainconfig','sns:addpermission','sqs:addpermission','*:*'\n )\n)\nselect\n i.arn as resource,\n case\n when p.arn is null then 'ok'\n else 'alarm'\n end status,\n case\n when p.arn is null then title || ' has no write access permission to resource based policies.'\n else title || ' has write access permission to resource based policies.'\n end as reason\n \n \nfrom\n aws_ec2_instance as i\n left join iam_roles as r on r.intance_arn = i.arn\n left join iam_role_with_permission as p on p.arn = r.role_arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
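Review bot: The action list in the new `QueryToExecute` string mixes cases: `'s3:putObject'` and `'es:Updateelasticsearchdomainconfig'` sit among otherwise all-lowercase entries. If the `_std` policy columns normalize actions to lowercase, as every other entry assumes, these two literals never match; write them as `'s3:putobject'` and `'es:updateelasticsearchdomainconfig'`. Note also that `s3:putobject` is an object write rather than a resource-policy write, so it would alarm on any instance role allowed to upload to S3; consider dropping it from a control about resource-based policies. The trust-policy-versus-permission-policy issue noted on the database-management-write hunk applies to this CTE too.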
diff --git a/compliance/controls/pending/aws/aws_ecs_cluster_instance_in_vpc.yaml b/compliance/controls/pending/aws/aws_ecs_cluster_instance_in_vpc.yaml
index b3bb1e073..7bdff2561 100755
--- a/compliance/controls/pending/aws/aws_ecs_cluster_instance_in_vpc.yaml
+++ b/compliance/controls/pending/aws/aws_ecs_cluster_instance_in_vpc.yaml
@@ -1,28 +1,13 @@
 ID: aws_ecs_cluster_instance_in_vpc
 Title: "ECS cluster instances should be in a VPC"
 Description: "Deploy AWS ECS cluster instance within an AWS Virtual Private Cloud (AWS VPC) for a secure communication between a instance and other services within the AWS VPC."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- c.arn as resource,
- case
- when i.vpc_id is null then 'alarm'
- else 'ok'
- end as status,
- case
- when i.vpc_id is null then c.title || ' not in VPC.'
- else c.title || ' in VPC.'
- end as reason
-
-
- from
- aws_ecs_container_instance as c
- left join aws_ec2_instance as i on c.ec2_instance_id = i.instance_id;
+ QueryToExecute: "select\n c.arn as resource,\n case\n when i.vpc_id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when i.vpc_id is null then c.title || ' not in VPC.'\n else c.title || ' in VPC.'\n end as reason\n \n \nfrom\n aws_ecs_container_instance as c\n left join aws_ec2_instance as i on c.ec2_instance_id = i.instance_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_elb_application_lb_listener_certificate_expire_30_days.yaml b/compliance/controls/pending/aws/aws_elb_application_lb_listener_certificate_expire_30_days.yaml
index 1662943a1..730e86979 100755
--- a/compliance/controls/pending/aws/aws_elb_application_lb_listener_certificate_expire_30_days.yaml
+++ b/compliance/controls/pending/aws/aws_elb_application_lb_listener_certificate_expire_30_days.yaml
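Review bot: In the new `QueryToExecute` string, `i.vpc_id is null` is true both when the backing EC2 instance has no VPC and when the `left join` on `c.ec2_instance_id = i.instance_id` simply found no row (instance missing from inventory), yet both cases get the reason `' not in VPC.'`. Distinguish them so the alarm is actionable: `when i.instance_id is null then 'alarm'` with a reason such as `c.title || ' backing instance ' || c.ec2_instance_id || ' not found.'`, keeping the existing branch for a found instance without `vpc_id`. Failing closed on a missing join row is the right default for this control, so only the explanation needs to change.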
@@ -1,25 +1,13 @@ ID: aws_elb_application_lb_listener_certificate_expire_30_days Title: "ELB application load balancers secured listener certificate should not expire within next 30 days" Description: "This control ensures that SSL/TLS certificates used in application load balancers are renewed 30 days before their expiration date." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - load_balancer_arn as resource, - case - when date(not_after) - date(current_date) >= 30 then 'ok' - else 'alarm' - end as status, - l.title || ' certificate set to expire in ' || extract(day from not_after - current_date) || ' days.' as reason - - from - aws_ec2_load_balancer_listener as l, - jsonb_array_elements(certificates) as c - left join aws_acm_certificate as a on c ->> 'CertificateArn' = a.certificate_arn; + QueryToExecute: "select\n load_balancer_arn as resource,\n case\n when date(not_after) - date(current_date) >= 30 then 'ok'\n else 'alarm'\n end as status,\n l.title || ' certificate set to expire in ' || extract(day from not_after - current_date) || ' days.' as reason\n \nfrom\n aws_ec2_load_balancer_listener as l,\n jsonb_array_elements(certificates) as c\n left join aws_acm_certificate as a on c ->> 'CertificateArn' = a.certificate_arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_elb_application_lb_listener_certificate_expire_7_days.yaml b/compliance/controls/pending/aws/aws_elb_application_lb_listener_certificate_expire_7_days.yaml index 7712df8ee..ea468f6b7 100755 --- a/compliance/controls/pending/aws/aws_elb_application_lb_listener_certificate_expire_7_days.yaml +++ b/compliance/controls/pending/aws/aws_elb_application_lb_listener_certificate_expire_7_days.yaml 
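Review bot: In the `+ QueryToExecute:` line, `not_after` is null whenever the listener certificate has no matching `aws_acm_certificate` row (the join is a left join, and a certificate uploaded to IAM rather than ACM has no ACM entry), so the status falls through to `'alarm'` while the reason becomes null because `l.title || ' certificate set to expire in ' || extract(...)` concatenates with null. Consider a leading branch such as `when a.certificate_arn is null then 'skip'` with a reason like `l.title || ' certificate not found in ACM.'`, so an unresolved certificate is distinguishable from an expiring one. The same pattern is in the aws_elb_application_lb_listener_certificate_expire_7_days hunk. `date(current_date)` is redundant since `current_date` is already a date; `date(not_after) - current_date >= 30` reads more directly.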
@@ -1,25 +1,13 @@ ID: aws_elb_application_lb_listener_certificate_expire_7_days Title: "ELB application load balancers secured listener certificate should not expire within next 7 days" Description: "This control ensures that SSL/TLS certificates used in application load balancers are renewed 7 days before their expiration date." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - load_balancer_arn as resource, - case - when date(not_after) - date(current_date) >= 7 then 'ok' - else 'alarm' - end as status, - l.title || ' certificate set to expire in ' || extract(day from not_after - current_date) || ' days.' as reason - - from - aws_ec2_load_balancer_listener as l, - jsonb_array_elements(certificates) as c - left join aws_acm_certificate as a on c ->> 'CertificateArn' = a.certificate_arn; + QueryToExecute: "select\n load_balancer_arn as resource,\n case\n when date(not_after) - date(current_date) >= 7 then 'ok'\n else 'alarm'\n end as status,\n l.title || ' certificate set to expire in ' || extract(day from not_after - current_date) || ' days.' as reason\n \nfrom\n aws_ec2_load_balancer_listener as l,\n jsonb_array_elements(certificates) as c\n left join aws_acm_certificate as a on c ->> 'CertificateArn' = a.certificate_arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_emr_cluster_encryption_at_rest_enabled.yaml b/compliance/controls/pending/aws/aws_emr_cluster_encryption_at_rest_enabled.yaml index fe14f4885..f0b997ce9 100755 --- a/compliance/controls/pending/aws/aws_emr_cluster_encryption_at_rest_enabled.yaml +++ b/compliance/controls/pending/aws/aws_emr_cluster_encryption_at_rest_enabled.yaml 
@@ -1,30 +1,13 @@ ID: aws_emr_cluster_encryption_at_rest_enabled Title: "EMR clusters encryption at rest should be enabled" Description: "This control checks whether EMR clusters have encryption at rest enabled. The check fails if encryption at rest is not enabled as sensitive data should be protected." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - cluster_arn as resource, - case - when s.name is null then 'alarm' - when s.name is not null and (encryption_configuration -> 'EnableAtRestEncryption')::bool then 'ok' - else 'alarm' - end as status, - case - when s.name is null then c.title || ' security configuration disabled.' - when s.name is not null and (encryption_configuration -> 'EnableAtRestEncryption')::bool then c.title || ' encryption at rest enabled.' - else c.title || ' encryption at rest disabled.' - end as reason - - - from - aws_emr_cluster as c - left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id; + QueryToExecute: "select\n cluster_arn as resource,\n case\n when s.name is null then 'alarm'\n when s.name is not null and (encryption_configuration -> 'EnableAtRestEncryption')::bool then 'ok'\n else 'alarm'\n end as status,\n case\n when s.name is null then c.title || ' security configuration disabled.'\n when s.name is not null and (encryption_configuration -> 'EnableAtRestEncryption')::bool then c.title || ' encryption at rest enabled.'\n else c.title || ' encryption at rest disabled.'\n end as reason\n \n \nfrom\n aws_emr_cluster as c\n left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
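Review bot: The join predicate `s.region = s.region` in the `+ QueryToExecute:` line is a tautology, so a cluster is matched against any same-named security configuration in any region of the account; EMR security configurations are regional, so a same-named configuration elsewhere can make this control report `'ok'` or `'alarm'` for the wrong object. It should read `and s.region = c.region`. The same predicate appears in the aws_emr_cluster_encryption_at_rest_with_cse_cmk, aws_emr_cluster_encryption_in_transit_enabled and aws_emr_cluster_local_disk_encryption_enabled hunks. The `s.name is not null and` in the second `when` branch is redundant, because the first branch already returns for the null case.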
diff --git a/compliance/controls/pending/aws/aws_emr_cluster_encryption_at_rest_with_cse_cmk.yaml b/compliance/controls/pending/aws/aws_emr_cluster_encryption_at_rest_with_cse_cmk.yaml index 1e458a586..acd0ca544 100755 --- a/compliance/controls/pending/aws/aws_emr_cluster_encryption_at_rest_with_cse_cmk.yaml +++ b/compliance/controls/pending/aws/aws_emr_cluster_encryption_at_rest_with_cse_cmk.yaml 
@@ -1,32 +1,13 @@ ID: aws_emr_cluster_encryption_at_rest_with_cse_cmk Title: "EMR clusters client side encryption (CSE CMK) enabled with CMK" Description: "This control checks whether EMR client side encryption (CSE CMK) is enabled with CMK. The check fails if encryption at rest is not enabled with CSE-CMK." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - cluster_arn as resource, - case - when s.name is null then 'alarm' - when not (encryption_configuration -> 'EnableAtRestEncryption')::bool then 'alarm' - when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'CSE-Custom' then 'ok' - else 'alarm' - end as status, - case - when s.name is null then c.title || ' security configuration disabled.' - when not (encryption_configuration -> 'EnableAtRestEncryption')::bool then c.title || ' encryption at rest disabled.' - when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'CSE-Custom' then c.title || ' encryption at rest enabled with CSE-CMK.' - else c.title || ' encryption at rest not enabled with CSE-CMK.' 
- end as reason - - - from - aws_emr_cluster as c - left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id; + QueryToExecute: "select\n cluster_arn as resource,\n case\n when s.name is null then 'alarm'\n when not (encryption_configuration -> 'EnableAtRestEncryption')::bool then 'alarm'\n when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'CSE-Custom' then 'ok'\n else 'alarm'\n end as status,\n case\n when s.name is null then c.title || ' security configuration disabled.'\n when not (encryption_configuration -> 'EnableAtRestEncryption')::bool then c.title || ' encryption at rest disabled.'\n when (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'S3EncryptionConfiguration' ->> 'EncryptionMode') = 'CSE-Custom' then c.title || ' encryption at rest enabled with CSE-CMK.'\n else c.title || ' encryption at rest not enabled with CSE-CMK.'\n end as reason\n \n \nfrom\n aws_emr_cluster as c\n left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_emr_cluster_encryption_in_transit_enabled.yaml b/compliance/controls/pending/aws/aws_emr_cluster_encryption_in_transit_enabled.yaml index 118b9cd7c..fc629df57 100755 --- a/compliance/controls/pending/aws/aws_emr_cluster_encryption_in_transit_enabled.yaml +++ b/compliance/controls/pending/aws/aws_emr_cluster_encryption_in_transit_enabled.yaml 
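Review bot: The `+ QueryToExecute:` line accepts only `EncryptionMode = 'CSE-Custom'`, but the title and description describe client-side encryption with a CMK; in EMR security configurations the KMS-key-backed client-side mode is `CSE-KMS`, while `CSE-Custom` denotes a customer-supplied key provider. If a KMS CMK is the intent the comparison should be `= 'CSE-KMS'`, or `in ('CSE-KMS', 'CSE-Custom')` if both customer-managed options should pass; confirm against the standard this control is derived from before changing. A one-line SQL comment naming the accepted modes would also prevent the next reader from guessing.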
@@ -1,30 +1,13 @@ ID: aws_emr_cluster_encryption_in_transit_enabled Title: "EMR clusters encryption in transit should be enabled" Description: "This control checks whether EMR clusters have encryption in transit enabled. This control fails if an EMR cluster isn't encrypted in transit." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - cluster_arn as resource, - case - when s.name is null then 'alarm' - when s.name is not null and (encryption_configuration -> 'EnableInTransitEncryption')::bool then 'ok' - else 'alarm' - end as status, - case - when s.name is null then c.title || ' security configuration disabled.' - when s.name is not null and (encryption_configuration -> 'EnableInTransitEncryption')::bool then c.title || ' encryption in transit enabled.' - else c.title || ' encryption in transit disabled.' - end as reason - - - from - aws_emr_cluster as c - left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id; + QueryToExecute: "select\n cluster_arn as resource,\n case\n when s.name is null then 'alarm'\n when s.name is not null and (encryption_configuration -> 'EnableInTransitEncryption')::bool then 'ok'\n else 'alarm'\n end as status,\n case\n when s.name is null then c.title || ' security configuration disabled.'\n when s.name is not null and (encryption_configuration -> 'EnableInTransitEncryption')::bool then c.title || ' encryption in transit enabled.'\n else c.title || ' encryption in transit disabled.'\n end as reason\n \n \nfrom\n aws_emr_cluster as c\n left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
diff --git a/compliance/controls/pending/aws/aws_emr_cluster_local_disk_encryption_enabled.yaml b/compliance/controls/pending/aws/aws_emr_cluster_local_disk_encryption_enabled.yaml index a19523782..8a1f59514 100755 --- a/compliance/controls/pending/aws/aws_emr_cluster_local_disk_encryption_enabled.yaml +++ b/compliance/controls/pending/aws/aws_emr_cluster_local_disk_encryption_enabled.yaml 
@@ -1,34 +1,13 @@ ID: aws_emr_cluster_local_disk_encryption_enabled Title: "EMR clusters local disk encryption should be enabled" Description: "This control checks whether EMR cluster have local disk encryption enabled. This control fails if an EMR cluster local disk isn't encrypted." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - cluster_arn as resource, - case - when s.name is null then 'alarm' - when s.name is not null - and (encryption_configuration -> 'EnableAtRestEncryption')::bool - and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is not null then 'ok' - else 'alarm' - end as status, - case - when s.name is null then c.title || ' security configuration disabled.' - when s.name is not null - and (encryption_configuration -> 'EnableAtRestEncryption')::bool - and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is not null then c.title || ' local disk encryption enabled.' - else c.title || ' local disk encryption disabled.' 
- end as reason - - - from - aws_emr_cluster as c - left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id; + QueryToExecute: "select\n cluster_arn as resource,\n case\n when s.name is null then 'alarm'\n when s.name is not null\n and (encryption_configuration -> 'EnableAtRestEncryption')::bool\n and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when s.name is null then c.title || ' security configuration disabled.'\n when s.name is not null\n and (encryption_configuration -> 'EnableAtRestEncryption')::bool\n and (encryption_configuration -> 'AtRestEncryptionConfiguration' -> 'LocalDiskEncryptionConfiguration') is not null then c.title || ' local disk encryption enabled.'\n else c.title || ' local disk encryption disabled.'\n end as reason\n \n \nfrom\n aws_emr_cluster as c\n left join aws_emr_security_configuration as s on c.security_configuration = s.name and s.region = s.region and s.account_id = c.account_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_cloudfront_13.yaml b/compliance/controls/pending/aws/aws_foundational_security_cloudfront_13.yaml index 16bfca02a..2b07a132d 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_cloudfront_13.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_cloudfront_13.yaml 
@@ -1,32 +1,13 @@ ID: aws_foundational_security_cloudfront_13 Title: "13 CloudFront distributions should use origin access control" Description: "This control checks whether an Amazon CloudFront distribution with an Amazon S3 origin has origin access control (OAC) configured. The control fails if OAC isn't configured for the CloudFront distribution." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - case - when o ->> 'DomainName' not like '%s3.amazonaws.com' then 'skip' - when o ->> 'DomainName' like '%s3.amazonaws.com' - and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then 'alarm' - else 'ok' - end as status, - case - when o ->> 'DomainName' not like '%s3.amazonaws.com' then title || ' origin type is not s3.' - when o ->> 'DomainName' like '%s3.amazonaws.com' - and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then title || ' origin access identity not configured.' - else title || ' origin access identity configured.' - end as reason - - - from - aws_cloudfront_distribution, - jsonb_array_elements(origins) as o; + QueryToExecute: "select\n arn as resource,\n case\n when o ->> 'DomainName' not like '%s3.amazonaws.com' then 'skip'\n when o ->> 'DomainName' like '%s3.amazonaws.com'\n and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then 'alarm'\n else 'ok'\n end as status,\n case\n when o ->> 'DomainName' not like '%s3.amazonaws.com' then title || ' origin type is not s3.'\n when o ->> 'DomainName' like '%s3.amazonaws.com'\n and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then title || ' origin access identity not configured.'\n else title || ' origin access identity configured.'\n end as reason\n \n \nfrom\n aws_cloudfront_distribution,\n jsonb_array_elements(origins) as o;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud 
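Review bot: The `+ QueryToExecute:` line tests `o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = ''`, which is the legacy origin access identity (OAI), whereas the title and description require origin access control (OAC); a distribution migrated to OAC has an empty OAI and would be reported `'alarm'`, while one still on OAI passes. OAC is referenced per origin via `OriginAccessControlId`, so the check presumably belongs on that key being null or empty; the `origins` element shape is not visible here, so confirm the key is present before changing. The `not like '%s3.amazonaws.com'` guard also classifies regional S3 endpoints of the form `bucket.s3.<region>.amazonaws.com` as non-S3 origins and skips them, which hides exactly the buckets this control is meant to cover.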
diff --git a/compliance/controls/pending/aws/aws_foundational_security_cloudfront_9.yaml b/compliance/controls/pending/aws/aws_foundational_security_cloudfront_9.yaml index 46dcd0eb8..7679bb5bc 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_cloudfront_9.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_cloudfront_9.yaml 
@@ -1,55 +1,13 @@ ID: aws_foundational_security_cloudfront_9 Title: "9 CloudFront distributions should encrypt traffic to custom origins" Description: "This control checks if Amazon CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol policy allows 'http-only'. This control also fails if the distribution's origin protocol policy is 'match-viewer' while the viewer protocol policy is 'allow-all'." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with viewer_protocol_policy_value as ( - select - distinct arn - from - aws_cloudfront_distribution, - jsonb_array_elements( - case jsonb_typeof(cache_behaviors -> 'Items') - when 'array' then (cache_behaviors -> 'Items') - else null end - ) as cb - where - cb ->> 'ViewerProtocolPolicy' = 'allow-all' - ), - origin_protocol_policy_value as ( - select - distinct arn, - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy - from - aws_cloudfront_distribution, - jsonb_array_elements(origins) as o - where - o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only' - or o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer' - ) - select - b.arn as resource, - case - when o.arn is not null and o.origin_protocol_policy = 'http-only' then 'alarm' - when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then 'alarm' - else 'ok' - end as status, - case - when o.arn is not null and o.origin_protocol_policy = 'http-only' then title || ' custom origins traffic not encrypted in transit.' - when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then title || ' custom origins traffic not encrypted in transit.' - else title || ' custom origins traffic encrypted in transit.' 
- end as reason - - - from - aws_cloudfront_distribution as b - left join origin_protocol_policy_value as o on b.arn = o.arn - left join viewer_protocol_policy_value as v on b.arn = v.arn; + QueryToExecute: "with viewer_protocol_policy_value as (\n select\n distinct arn\n from\n aws_cloudfront_distribution,\n jsonb_array_elements(\n case jsonb_typeof(cache_behaviors -> 'Items')\n when 'array' then (cache_behaviors -> 'Items')\n else null end\n ) as cb\n where\n cb ->> 'ViewerProtocolPolicy' = 'allow-all'\n),\norigin_protocol_policy_value as (\n select\n distinct arn,\n o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy\n from\n aws_cloudfront_distribution,\n jsonb_array_elements(origins) as o\n where\n o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only'\n or o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer'\n)\nselect\n b.arn as resource,\n case\n when o.arn is not null and o.origin_protocol_policy = 'http-only' then 'alarm'\n when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then 'alarm'\n else 'ok'\n end as status,\n case\n when o.arn is not null and o.origin_protocol_policy = 'http-only' then title || ' custom origins traffic not encrypted in transit.'\n when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then title || ' custom origins traffic not encrypted in transit.'\n else title || ' custom origins traffic encrypted in transit.'\n end as reason\n \n \nfrom\n aws_cloudfront_distribution as b\n left join origin_protocol_policy_value as o on b.arn = o.arn\n left join viewer_protocol_policy_value as v on b.arn = v.arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud 
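Review bot: `origin_protocol_policy_value` in the `+ QueryToExecute:` line selects `distinct arn, origin_protocol_policy`, so a distribution with both an `http-only` and a `match-viewer` custom origin yields two rows there, and the final `left join origin_protocol_policy_value as o on b.arn = o.arn` emits the distribution twice, with conflicting statuses when the viewer policy is not `allow-all`. Aggregating to one row per arn in the CTE (for example `bool_or(... = 'http-only')` and `bool_or(... = 'match-viewer')` grouped by arn), or replacing the join with `exists` subqueries, removes the fan-out. The `viewer_protocol_policy_value` CTE only scans `cache_behaviors -> 'Items'` and relies on the final `case` to check `default_cache_behavior`; a short SQL comment stating that split would help the next reader.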
diff --git a/compliance/controls/pending/aws/aws_foundational_security_dms_7.yaml b/compliance/controls/pending/aws/aws_foundational_security_dms_7.yaml index cba10f75d..54d7c89d1 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_dms_7.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_dms_7.yaml 
@@ -1,53 +1,13 @@ ID: aws_foundational_security_dms_7 Title: "7 DMS replication tasks for the target database should have logging enabled" Description: "This control checks whether logging is enabled with the minimum severity level of LOGGER_SEVERITY_DEFAULT for DMS replication tasks TARGET_APPLY and TARGET_LOAD. The control fails if logging isn't enabled for these tasks or if the minimum severity level is less than LOGGER_SEVERITY_DEFAULT." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with replication_task_target_apply as ( - select - arn - from - aws_dms_replication_task, - jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o - where - o ->> 'Id' = 'TARGET_APPLY' - and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG') - ), replication_task_target_load as ( - select - arn - from - aws_dms_replication_task, - jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o - where - o ->> 'Id' = 'TARGET_LOAD' - and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG') - ) - select - t.arn as resource, - (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool, - case - when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool - and a.arn is not null - and l.arn is not null then 'ok' - else 'alarm' - end as status, - case - when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool - and a.arn is not null - and l.arn is not null then title || ' target database logging enabled.' - else title || 'target database logging disabled.' 
- end as reason - - - from - aws_dms_replication_task as t - left join replication_task_target_apply as a on a.arn = t.arn - left join replication_task_target_load as l on l.arn = t.arn; + QueryToExecute: "with replication_task_target_apply as (\n select\n arn\n from\n aws_dms_replication_task,\n jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o\n where\n o ->> 'Id' = 'TARGET_APPLY'\n and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')\n), replication_task_target_load as (\n select\n arn\n from\n aws_dms_replication_task,\n jsonb_array_elements(replication_task_settings -> 'Logging' -> 'LogComponents') as o\n where\n o ->> 'Id' = 'TARGET_LOAD'\n and o ->> 'Severity' in ('LOGGER_SEVERITY_DEFAULT', 'LOGGER_SEVERITY_DEBUG', 'LOGGER_SEVERITY_DETAILED_DEBUG')\n)\nselect\n t.arn as resource,\n (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool,\n case\n when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool\n and a.arn is not null\n and l.arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when (replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool\n and a.arn is not null\n and l.arn is not null then title || ' target database logging enabled.'\n else title || 'target database logging disabled.'\n end as reason\n \n \nfrom\n aws_dms_replication_task as t\n left join replication_task_target_apply as a on a.arn = t.arn\n left join replication_task_target_load as l on l.arn = t.arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_docdb_3.yaml b/compliance/controls/pending/aws/aws_foundational_security_docdb_3.yaml index dc957e906..a3f938eea 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_docdb_3.yaml 
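Review bot: The select list in the `+ QueryToExecute:` line carries a bare `(replication_task_settings -> 'Logging' ->> 'EnableLogging')::bool,` column between `resource` and `status` with no alias, which adds an unnamed column the engine has to tolerate; it reads like debugging residue and should be removed or aliased. The alarm reason `title || 'target database logging disabled.'` is missing the leading space present in the ok branch and should be `title || ' target database logging disabled.'`. A task whose `Logging` block lacks `EnableLogging` gets null from the cast and falls through to `'alarm'`, which is the fail-closed direction; a one-line SQL comment noting that this is intentional would stop it being "fixed" later.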
+++ b/compliance/controls/pending/aws/aws_foundational_security_docdb_3.yaml @@ -1,28 +1,13 @@ ID: aws_foundational_security_docdb_3 Title: "3 Amazon DocumentDB manual cluster snapshots should not be public" Description: "This control checks whether an Amazon DocumentDB manual cluster snapshot is public. The control fails if the manual cluster snapshot is public." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - case - when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '["all"]' then 'alarm' - else 'ok' - end status, - case - when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '["all"]' then title || ' does not restrict public access.' - else title || ' restrict public access.' - end reason - - - from - aws_docdb_cluster_snapshot, - jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot; + QueryToExecute: "select\n arn as resource,\n case\n when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when (cluster_snapshot ->> 'AttributeName' = 'restore') and cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then title || ' does not restrict public access.'\n else title || ' restrict public access.'\n end reason\n \n \nfrom\n aws_docdb_cluster_snapshot,\n jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_ec2_10.yaml b/compliance/controls/pending/aws/aws_foundational_security_ec2_10.yaml index 7628a8371..3db91d079 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_ec2_10.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_ec2_10.yaml 
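Review bot: `cluster_snapshot -> 'AttributeValues' = '[\"all\"]'` in the `+ QueryToExecute:` line is exact jsonb equality, so a snapshot whose restore attribute lists `all` alongside specific account IDs is reported `'ok'`; a containment test, `cluster_snapshot -> 'AttributeValues' ? 'all'`, flags every public snapshot regardless of what else is in the list. Because `jsonb_array_elements(db_cluster_snapshot_attributes)` emits one row per attribute, each snapshot also produces one result row per attribute under the same `arn`; restricting to `where cluster_snapshot ->> 'AttributeName' = 'restore'`, or aggregating with `bool_or`, gives one verdict per snapshot. The ok reason `' restrict public access.'` should read `' restricts public access.'`.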
@@ -1,41 +1,13 @@ ID: aws_foundational_security_ec2_10 Title: "10 Amazon EC2 should be configured to use VPC endpoints" Description: "This control checks whether a service endpoint for Amazon EC2 is created for each VPC. The control fails if a VPC does not have a VPC endpoint created for the Amazon EC2 service." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - arn as resource, - case - when vpc_id not in ( - select - vpc_id - from - aws_vpc_endpoint - where - service_name like 'com.amazonaws.' || region || '.ec2' - ) then 'alarm' - else 'ok' - end as status, - case - when vpc_id not in ( - select - vpc_id - from - aws_vpc_endpoint - where - service_name like 'com.amazonaws.' || region || '.ec2' - ) then title || ' not configured to use VPC endpoints.' - else title || ' configured to use VPC endpoints.' - end as reason - - - from - aws_vpc; + QueryToExecute: "select\n arn as resource,\n case\n when vpc_id not in (\n select\n vpc_id\n from\n aws_vpc_endpoint\n where\n service_name like 'com.amazonaws.' || region || '.ec2'\n ) then 'alarm'\n else 'ok'\n end as status,\n case\n when vpc_id not in (\n select\n vpc_id\n from\n aws_vpc_endpoint\n where\n service_name like 'com.amazonaws.' || region || '.ec2'\n ) then title || ' not configured to use VPC endpoints.'\n else title || ' configured to use VPC endpoints.'\n end as reason\n \n \nfrom\n aws_vpc;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_ec2_21.yaml b/compliance/controls/pending/aws/aws_foundational_security_ec2_21.yaml index 98e4549d6..29569981b 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_ec2_21.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_ec2_21.yaml 
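Review bot: `vpc_id not in (select vpc_id from aws_vpc_endpoint where ...)` in the `+ QueryToExecute:` line is a `NOT IN` against a possibly nullable column; if any matching endpoint row has a null `vpc_id`, the predicate is null for every VPC and the case falls into `else 'ok'`, passing all VPCs silently. A null-safe form is `from aws_vpc as v` with `when not exists (select 1 from aws_vpc_endpoint as e where e.vpc_id = v.vpc_id and e.service_name = 'com.amazonaws.' || v.region || '.ec2') then 'alarm'`, which also drops the wildcard-free `like` that is just an equality test. I cannot see whether `aws_vpc_endpoint.vpc_id` is nullable in this schema, so treat the first point as a risk to confirm rather than a reproduced failure.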
@@ -1,86 +1,13 @@ ID: aws_foundational_security_ec2_21 Title: "21 Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389" Description: "This control checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) is unrestricted. The rule fails if a NACL inbound entry allows a source CIDR block of '0.0.0.0/0' or '::/0' for ports 22 or 3389." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with bad_rules as ( - select - network_acl_id, - count(*) as num_bad_rules, - tags, - region, - account_id - from - aws_vpc_network_acl, - jsonb_array_elements(entries) as att - where - att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress - and ( - att ->> 'CidrBlock' = '0.0.0.0/0' - or att ->> 'Ipv6CidrBlock' = '::/0' - ) - and att ->> 'RuleAction' = 'allow' - and ( - ( - att ->> 'Protocol' = '-1' -- all traffic - and att ->> 'PortRange' is null - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 22 - and (att -> 'PortRange' ->> 'To') :: int >= 22 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - or ( - (att -> 'PortRange' ->> 'From') :: int <= 3389 - and (att -> 'PortRange' ->> 'To') :: int >= 3389 - and att ->> 'Protocol' in('6', '17') -- TCP or UDP - ) - ) - group by - network_acl_id, - region, - account_id, - tags - order by - network_acl_id, - region, - account_id, - tags - ), - aws_vpc_network_acls as ( - select - network_acl_id, - tags, - partition, - region, - account_id - from - aws_vpc_network_acl - order by - network_acl_id, - region, - account_id - ) - select - 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource, - case - when bad_rules.network_acl_id is null then 'ok' - else 'alarm' - end as status, - case - when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' 
- else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.' - end as reason - - - from - aws_vpc_network_acls as acl - left join bad_rules on bad_rules.network_acl_id = acl.network_acl_id; + QueryToExecute: "with bad_rules as (\n select\n network_acl_id,\n count(*) as num_bad_rules,\n tags,\n region,\n account_id\n from\n aws_vpc_network_acl,\n jsonb_array_elements(entries) as att\n where\n att ->> 'Egress' = 'false' -- as per aws egress = false indicates the ingress\n and (\n att ->> 'CidrBlock' = '0.0.0.0/0'\n or att ->> 'Ipv6CidrBlock' = '::/0'\n )\n and att ->> 'RuleAction' = 'allow'\n and (\n (\n att ->> 'Protocol' = '-1' -- all traffic\n and att ->> 'PortRange' is null\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 22\n and (att -> 'PortRange' ->> 'To') :: int >= 22\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n or (\n (att -> 'PortRange' ->> 'From') :: int <= 3389\n and (att -> 'PortRange' ->> 'To') :: int >= 3389\n and att ->> 'Protocol' in('6', '17') -- TCP or UDP\n )\n )\n group by\n network_acl_id,\n region,\n account_id,\n tags\n order by\n network_acl_id,\n region,\n account_id,\n tags\n),\naws_vpc_network_acls as (\n select\n network_acl_id,\n tags,\n partition,\n region,\n account_id\n from\n aws_vpc_network_acl\n order by\n network_acl_id,\n region,\n account_id\n)\nselect\n 'arn:' || acl.partition || ':ec2:' || acl.region || ':' || acl.account_id || ':network-acl/' || acl.network_acl_id as resource,\n case\n when bad_rules.network_acl_id is null then 'ok'\n else 'alarm'\n end as status,\n case\n when bad_rules.network_acl_id is null then acl.network_acl_id || ' does not allow ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n else acl.network_acl_id || ' contains ' || bad_rules.num_bad_rules || ' rule(s) allowing ingress to port 22 or 3389 from 0.0.0.0/0 or ::/0.'\n end as reason\n \n \nfrom\n aws_vpc_network_acls as acl\n left join bad_rules 
on bad_rules.network_acl_id = acl.network_acl_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_ec2_25.yaml b/compliance/controls/pending/aws/aws_foundational_security_ec2_25.yaml index 12687a51b..26c4c06c8 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_ec2_25.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_ec2_25.yaml 
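Review bot: The `bad_rules` CTE in the `+ QueryToExecute:` line flags any `allow` entry covering port 22 or 3389 from `0.0.0.0/0` or `::/0` without considering `RuleNumber`, but a network ACL evaluates entries in ascending rule number and stops at the first match, so an allow rule shadowed by a lower-numbered deny for the same range is still reported as exposure; this errs toward false alarms, not missed exposure. If mirroring the AWS Config rule is the goal that is acceptable, but a SQL comment such as `-- rule-number precedence is ignored; a shadowed allow still counts as exposure` would make the intent explicit. The `order by` clauses inside both CTEs have no effect on the joined result and can be dropped. The hunk itself spans the three preceding physical lines, so the `bad_rules` CTE begins above this point.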
@@ -1,45 +1,13 @@
 ID: aws_foundational_security_ec2_25
 Title: "25 Amazon EC2 launch templates should not assign public IPs to network interfaces"
 Description: "This control checks if Amazon EC2 launch templates are configured to assign public IP addresses to network interfaces upon launch. The control fails if an EC2 launch template is configured to assign a public IP address to network interfaces or if there is at least one network interface that has a public IP address."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with public_launch_templates as (
- select
- i.tags ->> 'aws:ec2launchtemplate:id' as public_launch_template_id
- from
- aws_ec2_instance as i,
- jsonb_array_elements(launch_template_data -> 'NetworkInterfaces') as nic
- where
- (nic -> 'AssociatePublicIpAddress')::bool
- ),
- launch_templates_associated_instance as (
- select
- distinct tags ->> 'aws:ec2launchtemplate:id' as launch_template_id
- from
- aws_ec2_instance
- )
- select
- t.launch_template_id as resource,
- case
- when i.launch_template_id is null then 'skip'
- when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then 'alarm'
- else 'ok'
- end as status,
- case
- when i.launch_template_id is null then t.title || ' does not launch any instance.'
- when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then t.title || ' publicly accessible.'
- else t.title || ' not publicly accessible.'
- end as reason
-
-
- from
- aws_ec2_launch_template as t
- left join launch_templates_associated_instance as i on i.launch_template_id = t.launch_template_id;
+ QueryToExecute: "with public_launch_templates as (\n select\n i.tags ->> 'aws:ec2launchtemplate:id' as public_launch_template_id\n from\n aws_ec2_instance as i,\n jsonb_array_elements(launch_template_data -> 'NetworkInterfaces') as nic\n where\n (nic -> 'AssociatePublicIpAddress')::bool\n),\nlaunch_templates_associated_instance as (\n select\n distinct tags ->> 'aws:ec2launchtemplate:id' as launch_template_id\n from\n aws_ec2_instance\n)\nselect\n t.launch_template_id as resource,\n case\n when i.launch_template_id is null then 'skip'\n when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then 'alarm'\n else 'ok'\n end as status,\n case\n when i.launch_template_id is null then t.title || ' does not launch any instance.'\n when t.launch_template_id in ( select public_launch_template_id from public_launch_templates ) then t.title || ' publicly accessible.'\n else t.title || ' not publicly accessible.'\n end as reason\n \n \nfrom\n aws_ec2_launch_template as t\n left join launch_templates_associated_instance as i on i.launch_template_id = t.launch_template_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_ec2_6.yaml b/compliance/controls/pending/aws/aws_foundational_security_ec2_6.yaml
index 4a8c40442..2897a8972 100755
--- a/compliance/controls/pending/aws/aws_foundational_security_ec2_6.yaml
+++ b/compliance/controls/pending/aws/aws_foundational_security_ec2_6.yaml
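Review bot: The new `QueryToExecute` in this hunk collapses the former `|` block scalar into a single double-quoted line full of `\n` escapes, so the SQL can no longer be read or diffed line by line and any embedded JSON now needs `\"` escaping; the same rewrite is made in the ec2_6, elb_13, elb_3, elb_5, guardduty_1, iam_6, iam_7, kms_2, lambda_5 and rds_1 hunks of this patch. If the loader accepts block scalars, keeping `QueryToExecute: |` with the query indented beneath it yields the same string value while staying reviewable. Separately, `public_launch_templates` is derived from `aws_ec2_instance.launch_template_data`, so a template that is configured to assign public IPs but has launched no instance is reported as `skip` rather than the `alarm` the Description promises; reading the network-interface setting from `aws_ec2_launch_template` itself would close that gap, if that table exposes it.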
@@ -1,54 +1,13 @@
 ID: aws_foundational_security_ec2_6
 Title: "6 VPC flow logging should be enabled in all VPCs"
 Description: "This control checks whether Amazon VPC Flow Logs are found and enabled for VPCs. The traffic type is set to Reject. With the VPC Flow Logs feature, you can capture information about the IP address traffic going to and from network interfaces in your VPC. After you create a flow log, you can view and retrieve its data in CloudWatch Logs. To reduce cost, you can also send your flow logs to Amazon S3."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with vpcs as (
- select
- arn,
- account_id,
- region,
- owner_id,
- vpc_id,
- tags,
- _ctx
- from
- aws_vpc
- order by
- vpc_id
- ),
- flowlogs as (
- select
- resource_id,
- account_id,
- region
- from
- aws_vpc_flow_log
- order by
- resource_id
- )
- select
- v.arn as resource,
- case
- when v.account_id <> v.owner_id then 'skip'
- when f.resource_id is not null then 'ok'
- else 'alarm'
- end as status,
- case
- when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.'
- when f.resource_id is not null then v.vpc_id || ' flow logging enabled.'
- else v.vpc_id || ' flow logging disabled.'
- end as reason
-
-
- from
- vpcs as v
- left join flowlogs as f on v.vpc_id = f.resource_id;
+ QueryToExecute: "with vpcs as (\n select\n arn,\n account_id,\n region,\n owner_id,\n vpc_id,\n tags,\n _ctx\n from\n aws_vpc\n order by\n vpc_id\n),\nflowlogs as (\n select\n resource_id,\n account_id,\n region\n from\n aws_vpc_flow_log\n order by\n resource_id\n)\nselect\n v.arn as resource,\n case\n when v.account_id <> v.owner_id then 'skip'\n when f.resource_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when v.account_id <> v.owner_id then v.vpc_id || ' is a shared VPC.'\n when f.resource_id is not null then v.vpc_id || ' flow logging enabled.'\n else v.vpc_id || ' flow logging disabled.'\n end as reason\n \n \nfrom\n vpcs as v\n left join flowlogs as f on v.vpc_id = f.resource_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_elb_13.yaml b/compliance/controls/pending/aws/aws_foundational_security_elb_13.yaml
index 4bc2f18c2..5b315fffb 100755
--- a/compliance/controls/pending/aws/aws_foundational_security_elb_13.yaml
+++ b/compliance/controls/pending/aws/aws_foundational_security_elb_13.yaml
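Review bot: The `flowlogs` CTE in the new `QueryToExecute` joins on `resource_id` alone, so a VPC is marked `ok` as soon as any flow-log row points at it, regardless of the log's traffic type or whether it is active, while the Description states that the traffic type must be Reject. Restricting the CTE to active logs whose traffic type covers rejected traffic (REJECT or ALL) would make the query enforce what the control describes; the exact column names need confirming against the `aws_vpc_flow_log` schema. The `tags` and `_ctx` columns selected in `vpcs` are never used and can be dropped.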
@@ -1,48 +1,13 @@
 ID: aws_foundational_security_elb_13
 Title: "13 Application, Network, and Gateway Load Balancers should span multiple Availability Zones"
 Description: "This control checks whether an Elastic Load Balancer V2 (Application, Network, or Gateway Load Balancer) has registered instances from multiple Availability Zones. The control fails if an Elastic Load Balancer V2 has instances registered in fewer than two Availability Zones."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- case
- when jsonb_array_length(availability_zones) < 2 then 'alarm'
- else 'ok'
- end as status,
- title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason
-
-
- from
- aws_ec2_application_load_balancer
- union
- select
- arn as resource,
- case
- when jsonb_array_length(availability_zones) < 2 then 'alarm'
- else 'ok'
- end as status,
- title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason
-
-
- from
- aws_ec2_network_load_balancer
- union
- select
- arn as resource,
- case
- when jsonb_array_length(availability_zones) < 2 then 'alarm'
- else 'ok'
- end as status,
- title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason
-
-
- from
- aws_ec2_gateway_load_balancer;
+ QueryToExecute: "select\n arn as resource,\n case\n when jsonb_array_length(availability_zones) < 2 then 'alarm'\n else 'ok'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason\n \n \nfrom\n aws_ec2_application_load_balancer\nunion\nselect\n arn as resource,\n case\n when jsonb_array_length(availability_zones) < 2 then 'alarm'\n else 'ok'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' 
as reason\n \n \nfrom\n aws_ec2_network_load_balancer\nunion\nselect\n arn as resource,\n case\n when jsonb_array_length(availability_zones) < 2 then 'alarm'\n else 'ok'\n end as status,\n title || ' has ' || jsonb_array_length(availability_zones) || ' availability zone(s).' as reason\n \n \nfrom\n aws_ec2_gateway_load_balancer;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_elb_3.yaml b/compliance/controls/pending/aws/aws_foundational_security_elb_3.yaml
index aab8b23f4..3c381e4a8 100755
--- a/compliance/controls/pending/aws/aws_foundational_security_elb_3.yaml
+++ b/compliance/controls/pending/aws/aws_foundational_security_elb_3.yaml
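Review bot: `jsonb_array_length(availability_zones) < 2` evaluates to null when `availability_zones` is null, so each `case` in the new `QueryToExecute` falls through to `'ok'` and the `reason` concatenation becomes null; a load balancer row with no availability-zone data would pass silently. Using `coalesce(jsonb_array_length(availability_zones), 0) < 2` in all three branches turns missing data into an alarm rather than a pass, and `coalesce(jsonb_array_length(availability_zones), 0)` in the `reason` keeps the message non-null.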
@@ -1,29 +1,13 @@
 ID: aws_foundational_security_elb_3
 Title: "3 Classic Load Balancer listeners should be configured with HTTPS or TLS termination"
 Description: "This control checks whether your Classic Load Balancer listeners are configured with HTTPS or TLS protocol for front-end (client to load balancer) connections. The control is applicable if a Classic Load Balancer has listeners. If your Classic Load Balancer does not have a listener configured, then the control does not report any findings. The control passes if the Classic Load Balancer listeners are configured with TLS or HTTPS for front-end connections. The control fails if the listener is not configured with TLS or HTTPS for front-end connections."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource,
- case
- when listener_description -> 'Listener' ->> 'Protocol' in ('HTTPS', 'SSL', 'TLS') then 'ok'
- else 'alarm'
- end as status,
- case
- when listener_description -> 'Listener' ->> 'Protocol' = 'HTTPS' then title || ' configured with HTTPS protocol.'
- when listener_description -> 'Listener' ->> 'Protocol' = 'SSL' then title || ' configured with TLS protocol.'
- else title || ' configured with ' || (listener_description -> 'Listener' ->> 'Protocol') || ' protocol.'
- end as reason
-
-
- from
- aws_ec2_classic_load_balancer,
- jsonb_array_elements(listener_descriptions) as listener_description;
+ QueryToExecute: "select\n 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource,\n case\n when listener_description -> 'Listener' ->> 'Protocol' in ('HTTPS', 'SSL', 'TLS') then 'ok'\n else 'alarm'\n end as status,\n case\n when listener_description -> 'Listener' ->> 'Protocol' = 'HTTPS' then title || ' configured with HTTPS protocol.'\n when listener_description -> 'Listener' ->> 'Protocol' = 'SSL' then title || ' configured with TLS protocol.'\n else title || ' configured with ' || (listener_description -> 'Listener' ->> 'Protocol') || ' protocol.'\n end as reason\n \n \nfrom\n aws_ec2_classic_load_balancer,\n jsonb_array_elements(listener_descriptions) as listener_description;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_elb_5.yaml b/compliance/controls/pending/aws/aws_foundational_security_elb_5.yaml
index 75691a641..52e86ab0d 100755
--- a/compliance/controls/pending/aws/aws_foundational_security_elb_5.yaml
+++ b/compliance/controls/pending/aws/aws_foundational_security_elb_5.yaml
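Review bot: The new `QueryToExecute` emits one row per listener but uses the load balancer ARN as `resource`, so a Classic Load Balancer with one HTTPS listener and one HTTP listener produces both an `ok` and an `alarm` row for the same resource; if the engine keys findings by `resource`, one of the two is lost and the surviving status is arbitrary. Grouping by load balancer and aggregating, e.g. `bool_and(listener_description -> 'Listener' ->> 'Protocol' in ('HTTPS', 'SSL', 'TLS'))`, gives one deterministic status per resource. The `'TLS'` entry in the accepted list also looks out of place for Classic Load Balancer listeners, whose front-end protocols are HTTP, HTTPS, TCP and SSL as far as I know; a short comment on why it is accepted, or its removal once confirmed, would help.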
@@ -1,46 +1,13 @@
 ID: aws_foundational_security_elb_5
 Title: "5 Application and Classic Load Balancers logging should be enabled"
 Description: "This control checks whether the Application Load Balancer and the Classic Load Balancer have logging enabled. The control fails if access_logs.s3.enabled is false."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- (
- select
- arn as resource,
- case
- when load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' then 'ok'
- else 'alarm'
- end as status,
- case
- when load_balancer_attributes @> '[{"Key": "access_logs.s3.enabled", "Value": "true"}]' then title || ' logging enabled.'
- else title || ' logging disabled.'
- end as reason
-
-
- from
- aws_ec2_application_load_balancer
- )
- union
- (
- select
- 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource,
- case
- when access_log_enabled = 'true' then 'ok'
- else 'alarm'
- end as status,
- case
- when access_log_enabled = 'true' then title || ' logging enabled.'
- else title || ' logging disabled.'
- end as reason
-
-
- from
- aws_ec2_classic_load_balancer
- );
+ QueryToExecute: "(\n select\n arn as resource,\n case\n when load_balancer_attributes @> '[{\"Key\": \"access_logs.s3.enabled\", \"Value\": \"true\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when load_balancer_attributes @> '[{\"Key\": \"access_logs.s3.enabled\", \"Value\": \"true\"}]' then title || ' logging enabled.'\n else title || ' logging disabled.'\n end as reason\n \n \n from\n aws_ec2_application_load_balancer\n)\nunion\n(\n select\n 'arn:' || partition || ':elasticloadbalancing:' || region || ':' || account_id || ':loadbalancer/' || title as resource,\n case\n when access_log_enabled = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when access_log_enabled = 'true' then title || ' logging enabled.'\n else title || ' logging disabled.'\n end as reason\n \n \n from\n aws_ec2_classic_load_balancer\n);\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_guardduty_1.yaml b/compliance/controls/pending/aws/aws_foundational_security_guardduty_1.yaml
index 3093bec7c..eda8d3cdd 100755
--- a/compliance/controls/pending/aws/aws_foundational_security_guardduty_1.yaml
+++ b/compliance/controls/pending/aws/aws_foundational_security_guardduty_1.yaml
@@ -1,35 +1,13 @@
 ID: aws_foundational_security_guardduty_1
 Title: "1 GuardDuty should be enabled"
 Description: "This control checks whether Amazon GuardDuty is enabled in your GuardDuty account and Region. It is highly recommended that you enable GuardDuty in all supported AWS Regions. Doing so allows GuardDuty to generate findings about unauthorized or unusual activity, even in Regions that you do not actively use. This also allows GuardDuty to monitor CloudTrail events for global AWS services such as IAM."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
- case
- when r.region = any(array['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) then 'skip'
- -- Skip any regions that are disabled in the account.
- when r.opt_in_status = 'not-opted-in' then 'skip'
- when status = 'ENABLED' and master_account ->> 'AccountId' is null then 'ok'
- when status = 'ENABLED' and master_account ->> 'AccountId' is not null then 'info'
- else 'alarm'
- end as status,
- case
- when r.region = any(array['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) then r.region || ' region not supported.'
- when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
- when status is null then 'No GuardDuty detector found in ' || r.region || '.'
- when status = 'ENABLED' and master_account ->> 'AccountId' is null then r.region || ' detector ' || d.title || ' enabled.'
- when status = 'ENABLED' and master_account ->> 'AccountId' is not null then r.region || ' detector ' || d.title || ' is managed by account ' || (master_account ->> 'AccountId') || ' via delegated admin.'
- else r.region || ' detector ' || d.title || ' disabled.'
- end as reason
-
- from
- aws_region as r
- left join aws_guardduty_detector d on r.account_id = d.account_id and r.name = d.region;
+ QueryToExecute: "select\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\n case\n when r.region = any(array['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) then 'skip'\n -- Skip any regions that are disabled in the account.\n when r.opt_in_status = 'not-opted-in' then 'skip'\n when status = 'ENABLED' and master_account ->> 'AccountId' is null then 'ok'\n when status = 'ENABLED' and master_account ->> 'AccountId' is not null then 'info'\n else 'alarm'\n end as status,\n case\n when r.region = any(array['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) then r.region || ' region not supported.'\n when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'\n when status is null then 'No GuardDuty detector found in ' || r.region || '.'\n when status = 'ENABLED' and master_account ->> 'AccountId' is null then r.region || ' detector ' || d.title || ' enabled.'\n when status = 'ENABLED' and master_account ->> 'AccountId' is not null then r.region || ' detector ' || d.title || ' is managed by account ' || (master_account ->> 'AccountId') || ' via delegated admin.'\n else r.region || ' detector ' || d.title || ' disabled.'\n end as reason\n \nfrom\n aws_region as r\n left join aws_guardduty_detector d on r.account_id = d.account_id and r.name = d.region;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: high
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_iam_6.yaml b/compliance/controls/pending/aws/aws_foundational_security_iam_6.yaml
index a6cbb9678..46051d686 100755
--- a/compliance/controls/pending/aws/aws_foundational_security_iam_6.yaml
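Review bot: The hard-coded unsupported-region list (`'af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'me-south-1', ...`) in the new `QueryToExecute` turns any missing GuardDuty detector in those regions into `skip`; GuardDuty has since become available in several of them, so the list is likely stale and hides real coverage gaps. Consider relying on the `r.opt_in_status` check alone, or at least adding `-- unsupported-region list last verified <DATE>` above it so reviewers know when it was checked. `status` and `master_account` are also unqualified columns from `aws_guardduty_detector`; writing `d.status` and `d.master_account` avoids ambiguity should `aws_region` ever gain a column of the same name.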
+++ b/compliance/controls/pending/aws/aws_foundational_security_iam_6.yaml
@@ -1,28 +1,13 @@
 ID: aws_foundational_security_iam_6
 Title: "6 Hardware MFA should be enabled for the root user"
 Description: "This control checks whether your AWS account is enabled to use a hardware multi-factor authentication (MFA) device to sign in with root user credentials."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || s.partition || ':::' || s.account_id as resource,
- case
- when s.account_mfa_enabled and d.serial_number is null then 'ok'
- else 'alarm'
- end status,
- case
- when s.account_mfa_enabled = false then 'MFA not enabled for root account.'
- when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'
- else 'Hardware MFA device enabled for root account.'
- end reason
-
- from
- aws_iam_account_summary as s
- left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';
+ QueryToExecute: "select\n 'arn:' || s.partition || ':::' || s.account_id as resource,\n case\n when s.account_mfa_enabled and d.serial_number is null then 'ok'\n else 'alarm'\n end status,\n case\n when s.account_mfa_enabled = false then 'MFA not enabled for root account.'\n when d.serial_number is not null then 'MFA enabled for root account, but the MFA associated is a virtual device.'\n else 'Hardware MFA device enabled for root account.'\n end reason\n \nfrom\n aws_iam_account_summary as s\n left join aws_iam_virtual_mfa_device as d on (d.user ->> 'Arn') = 'arn:' || s.partition || ':iam::' || s.account_id || ':root';\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: critical
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_iam_7.yaml b/compliance/controls/pending/aws/aws_foundational_security_iam_7.yaml
index c4fadb347..4a1dcd855 100755
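Review bot: The `reason` case in the new `QueryToExecute` tests `s.account_mfa_enabled = false`, which is null rather than true when the summary column itself is null; in that situation `status` is `alarm` (the `and` in its `case` evaluates to null) but `reason` falls through to `'Hardware MFA device enabled for root account.'`, contradicting it. `when not coalesce(s.account_mfa_enabled, false) then 'MFA not enabled for root account.'` keeps the two columns consistent. A comment above the join such as `-- "hardware" is inferred: account MFA is on and no virtual MFA device is attached to the root ARN` would also help readers, since the query never observes a hardware device directly.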
--- a/compliance/controls/pending/aws/aws_foundational_security_iam_7.yaml
+++ b/compliance/controls/pending/aws/aws_foundational_security_iam_7.yaml
@@ -1,47 +1,13 @@
 ID: aws_foundational_security_iam_7
 Title: "7 Password policies for IAM users should have strong configurations"
 Description: "This control checks whether the account password policy for IAM users uses the recommended configurations."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when
- minimum_password_length >= 8
- and require_lowercase_characters = 'true'
- and require_uppercase_characters = 'true'
- and require_numbers = 'true'
- and require_symbols = 'true'
- then 'ok'
- else 'alarm'
- end as status,
- case
- when minimum_password_length is null then 'No password policy set.'
- when
- minimum_password_length >= 8
- and require_lowercase_characters = 'true'
- and require_uppercase_characters = 'true'
- and require_numbers = 'true'
- and require_symbols = 'true'
- then 'Strong password policies configured.'
- else 'Password policy ' ||
- concat_ws(', ',
- case when minimum_password_length < 8 then ('minimum password length set to ' || minimum_password_length) end,
- case when not (require_lowercase_characters = 'true') then 'lowercase characters not required' end,
- case when not (require_uppercase_characters = 'true') then 'uppercase characters not required' end,
- case when not (require_numbers) then 'numbers not required' end,
- case when not (require_symbols) then 'symbols not required' end
- ) || '.'
- end as reason
-
- from
- aws_account as a
- left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
+ QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when\n minimum_password_length >= 8\n and require_lowercase_characters = 'true'\n and require_uppercase_characters = 'true'\n and require_numbers = 'true'\n and require_symbols = 'true'\n then 'ok'\n else 'alarm'\n end as status,\n case\n when minimum_password_length is null then 'No password policy set.'\n when\n minimum_password_length >= 8\n and require_lowercase_characters = 'true'\n and require_uppercase_characters = 'true'\n and require_numbers = 'true'\n and require_symbols = 'true'\n then 'Strong password policies configured.'\n else 'Password policy ' ||\n concat_ws(', ',\n case when minimum_password_length < 8 then ('minimum password length set to ' || minimum_password_length) end,\n case when not (require_lowercase_characters = 'true') then 'lowercase characters not required' end,\n case when not (require_uppercase_characters = 'true') then 'uppercase characters not required' end,\n case when not (require_numbers) then 'numbers not required' end,\n case when not (require_symbols) then 'symbols not required' end\n ) || '.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_kms_2.yaml b/compliance/controls/pending/aws/aws_foundational_security_kms_2.yaml
index 024bc2710..c52885b56 100755
--- a/compliance/controls/pending/aws/aws_foundational_security_kms_2.yaml
+++ b/compliance/controls/pending/aws/aws_foundational_security_kms_2.yaml
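Review bot: The new query compares the policy flags inconsistently — `require_lowercase_characters = 'true'` and `require_uppercase_characters = 'true'` as text, but `not (require_numbers)` and `not (require_symbols)` as booleans — so whichever type the columns actually have, one form relies on an implicit cast and the `concat_ws` branch reads differently from the `status` branch. Pick one form throughout, e.g. `case when not require_numbers then 'numbers not required' end` together with `and require_numbers` in the `status` case, or `= 'true'` everywhere if the columns are text. The `minimum_password_length` and `require_*` columns come from `pol`; qualifying them as `pol.minimum_password_length` etc. documents that and guards against a future `aws_account` column of the same name.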
@@ -1,97 +1,13 @@
 ID: aws_foundational_security_kms_2
 Title: "2 IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys"
 Description: "Checks whether the inline policies that are embedded in your IAM identities (role, user, or group) allow the AWS KMS decryption actions on all KMS keys. This control uses Zelkova, an automated reasoning engine, to validate and warn you about policies that may grant broad access to your secrets across AWS accounts. This control fails if kms:Decrypt or kms:ReEncryptFrom actions are allowed on all KMS keys in an inline policy."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- with user_with_decrypt_grant as (
- select
- distinct arn
- from
- aws_iam_user,
- jsonb_array_elements(inline_policies_std) as inline_policy,
- jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') as statement
- where
- statement ->> 'Effect' = 'Allow'
- and statement -> 'Resource' ?| array['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*']
- and statement -> 'Action' ?| array['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom']
- ),
- role_with_decrypt_grant as (
- select
- distinct arn
- from
- aws_iam_role,
- jsonb_array_elements(inline_policies_std) as inline_policy,
- jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') as statement
- where
- statement ->> 'Effect' = 'Allow'
- and statement -> 'Resource' ?| array['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*']
- and statement -> 'Action' ?| array['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom']
- ),
- group_with_decrypt_grant as (
- select
- distinct arn
- from
- aws_iam_group,
- jsonb_array_elements(inline_policies_std) as inline_policy,
- jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') as statement
- where
- statement ->> 'Effect' = 'Allow'
- and statement -> 
'Resource' ?| array['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*']
- and statement -> 'Action' ?| array['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom']
- )
- select
- i.arn as resource,
- case
- when d.arn is null then 'ok'
- else 'alarm'
- end as status,
- case
- when d.arn is null then 'User ' || i.title || ' not allowed to perform decryption actions on all keys.'
- else 'User ' || i.title || ' allowed to perform decryption actions on all keys.'
- end as reason
-
-
- from
- aws_iam_user i
- left join user_with_decrypt_grant d on i.arn = d.arn
- union
- select
- r.arn as resource,
- case
- when d.arn is null then 'ok'
- else 'alarm'
- end as status,
- case
- when d.arn is null then 'Role ' || r.title || ' not allowed to perform decryption actions on all keys.'
- else 'Role ' || r.title || ' allowed to perform decryption actions on all keys.'
- end as reason
-
-
- from
- aws_iam_role r
- left join role_with_decrypt_grant d on r.arn = d.arn
- where
- r.arn not like '%service-role/%'
- union
- select
- g.arn as resource,
- case
- when d.arn is null then 'ok'
- else 'alarm'
- end as status,
- case
- when d.arn is null then 'Role ' || g.title || ' not allowed to perform decryption actions on all keys.'
- else 'Group ' || g.title || ' allowed to perform decryption actions on all keys.'
- end as reason
-
- from
- aws_iam_group g
- left join group_with_decrypt_grant d on g.arn = d.arn;
+ QueryToExecute: "with user_with_decrypt_grant as (\n select\n distinct arn\n from\n aws_iam_user,\n jsonb_array_elements(inline_policies_std) as inline_policy,\n jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') as statement\n where\n statement ->> 'Effect' = 'Allow'\n and statement -> 'Resource' ?| array['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*']\n and statement -> 'Action' ?| array['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom']\n),\nrole_with_decrypt_grant as (\n select\n distinct arn\n from\n aws_iam_role,\n jsonb_array_elements(inline_policies_std) as inline_policy,\n jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') as statement\n where\n statement ->> 'Effect' = 'Allow'\n and statement -> 'Resource' ?| array['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*']\n and statement -> 'Action' ?| array['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom']\n),\ngroup_with_decrypt_grant as (\n select\n distinct arn\n from\n aws_iam_group,\n jsonb_array_elements(inline_policies_std) as inline_policy,\n jsonb_array_elements(inline_policy -> 'PolicyDocument' -> 'Statement') as statement\n where\n statement ->> 'Effect' = 'Allow'\n and statement -> 'Resource' ?| array['*', 'arn:aws:kms:*:' || account_id || ':key/*', 'arn:aws:kms:*:' || account_id || ':alias/*']\n and statement -> 'Action' ?| array['*', 'kms:*', 'kms:decrypt', 'kms:deencrypt*', 'kms:reencryptfrom']\n)\nselect\n i.arn as resource,\n case\n when d.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when d.arn is null then 'User ' || i.title || ' not allowed to perform decryption actions on all keys.'\n else 'User ' || i.title || ' allowed to perform decryption actions on all keys.'\n end as reason\n\n \nfrom\n aws_iam_user i\n 
left join user_with_decrypt_grant d on i.arn = d.arn\nunion\nselect\n r.arn as resource,\n case\n when d.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when d.arn is null then 'Role ' || r.title || ' not allowed to perform decryption actions on all keys.'\n else 'Role ' || r.title || ' allowed to perform decryption actions on all keys.'\n end as reason\n\n \nfrom\n aws_iam_role r\n left join role_with_decrypt_grant d on r.arn = d.arn\nwhere\n r.arn not like '%service-role/%'\nunion\nselect\n g.arn as resource,\n case\n when d.arn is null then 'ok'\n else 'alarm'\n end as status,\n case\n when d.arn is null then 'Role ' || g.title || ' not allowed to perform decryption actions on all keys.'\n else 'Group ' || g.title || ' allowed to perform decryption actions on all keys.'\n end as reason\n \nfrom\n aws_iam_group g\n left join group_with_decrypt_grant d on g.arn = d.arn;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_lambda_5.yaml b/compliance/controls/pending/aws/aws_foundational_security_lambda_5.yaml
index 4a14e9910..9b6d6d60e 100755
--- a/compliance/controls/pending/aws/aws_foundational_security_lambda_5.yaml
+++ b/compliance/controls/pending/aws/aws_foundational_security_lambda_5.yaml
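Review bot: The action list in all three CTEs of the new `QueryToExecute` contains `'kms:deencrypt*'`, which matches no KMS action I am aware of and looks like a typo for `'kms:reencrypt*'`; as written, a policy granting `kms:ReEncrypt*` is only caught through the separate `'kms:reencryptfrom'` entry, and only if the `_std` normalisation expands wildcards. `?|` is an exact, case-sensitive element match, so detection depends on `inline_policies_std` lowercasing actions and resources — a comment stating that assumption would help, since a raw `kms:Decrypt` or `kms:De*` would not match otherwise. The resource patterns also hard-code the `aws` partition (`'arn:aws:kms:*:'`), so keys in the `aws-cn` or `aws-us-gov` partitions are never matched; building the prefix from the row's `partition` column, if the IAM tables expose it, would cover them. Finally, the group branch's `reason` says `'Role ' || g.title || ' not allowed ...'`; it should read `'Group '` to match its `else` branch.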
@@ -1,39 +1,13 @@
 ID: aws_foundational_security_lambda_5
 Title: "5 VPC Lambda functions should operate in multiple Availability Zones"
 Description: "This control checks if Lambda has more than one availability zone associated. The rule fails if only one availability zone is associated with Lambda."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- arn as resource,
- case
- when vpc_id is null or vpc_id = '' then 'skip'
- else case
- when
- (
- select
- count(distinct availability_zone_id)
- from
- aws_vpc_subnet
- where
- subnet_id in (select jsonb_array_elements_text(vpc_subnet_ids) )
- ) >= 2
- then 'ok'
- else 'alarm'
- end
- end as status,
- case
- when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'
- else title || ' has ' || jsonb_array_length(vpc_subnet_ids) || ' availability zone(s).'
- end as reason
-
-
- from
- aws_lambda_function;
+ QueryToExecute: "select\n arn as resource,\n case\n when vpc_id is null or vpc_id = '' then 'skip'\n else case\n when\n (\n select\n count(distinct availability_zone_id)\n from\n aws_vpc_subnet\n where\n subnet_id in (select jsonb_array_elements_text(vpc_subnet_ids) )\n ) >= 2\n then 'ok'\n else 'alarm'\n end\n end as status,\n case\n when vpc_id is null or vpc_id = '' then title || ' is not in VPC.'\n else title || ' has ' || jsonb_array_length(vpc_subnet_ids) || ' availability zone(s).'\n end as reason\n \n \nfrom\n aws_lambda_function;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: medium
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_foundational_security_rds_1.yaml b/compliance/controls/pending/aws/aws_foundational_security_rds_1.yaml
index b889107a5..8b4f4578b 100755
--- a/compliance/controls/pending/aws/aws_foundational_security_rds_1.yaml
+++ b/compliance/controls/pending/aws/aws_foundational_security_rds_1.yaml
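Review bot: `status` in the new `QueryToExecute` counts distinct `availability_zone_id` values over the function's subnets, but `reason` reports `jsonb_array_length(vpc_subnet_ids)` as `' availability zone(s).'`, so a function in two subnets of the same AZ is reported as `alarm` with the text `has 2 availability zone(s)`. Computing the distinct-AZ count once and using it in both columns removes the contradiction and the correlated subquery that only one column currently uses; the rewrite below is shown as a block scalar for readability, the same SQL fits the quoted form used in this hunk.
```yaml
  QueryToExecute: |
    with zones as (
      select
        f.arn,
        (
          select count(distinct s.availability_zone_id)
          from aws_vpc_subnet as s
          where s.subnet_id in (select jsonb_array_elements_text(f.vpc_subnet_ids))
        ) as az_count
      from aws_lambda_function as f
    )
    select
      f.arn as resource,
      case
        when f.vpc_id is null or f.vpc_id = '' then 'skip'
        when z.az_count >= 2 then 'ok'
        else 'alarm'
      end as status,
      case
        when f.vpc_id is null or f.vpc_id = '' then f.title || ' is not in VPC.'
        else f.title || ' has ' || z.az_count || ' availability zone(s).'
      end as reason
    from
      aws_lambda_function as f
      left join zones as z on z.arn = f.arn;
```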
@@ -1,48 +1,13 @@ ID: aws_foundational_security_rds_1 Title: "1 RDS snapshots should be private" Description: "This control checks whether Amazon RDS snapshots are public. This control is intended for RDS instances. It can also return findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters, even though they are not evaluated for public accessibility. If these findings are not useful, you can suppress them." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - arn as resource, - case - when cluster_snapshot -> 'AttributeValues' = '["all"]' then 'alarm' - else 'ok' - end status, - case - when cluster_snapshot -> 'AttributeValues' = '["all"]' then title || ' publicly restorable.' - else title || ' not publicly restorable.' - end reason - - - from - aws_rds_db_cluster_snapshot, - jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot - ) - union - ( - select - arn as resource, - case - when database_snapshot -> 'AttributeValues' = '["all"]' then 'alarm' - else 'ok' - end status, - case - when database_snapshot -> 'AttributeValues' = '["all"]' then title || ' publicly restorable.' - else title || ' not publicly restorable.' 
- end reason - - - from - aws_rds_db_snapshot, - jsonb_array_elements(db_snapshot_attributes) as database_snapshot - ); + QueryToExecute: "(\nselect\n arn as resource,\n case\n when cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when cluster_snapshot -> 'AttributeValues' = '[\"all\"]' then title || ' publicly restorable.'\n else title || ' not publicly restorable.'\n end reason\n \n \nfrom\n aws_rds_db_cluster_snapshot,\n jsonb_array_elements(db_cluster_snapshot_attributes) as cluster_snapshot\n)\nunion\n(\nselect\n arn as resource,\n case\n when database_snapshot -> 'AttributeValues' = '[\"all\"]' then 'alarm'\n else 'ok'\n end status,\n case\n when database_snapshot -> 'AttributeValues' = '[\"all\"]' then title || ' publicly restorable.'\n else title || ' not publicly restorable.'\n end reason\n \n \nfrom\n aws_rds_db_snapshot,\n jsonb_array_elements(db_snapshot_attributes) as database_snapshot\n);\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_rds_23.yaml b/compliance/controls/pending/aws/aws_foundational_security_rds_23.yaml index ddd030d59..244724107 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_rds_23.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_rds_23.yaml 
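Review bot: The public test `cluster_snapshot -> 'AttributeValues' = '[\"all\"]'` (and its `database_snapshot` twin) is jsonb equality, so it only fires when the restore attribute list is exactly the single element "all"; should the API ever return "all" alongside explicit account IDs, the snapshot is reported 'ok' by a critical-severity control. Containment is the safer form in both union arms: `when cluster_snapshot -> 'AttributeValues' @> '[\"all\"]' then 'alarm'`. The `\"` escaping this string now needs is itself a reason to keep the SQL in a block scalar.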
@@ -1,58 +1,13 @@ ID: aws_foundational_security_rds_23 Title: "23 RDS databases and clusters should not use a database engine default port" Description: "This control checks whether the RDS cluster or instance uses a port other than the default port of the database engine." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - arn as resource, - case - when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then 'alarm' - when engine like '%postgres%' and port = '5432' then 'alarm' - when engine like 'oracle%' and port = '1521' then 'alarm' - when engine like 'sqlserver%' and port = '1433' then 'alarm' - else 'ok' - end as status, - case - when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then title || ' ' || engine || ' uses a default port.' - when engine like '%postgres%' and port = '5432' then title || ' ' || engine || ' uses a default port.' - when engine like 'oracle%' and port = '1521' then title || ' ' || engine || ' uses a default port.' - when engine like 'sqlserver%' and port = '1433' then title || ' ' || engine || ' uses a default port.' - else title || ' doesnt use a default port.' - end as reason - - - from - aws_rds_db_cluster - ) - union - ( - select - arn as resource, - case - when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then 'alarm' - when engine like '%postgres%' and port = '5432' then 'alarm' - when engine like 'oracle%' and port = '1521' then 'alarm' - when engine like 'sqlserver%' and port = '1433' then 'alarm' - else 'ok' - end as status, - case - when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then title || ' ' || engine || ' uses a default port.' - when engine like '%postgres%' and port = '5432' then title || ' ' || engine || ' uses a default port.' - when engine like 'oracle%' and port = '1521' then title || ' ' || engine || ' uses a default port.' 
- when engine like 'sqlserver%' and port = '1433' then title || ' ' || engine || ' uses a default port.' - else title || ' doesnt use a default port.' - end as reason - - - from - aws_rds_db_instance - ); + QueryToExecute: "(\nselect\n arn as resource,\n case\n when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then 'alarm'\n when engine like '%postgres%' and port = '5432' then 'alarm'\n when engine like 'oracle%' and port = '1521' then 'alarm'\n when engine like 'sqlserver%' and port = '1433' then 'alarm'\n else 'ok'\n end as status,\n case\n when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then title || ' ' || engine || ' uses a default port.'\n when engine like '%postgres%' and port = '5432' then title || ' ' || engine || ' uses a default port.'\n when engine like 'oracle%' and port = '1521' then title || ' ' || engine || ' uses a default port.'\n when engine like 'sqlserver%' and port = '1433' then title || ' ' || engine || ' uses a default port.'\n else title || ' doesnt use a default port.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster\n)\nunion\n(\nselect\n arn as resource,\n case\n when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then 'alarm'\n when engine like '%postgres%' and port = '5432' then 'alarm'\n when engine like 'oracle%' and port = '1521' then 'alarm'\n when engine like 'sqlserver%' and port = '1433' then 'alarm'\n else 'ok'\n end as status,\n case\n when engine similar to '%(aurora|mysql|mariadb)%' and port = '3306' then title || ' ' || engine || ' uses a default port.'\n when engine like '%postgres%' and port = '5432' then title || ' ' || engine || ' uses a default port.'\n when engine like 'oracle%' and port = '1521' then title || ' ' || engine || ' uses a default port.'\n when engine like 'sqlserver%' and port = '1433' then title || ' ' || engine || ' uses a default port.'\n else title || ' doesnt use a default port.'\n end as reason\n \n \nfrom\n aws_rds_db_instance\n);\n" 
PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_rds_4.yaml b/compliance/controls/pending/aws/aws_foundational_security_rds_4.yaml index 57c7ec58e..ca36bfaf0 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_rds_4.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_rds_4.yaml 
@@ -1,46 +1,13 @@ ID: aws_foundational_security_rds_4 Title: "4 RDS cluster snapshots and database snapshots should be encrypted at rest" Description: "This control checks whether RDS DB snapshots are encrypted. This control is intended for RDS DB instances. However, it can also generate findings for snapshots of Aurora DB instances, Neptune DB instances, and Amazon DocumentDB clusters. If these findings are not useful, then you can suppress them." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - arn as resource, - case - when storage_encrypted then 'ok' - else 'alarm' - end as status, - case - when storage_encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_rds_db_cluster_snapshot - ) - union - ( - select - arn as resource, - case - when encrypted then 'ok' - else 'alarm' - end as status, - case - when encrypted then title || ' encrypted at rest.' - else title || ' not encrypted at rest.' - end as reason - - - from - aws_rds_db_snapshot - ); + QueryToExecute: "(\nselect\n arn as resource,\n case\n when storage_encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when storage_encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster_snapshot\n)\nunion\n(\nselect\n arn as resource,\n case\n when encrypted then 'ok'\n else 'alarm'\n end as status,\n case\n when encrypted then title || ' encrypted at rest.'\n else title || ' not encrypted at rest.'\n end as reason\n \n \nfrom\n aws_rds_db_snapshot\n);\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: medium Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_rds_6.yaml b/compliance/controls/pending/aws/aws_foundational_security_rds_6.yaml index da082911b..ac4745f6d 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_rds_6.yaml 
+++ b/compliance/controls/pending/aws/aws_foundational_security_rds_6.yaml 
@@ -1,48 +1,13 @@ ID: aws_foundational_security_rds_6 Title: "6 Enhanced monitoring should be configured for RDS DB instances and clusters" Description: "This control checks whether enhanced monitoring is enabled for your RDS DB instances. In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - ( - select - arn as resource, - case - when enabled_cloudwatch_logs_exports is not null then 'ok' - else 'alarm' - end as status, - case - when enabled_cloudwatch_logs_exports is not null then title || ' enhanced monitoring enabled.' - else title || ' enhanced monitoring not enabled.' - end as reason - - - from - aws_rds_db_cluster - ) - union - ( - select - arn as resource, - case - when class = 'db.m1.small' then 'skip' - when enhanced_monitoring_resource_arn is not null then 'ok' - else 'alarm' - end as status, - case - when class = 'db.m1.small' then title || ' enhanced monitoring not supported.' - when enhanced_monitoring_resource_arn is not null then title || ' enhanced monitoring enabled.' - else title || ' enhanced monitoring not enabled.' 
- end as reason - - - from - aws_rds_db_instance - ); + QueryToExecute: "(\nselect\n arn as resource,\n case\n when enabled_cloudwatch_logs_exports is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when enabled_cloudwatch_logs_exports is not null then title || ' enhanced monitoring enabled.'\n else title || ' enhanced monitoring not enabled.'\n end as reason\n \n \nfrom\n aws_rds_db_cluster\n)\nunion\n(\nselect\n arn as resource,\n case\n when class = 'db.m1.small' then 'skip'\n when enhanced_monitoring_resource_arn is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when class = 'db.m1.small' then title || ' enhanced monitoring not supported.'\n when enhanced_monitoring_resource_arn is not null then title || ' enhanced monitoring enabled.'\n else title || ' enhanced monitoring not enabled.'\n end as reason\n \n \nfrom\n aws_rds_db_instance\n);\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_s3_2.yaml b/compliance/controls/pending/aws/aws_foundational_security_s3_2.yaml index 1c51d8c1f..4bd8ac0f8 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_s3_2.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_s3_2.yaml 
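Review bot: The cluster arm uses `enabled_cloudwatch_logs_exports is not null` as its evidence for enhanced monitoring, but that column describes CloudWatch log export, not the Enhanced Monitoring agent, so clusters are passed or failed on an unrelated setting. For Aurora the monitoring interval is configured per member instance, so the cluster arm should either be dropped (the instance arm already covers the members) or test a monitoring-specific column, as the instance arm's `enhanced_monitoring_resource_arn is not null` already does. As written, a cluster can be scored 'ok' with no monitoring configured anywhere.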
@@ -1,68 +1,13 @@ ID: aws_foundational_security_s3_2 Title: "2 S3 buckets should prohibit public read access" Description: "This control checks whether your S3 buckets allow public read access. It evaluates the Block Public Access settings, the bucket policy, and the bucket access control list (ACL)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with public_acl as ( - select - distinct name - from - aws_s3_bucket, - jsonb_array_elements(acl -> 'Grants') as grants - where - (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers' - or grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers') - and ( - grants ->> 'Permission' = 'FULL_CONTROL' - or grants ->> 'Permission' = 'READ_ACP' - or grants ->> 'Permission' = 'READ' - ) - ),read_access_policy as ( - select - distinct name - from - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Action') as action - where - s ->> 'Effect' = 'Allow' - and ( - s -> 'Principal' -> 'AWS' = '["*"]' - or s ->> 'Principal' = '*' - ) - and ( - action = '*' - or action = '*:*' - or action = 's3:*' - or action ilike 's3:get%' - or action ilike 's3:list%' - ) - ) - select - b.arn as resource, - case - when (block_public_acls or a.name is null) and not bucket_policy_is_public then 'ok' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then 'ok' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then 'ok' - else 'alarm' - end as status, - case - when (block_public_acls or a.name is null) and not bucket_policy_is_public then b.title || ' not publicly readable.' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then b.title || ' not publicly readable.' 
- when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then b.title || ' not publicly readable.' - else b.title || ' publicly readable.' - end as reason - - - from - aws_s3_bucket as b - left join public_acl as a on b.name = a.name - left join read_access_policy as p on b.name = p.name; + QueryToExecute: "with public_acl as (\n select\n distinct name\n from\n aws_s3_bucket,\n jsonb_array_elements(acl -> 'Grants') as grants\n where\n (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'\n or grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers')\n and (\n grants ->> 'Permission' = 'FULL_CONTROL'\n or grants ->> 'Permission' = 'READ_ACP'\n or grants ->> 'Permission' = 'READ'\n )\n ),read_access_policy as (\n select\n distinct name\n from\n aws_s3_bucket,\n jsonb_array_elements(policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n s ->> 'Effect' = 'Allow'\n and (\n s -> 'Principal' -> 'AWS' = '[\"*\"]'\n or s ->> 'Principal' = '*'\n )\n and (\n action = '*'\n or action = '*:*'\n or action = 's3:*'\n or action ilike 's3:get%'\n or action ilike 's3:list%'\n )\n)\nselect\n b.arn as resource,\n case\n when (block_public_acls or a.name is null) and not bucket_policy_is_public then 'ok'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then 'ok'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then 'ok'\n else 'alarm'\n end as status,\n case\n when (block_public_acls or a.name is null) and not bucket_policy_is_public then b.title || ' not publicly readable.'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then b.title || ' not publicly readable.'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then b.title || ' not publicly readable.'\n else 
b.title || ' publicly readable.'\n end as reason\n \n \nfrom\n aws_s3_bucket as b\n left join public_acl as a on b.name = a.name\n left join read_access_policy as p on b.name = p.name;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_foundational_security_s3_3.yaml b/compliance/controls/pending/aws/aws_foundational_security_s3_3.yaml index b4bd6c3fc..2b30c3b44 100755 --- a/compliance/controls/pending/aws/aws_foundational_security_s3_3.yaml +++ b/compliance/controls/pending/aws/aws_foundational_security_s3_3.yaml 
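Review bot: The 'ok' branches treat `block_public_acls` and `block_public_policy` as proof that public read access is blocked, but those two settings only reject new public ACLs and policies; an existing public ACL grant stays effective unless `ignore_public_acls` is set, and an existing public policy stays effective unless `restrict_public_buckets` is set, so a bucket made public before Block Public Access was enabled is reported 'ok' by this critical control. If the table exposes those settings as the Steampipe `aws_s3_bucket` schema does, the ACL clause should become `(ignore_public_acls or a.name is null)` and the policy clause `(bucket_policy_is_public and restrict_public_buckets)`, in both the status and the reason expressions. The s3_3 hunk below has the same gap on the write side. The CTEs also ignore any `Condition` on the statement, which only makes the check stricter and is acceptable here.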
@@ -1,72 +1,13 @@ ID: aws_foundational_security_s3_3 Title: "3 S3 buckets should prohibit public write access" Description: "This control checks whether your S3 buckets allow public write access. It evaluates the block public access settings, the bucket policy, and the bucket access control list (ACL)." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with public_acl as ( - select - distinct name - from - aws_s3_bucket, - jsonb_array_elements(acl -> 'Grants') as grants - where - (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers' - or grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers') - and ( - grants ->> 'Permission' = 'FULL_CONTROL' - or grants ->> 'Permission' = 'WRITE_ACP' - or grants ->> 'Permission' = 'WRITE' - ) - ), write_access_policy as ( - select - distinct name - from - aws_s3_bucket, - jsonb_array_elements(policy_std -> 'Statement') as s, - jsonb_array_elements_text(s -> 'Action') as action - where - s ->> 'Effect' = 'Allow' - and ( - s -> 'Principal' -> 'AWS' = '["*"]' - or s ->> 'Principal' = '*' - ) - and ( - action = '*' - or action = '*:*' - or action = 's3:*' - or action ilike 's3:put%' - or action ilike 's3:delete%' - or action ilike 's3:create%' - or action ilike 's3:update%' - or action ilike 's3:replicate%' - or action ilike 's3:restore%' - ) - ) - select - b.arn as resource, - case - when (block_public_acls or a.name is null) and not bucket_policy_is_public then 'ok' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then 'ok' - when bucket_policy_is_public and p.name is null then 'ok' - else 'alarm' - end status, - case - when (block_public_acls or a.name is null ) and not bucket_policy_is_public then b.title || ' not publicly writable.' - when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then b.title || ' not publicly writable.' 
- when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then b.title || ' not publicly writable.' - else b.title || ' publicly writable.' - end reason - - - from - aws_s3_bucket as b - left join public_acl as a on b.name = a.name - left join write_access_policy as p on b.name = p.name; + QueryToExecute: "with public_acl as (\n select\n distinct name\n from\n aws_s3_bucket,\n jsonb_array_elements(acl -> 'Grants') as grants\n where\n (grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'\n or grants -> 'Grantee' ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers')\n and (\n grants ->> 'Permission' = 'FULL_CONTROL'\n or grants ->> 'Permission' = 'WRITE_ACP'\n or grants ->> 'Permission' = 'WRITE'\n )\n), write_access_policy as (\n select\n distinct name\n from\n aws_s3_bucket,\n jsonb_array_elements(policy_std -> 'Statement') as s,\n jsonb_array_elements_text(s -> 'Action') as action\n where\n s ->> 'Effect' = 'Allow'\n and (\n s -> 'Principal' -> 'AWS' = '[\"*\"]'\n or s ->> 'Principal' = '*'\n )\n and (\n action = '*'\n or action = '*:*'\n or action = 's3:*'\n or action ilike 's3:put%'\n or action ilike 's3:delete%'\n or action ilike 's3:create%'\n or action ilike 's3:update%'\n or action ilike 's3:replicate%'\n or action ilike 's3:restore%'\n )\n)\nselect\n b.arn as resource,\n case\n when (block_public_acls or a.name is null) and not bucket_policy_is_public then 'ok'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then 'ok'\n when bucket_policy_is_public and p.name is null then 'ok'\n else 'alarm'\n end status,\n case\n when (block_public_acls or a.name is null ) and not bucket_policy_is_public then b.title || ' not publicly writable.'\n when (block_public_acls or a.name is null) and (bucket_policy_is_public and block_public_policy) then b.title || ' not publicly writable.'\n when (block_public_acls or a.name is null) and 
(bucket_policy_is_public and p.name is null) then b.title || ' not publicly writable.'\n else b.title || ' publicly writable.'\n end reason\n \n \nfrom\n aws_s3_bucket as b\n left join public_acl as a on b.name = a.name\n left join write_access_policy as p on b.name = p.name;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: critical Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_glue_dev_endpoint_cloudwatch_logs_encryption_enabled.yaml b/compliance/controls/pending/aws/aws_glue_dev_endpoint_cloudwatch_logs_encryption_enabled.yaml index 54dc63e65..e374a406a 100755 --- a/compliance/controls/pending/aws/aws_glue_dev_endpoint_cloudwatch_logs_encryption_enabled.yaml +++ b/compliance/controls/pending/aws/aws_glue_dev_endpoint_cloudwatch_logs_encryption_enabled.yaml 
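Review bot: The third status branch `when bucket_policy_is_public and p.name is null then 'ok'` has lost the `(block_public_acls or a.name is null)` guard that the matching reason branch still carries, so a bucket whose ACL grants WRITE to AllUsers is scored 'ok' whenever its policy is public but holds no write actions, while its reason reads 'publicly writable.'. The status line should read `when (block_public_acls or a.name is null) and (bucket_policy_is_public and p.name is null) then 'ok'`, matching the s3_2 query above.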
@@ -1,27 +1,13 @@ ID: aws_glue_dev_endpoint_cloudwatch_logs_encryption_enabled Title: "Glue dev endpoints CloudWatch logs encryption should be enabled" Description: "Ensure Glue dev endpoints have CloudWatch logs encryption enabled to protect sensitive information at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - e.arn as resource, - case - when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok' - else 'alarm' - end as status, - case - when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then e.title || ' CloudWatch logs encryption enabled.' - else e.title || ' CloudWatch logs encryption disabled.' - end as reason - - from - aws_glue_dev_endpoint as e - left join aws_glue_security_configuration as c on e.security_configuration = c.name; + QueryToExecute: "select\n e.arn as resource,\n case\n when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then e.title || ' CloudWatch logs encryption enabled.'\n else e.title || ' CloudWatch logs encryption disabled.'\n end as reason\n \nfrom\n aws_glue_dev_endpoint as e\n left join aws_glue_security_configuration as c on e.security_configuration = c.name;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_glue_dev_endpoint_job_bookmarks_encryption_enabled.yaml b/compliance/controls/pending/aws/aws_glue_dev_endpoint_job_bookmarks_encryption_enabled.yaml index 126ad1a35..e6f57dd7d 100755 --- a/compliance/controls/pending/aws/aws_glue_dev_endpoint_job_bookmarks_encryption_enabled.yaml 
+++ b/compliance/controls/pending/aws/aws_glue_dev_endpoint_job_bookmarks_encryption_enabled.yaml @@ -1,27 +1,13 @@ ID: aws_glue_dev_endpoint_job_bookmarks_encryption_enabled Title: "Glue dev endpoints job bookmark encryption should be enabled" Description: "Ensure Glue dev endpoints have job bookmark encryption enabled to protect sensitive information at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - e.arn as resource, - case - when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok' - else 'alarm' - end as status, - case - when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then e.title || ' job bookmark encryption enabled.' - else e.title || ' job bookmark encryption disabled.' - end as reason - - from - aws_glue_dev_endpoint as e - left join aws_glue_security_configuration as c on e.security_configuration = c.name; + QueryToExecute: "select\n e.arn as resource,\n case\n when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when job_bookmarks_encryption is not null and job_bookmarks_encryption ->> 'JobBookmarksEncryptionMode' != 'DISABLED' then e.title || ' job bookmark encryption enabled.'\n else e.title || ' job bookmark encryption disabled.'\n end as reason\n \nfrom\n aws_glue_dev_endpoint as e\n left join aws_glue_security_configuration as c on e.security_configuration = c.name;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_glue_dev_endpoint_s3_encryption_enabled.yaml b/compliance/controls/pending/aws/aws_glue_dev_endpoint_s3_encryption_enabled.yaml index e49aa3a01..14e8a0730 100755 
--- a/compliance/controls/pending/aws/aws_glue_dev_endpoint_s3_encryption_enabled.yaml +++ b/compliance/controls/pending/aws/aws_glue_dev_endpoint_s3_encryption_enabled.yaml @@ -1,28 +1,13 @@ ID: aws_glue_dev_endpoint_s3_encryption_enabled Title: "Glue dev endpoints S3 encryption should be enabled" Description: "Ensure Glue dev endpoints have S3 encryption enabled to protect sensitive information at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - d.arn as resource, - case - when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok' - else 'alarm' - end as status, - case - when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' S3 encryption enabled.' - else d.title || ' S3 encryption disabled.' - end as reason - - from - aws_glue_dev_endpoint as d - left join aws_glue_security_configuration s on d.security_configuration = s.name, - jsonb_array_elements(s.s3_encryption) e; + QueryToExecute: "select\n d.arn as resource,\n case\n when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then d.title || ' S3 encryption enabled.'\n else d.title || ' S3 encryption disabled.'\n end as reason\n \nfrom\n aws_glue_dev_endpoint as d\n left join aws_glue_security_configuration s on d.security_configuration = s.name,\n jsonb_array_elements(s.s3_encryption) e;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_glue_job_cloudwatch_logs_encryption_enabled.yaml b/compliance/controls/pending/aws/aws_glue_job_cloudwatch_logs_encryption_enabled.yaml index cfc526e4a..caeaf450e 100755 --- a/compliance/controls/pending/aws/aws_glue_job_cloudwatch_logs_encryption_enabled.yaml +++ b/compliance/controls/pending/aws/aws_glue_job_cloudwatch_logs_encryption_enabled.yaml 
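Review bot: `jsonb_array_elements(s.s3_encryption) e` in the FROM list is an implicit lateral cross join (assuming PostgreSQL semantics, which the jsonb operators imply), so a dev endpoint whose `security_configuration` does not resolve leaves `s.s3_encryption` null, yields zero rows and drops out of the result instead of reaching the 'alarm' branch; the `e is not null` test is effectively dead and endpoints with no security configuration are never reported. An outer lateral join keeps the row: `left join lateral jsonb_array_elements(s.s3_encryption) e on true`. A configuration with several S3 encryption entries will still emit one row per entry for the same arn, which may need a `distinct` or an aggregate. The aws_glue_job_s3_encryption_enabled hunk below has the same join.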
@@ -1,27 +1,13 @@ ID: aws_glue_job_cloudwatch_logs_encryption_enabled Title: "Glue jobs CloudWatch logs encryption should be enabled" Description: "Ensure Glue jobs have CloudWatch logs encryption enabled to protect sensitive information at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - j.arn as resource, - case - when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok' - else 'alarm' - end as status, - case - when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' CloudWatch logs encryption enabled.' - else j.title || ' CloudWatch logs encryption disabled.' - end as reason - - from - aws_glue_job as j - left join aws_glue_security_configuration as c on j.security_configuration = c.name; + QueryToExecute: "select\n j.arn as resource,\n case\n when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when cloud_watch_encryption is not null and cloud_watch_encryption ->> 'CloudWatchEncryptionMode' != 'DISABLED' then j.title || ' CloudWatch logs encryption enabled.'\n else j.title || ' CloudWatch logs encryption disabled.'\n end as reason\n \nfrom\n aws_glue_job as j\n left join aws_glue_security_configuration as c on j.security_configuration = c.name;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_glue_job_s3_encryption_enabled.yaml b/compliance/controls/pending/aws/aws_glue_job_s3_encryption_enabled.yaml index 45ba61877..c0f0f5f2f 100755 --- a/compliance/controls/pending/aws/aws_glue_job_s3_encryption_enabled.yaml +++ b/compliance/controls/pending/aws/aws_glue_job_s3_encryption_enabled.yaml 
@@ -1,28 +1,13 @@ ID: aws_glue_job_s3_encryption_enabled Title: "Glue jobs S3 encryption should be enabled" Description: "Ensure Glue jobs have S3 encryption enabled to protect sensitive information at rest." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - j.arn as resource, - case - when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok' - else 'alarm' - end as status, - case - when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' S3 encryption enabled.' - else j.title || ' S3 encryption disabled.' - end as reason - - from - aws_glue_job as j - left join aws_glue_security_configuration as s on j.security_configuration = s.name, - jsonb_array_elements(s.s3_encryption) e; + QueryToExecute: "select\n j.arn as resource,\n case\n when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then 'ok'\n else 'alarm'\n end as status,\n case\n when e is not null and e ->> 'S3EncryptionMode' != 'DISABLED' then j.title || ' S3 encryption enabled.'\n else j.title || ' S3 encryption disabled.'\n end as reason\n \nfrom\n aws_glue_job as j\n left join aws_glue_security_configuration as s on j.security_configuration = s.name,\n jsonb_array_elements(s.s3_encryption) e;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_guardduty_centrally_configured.yaml b/compliance/controls/pending/aws/aws_guardduty_centrally_configured.yaml index dff84f614..366fc32ec 100755 --- a/compliance/controls/pending/aws/aws_guardduty_centrally_configured.yaml +++ b/compliance/controls/pending/aws/aws_guardduty_centrally_configured.yaml 
@@ -1,8 +1,6 @@ ID: aws_guardduty_centrally_configured Title: "GuardDuty Detector should be centrally configured" Description: "Ensure that GuardDuty is centrally configured, if GuardDuty is not under central management, it becomes impossible to centrally manage GuardDuty findings, settings, and member accounts." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -25,7 +23,7 @@ Query: when status = 'ENABLED' and master_account ->> 'AccountId' is not null then r.region || ' detector ' || d.title || ' centrally configured.' else r.region || ' detector ' || d.title || ' not centrally configured..' end as reason - + from aws_region as r left join aws_guardduty_detector d on r.account_id = d.account_id and r.name = d.region; @@ -34,3 +32,5 @@ Query: Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_iam_access_analyzer_enabled_without_findings.yaml b/compliance/controls/pending/aws/aws_iam_access_analyzer_enabled_without_findings.yaml index 964443e14..b916ecab2 100755 --- a/compliance/controls/pending/aws/aws_iam_access_analyzer_enabled_without_findings.yaml +++ b/compliance/controls/pending/aws/aws_iam_access_analyzer_enabled_without_findings.yaml 
@@ -1,35 +1,13 @@ ID: aws_iam_access_analyzer_enabled_without_findings Title: "IAM Access analyzer should be enabled without findings" Description: "This control checks whether the IAM Access analyzer is enabled without findings. If you grant permissions to an S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource, - case - -- Skip any regions that are disabled in the account. - when r.opt_in_status = 'not-opted-in' then 'skip' - when aa.status = 'ACTIVE' and aa.findings is null then 'ok' - when aa.status = 'ACTIVE' and jsonb_array_length(aa.findings) > 0 then 'alarm' - when aa.status = 'NOT_AVAILABLE' then 'alarm' - else 'alarm' - end as status, - case - when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.' - when aa.status = 'ACTIVE' and aa.findings is null then aa.name || ' does not have active findings in region ' || r.region || '.' - when aa.status = 'ACTIVE' and jsonb_array_length(aa.findings) > 0 then aa.name || ' has active findings in region ' || r.region || '.' - when aa.status = 'NOT_AVAILABLE' then aa.name || ' is not enabled in region ' || r.region || '.' - else 'IAM Access Analyzer is not active in region ' || r.region || '.' 
- end as reason - - - from - aws_region as r - left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region; + QueryToExecute: "select\n 'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,\n case\n -- Skip any regions that are disabled in the account.\n when r.opt_in_status = 'not-opted-in' then 'skip'\n when aa.status = 'ACTIVE' and aa.findings is null then 'ok'\n when aa.status = 'ACTIVE' and jsonb_array_length(aa.findings) > 0 then 'alarm'\n when aa.status = 'NOT_AVAILABLE' then 'alarm'\n else 'alarm'\n end as status,\n case\n when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'\n when aa.status = 'ACTIVE' and aa.findings is null then aa.name || ' does not have active findings in region ' || r.region || '.'\n when aa.status = 'ACTIVE' and jsonb_array_length(aa.findings) > 0 then aa.name || ' has active findings in region ' || r.region || '.'\n when aa.status = 'NOT_AVAILABLE' then aa.name || ' is not enabled in region ' || r.region || '.'\n else 'IAM Access Analyzer is not active in region ' || r.region || '.'\n end as reason\n \n \nfrom\n aws_region as r\n left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_iam_password_policy_expire_90.yaml b/compliance/controls/pending/aws/aws_iam_password_policy_expire_90.yaml index 5611a5d30..c960bbef5 100755 --- a/compliance/controls/pending/aws/aws_iam_password_policy_expire_90.yaml +++ b/compliance/controls/pending/aws/aws_iam_password_policy_expire_90.yaml 
@@ -1,27 +1,13 @@
 ID: aws_iam_password_policy_expire_90
 Title: "Ensure IAM password policy expires passwords within 90 days or less"
 Description: "IAM password policies can require passwords to be rotated or expired after a given number of days. Security Hub recommends that the password policy expire passwords after 90 days or less. Reducing the password lifetime increases account resiliency against brute force login attempts."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- 'arn:' || a.partition || ':::' || a.account_id as resource,
- case
- when max_password_age <= 90 then 'ok'
- else 'alarm'
- end as status,
- case
- when max_password_age is null then 'Password expiration not set.'
- else 'Password expiration set to ' || max_password_age || ' days.'
- end as reason
-
- from
- aws_account as a
- left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;
+ QueryToExecute: "select\n 'arn:' || a.partition || ':::' || a.account_id as resource,\n case\n when max_password_age <= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when max_password_age is null then 'Password expiration not set.'\n else 'Password expiration set to ' || max_password_age || ' days.'\n end as reason\n \nfrom\n aws_account as a\n left join aws_iam_account_password_policy as pol on a.account_id = pol.account_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_iam_role_cross_account_read_only_access_policy.yaml b/compliance/controls/pending/aws/aws_iam_role_cross_account_read_only_access_policy.yaml
index 8503603fd..6d34ba1c8 100755
--- a/compliance/controls/pending/aws/aws_iam_role_cross_account_read_only_access_policy.yaml
+++ b/compliance/controls/pending/aws/aws_iam_role_cross_account_read_only_access_policy.yaml
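Review bot: The 'ok' branch `when max_password_age <= 90 then 'ok'` also accepts 0, which in the IAM API is the value meaning passwords never expire; if `aws_iam_account_password_policy` surfaces that default instead of NULL when expiration is disabled, an account with no rotation at all passes this control. A lower bound removes the ambiguity, `when max_password_age between 1 and 90 then 'ok'`, and the reason branch can mirror it. Whether the column can actually be 0 is not visible here, so verify the table's handling of ExpirePasswords before relying on the threshold.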
@@ -1,52 +1,13 @@ ID: aws_iam_role_cross_account_read_only_access_policy Title: "IAM roles should not have read only access for external AWS accounts" Description: "Ensure IAM Roles do not have ReadOnlyAccess access for external AWS account. The AWS-managed ReadOnlyAccess policy carries a high risk of potential data leakage, posing a significant threat to customer security and privacy." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with read_only_access_roles as ( - select - * - from - aws_iam_role, - jsonb_array_elements_text(attached_policy_arns) as a - where - a = 'arn:aws:iam::aws:policy/ReadOnlyAccess' - ), read_only_access_roles_with_cross_account_access as ( - select - arn - from - read_only_access_roles, - jsonb_array_elements(assume_role_policy_std -> 'Statement') as stmt, - jsonb_array_elements_text( stmt -> 'Principal' -> 'AWS' ) as p - where - stmt ->> 'Effect' = 'Allow' - and ( - p = '*' - or not (p like '%' || account_id || '%') - ) - ) - select - r.arn as resource, - case - when ar.arn is null then 'skip' - when c.arn is not null then 'alarm' - else 'ok' - end as status, - case - when ar.arn is null then r.title || ' not associated with ReadOnlyAccess policy.' - when c.arn is not null then r.title || ' associated with ReadOnlyAccess cross account access.' - else r.title || ' associated ReadOnlyAccess without cross account access.' 
- end as reason - - from - aws_iam_role as r - left join read_only_access_roles as ar on r.arn = ar.arn - left join read_only_access_roles_with_cross_account_access as c on c.arn = r.arn; + QueryToExecute: "with read_only_access_roles as (\n select\n *\n from\n aws_iam_role,\n jsonb_array_elements_text(attached_policy_arns) as a\n where\n a = 'arn:aws:iam::aws:policy/ReadOnlyAccess'\n), read_only_access_roles_with_cross_account_access as (\n select\n arn\n from\n read_only_access_roles,\n jsonb_array_elements(assume_role_policy_std -> 'Statement') as stmt,\n jsonb_array_elements_text( stmt -> 'Principal' -> 'AWS' ) as p\n where\n stmt ->> 'Effect' = 'Allow'\n and (\n p = '*'\n or not (p like '%' || account_id || '%')\n )\n)\nselect\n r.arn as resource,\n case\n when ar.arn is null then 'skip'\n when c.arn is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when ar.arn is null then r.title || ' not associated with ReadOnlyAccess policy.'\n when c.arn is not null then r.title || ' associated with ReadOnlyAccess cross account access.'\n else r.title || ' associated ReadOnlyAccess without cross account access.'\n end as reason\n \nfrom\n aws_iam_role as r\n left join read_only_access_roles as ar on r.arn = ar.arn\n left join read_only_access_roles_with_cross_account_access as c on c.arn = r.arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_iam_user_hardware_mfa_enabled.yaml b/compliance/controls/pending/aws/aws_iam_user_hardware_mfa_enabled.yaml index e173de16c..2ac647f6b 100755 --- a/compliance/controls/pending/aws/aws_iam_user_hardware_mfa_enabled.yaml +++ b/compliance/controls/pending/aws/aws_iam_user_hardware_mfa_enabled.yaml 
@@ -1,30 +1,13 @@
 ID: aws_iam_user_hardware_mfa_enabled
 Title: "IAM users should have hardware MFA enabled"
 Description: "Manage access to resources in the AWS Cloud by ensuring hardware MFA is enabled for the user."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- u.arn as resource,
- case
- when serial_number is null then 'alarm'
- when serial_number like any(array['%mfa%','%sms-mfa%']) then 'info'
- else 'ok'
- end as status,
- case
- when serial_number is null then u.name || ' MFA device not configured.'
- when serial_number like any(array['%mfa%','%sms-mfa%']) then u.name || ' MFA enabled, but the MFA associated is a virtual device.'
- else u.name || ' hardware MFA device enabled.'
- end as reason
-
-
- from
- aws_iam_virtual_mfa_device as m
- right join aws_iam_user as u on m.user_id = u.user_id;
+ QueryToExecute: "select\n u.arn as resource,\n case\n when serial_number is null then 'alarm'\n when serial_number like any(array['%mfa%','%sms-mfa%']) then 'info'\n else 'ok'\n end as status,\n case\n when serial_number is null then u.name || ' MFA device not configured.'\n when serial_number like any(array['%mfa%','%sms-mfa%']) then u.name || ' MFA enabled, but the MFA associated is a virtual device.'\n else u.name || ' hardware MFA device enabled.'\n end as reason\n \n \nfrom\n aws_iam_virtual_mfa_device as m\n right join aws_iam_user as u on m.user_id = u.user_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_lightsail_instance_rdp_restricted_ip.yaml b/compliance/controls/pending/aws/aws_lightsail_instance_rdp_restricted_ip.yaml
index cdcd37c09..0ffa171d7 100755
--- a/compliance/controls/pending/aws/aws_lightsail_instance_rdp_restricted_ip.yaml
+++ b/compliance/controls/pending/aws/aws_lightsail_instance_rdp_restricted_ip.yaml
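Review bot: The join source `aws_iam_virtual_mfa_device` by construction lists only virtual devices, so a user protected by a hardware token has no matching row, `serial_number` is NULL, and the user is reported with the alarm 'MFA device not configured' — the opposite of the control's intent. Virtual MFA serial numbers are ARNs of the form `arn:aws:iam::<account>:mfa/<name>`, so every row that does join hits the `'%mfa%'` pattern and the `else 'ok'` ... 'hardware MFA device enabled' branch appears unreachable. Distinguishing the two requires the user's own MFA device list, whichever column of `aws_iam_user` exposes it, rather than this table. Minor: the second pattern in `like any(array['%mfa%','%sms-mfa%'])` is subsumed by the first.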
@@ -1,8 +1,6 @@
 ID: aws_lightsail_instance_rdp_restricted_ip
 Title: "Ensure RDP is restricted to only IP address that should have this access"
 Description: "Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should identify which IP address need access."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -53,3 +51,5 @@ Query:
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_lightsail_instance_ssh_rdp_http_ports_disabled.yaml b/compliance/controls/pending/aws/aws_lightsail_instance_ssh_rdp_http_ports_disabled.yaml
index 799e4e5d4..e141fb1d8 100755
--- a/compliance/controls/pending/aws/aws_lightsail_instance_ssh_rdp_http_ports_disabled.yaml
+++ b/compliance/controls/pending/aws/aws_lightsail_instance_ssh_rdp_http_ports_disabled.yaml
@@ -1,8 +1,6 @@
 ID: aws_lightsail_instance_ssh_rdp_http_ports_disabled
 Title: "Disable SSH and RDP ports for Lightsail instances when not needed"
 Description: "Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should remove and disable these ports when not is use."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -54,3 +52,5 @@ Query:
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_lightsail_instance_ssh_restricted_ip.yaml b/compliance/controls/pending/aws/aws_lightsail_instance_ssh_restricted_ip.yaml
index 13638282d..6b4730126 100755
--- a/compliance/controls/pending/aws/aws_lightsail_instance_ssh_restricted_ip.yaml
+++ b/compliance/controls/pending/aws/aws_lightsail_instance_ssh_restricted_ip.yaml
@@ -1,8 +1,6 @@
 ID: aws_lightsail_instance_ssh_restricted_ip
 Title: "Ensure SSH is restricted to only IP address that should have this access"
 Description: "Any ports enable within Lightsail by default are open and exposed to the world. For SSH and RDP access you should identify which IP address need access."
-Connector:
-- aws
 Query:
 Engine: CloudQL-v0.0.1
 QueryToExecute: |
@@ -53,3 +51,5 @@ Query:
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - aws_cloud
diff --git a/compliance/controls/pending/aws/aws_rds_db_cluster_encrypted_with_cmk.yaml b/compliance/controls/pending/aws/aws_rds_db_cluster_encrypted_with_cmk.yaml
index d8fc7d647..db42476f6 100755
--- a/compliance/controls/pending/aws/aws_rds_db_cluster_encrypted_with_cmk.yaml
+++ b/compliance/controls/pending/aws/aws_rds_db_cluster_encrypted_with_cmk.yaml
@@ -1,50 +1,13 @@ ID: aws_rds_db_cluster_encrypted_with_cmk Title: "RDS DB clusters should be encrypted with CMK" Description: "Ensure RDS DB cluster is encrypted using CMK. The rule is non-compliant if the RDS DB cluster is not encrypted using CMK." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with rds_clusters as ( - select - arn, - region, - account_id, - kms_key_id, - storage_encrypted, - title, - tags, - _ctx - from - aws_rds_db_cluster - ), kms_keys as ( - select - k.arn, - k.key_manager, - k.enabled - from - aws_kms_key as k - ) - select - r.arn as resource, - case - when not storage_encrypted then 'alarm' - when storage_encrypted and c.key_manager = 'CUSTOMER' then 'ok' - else 'alarm' - end as status, - case - when not storage_encrypted then title || ' not encrypted.' - when storage_encrypted and c.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.' - else title || ' not encrypted with CMK.' - end as reason - - - from - rds_clusters as r - left join kms_keys as c on r.kms_key_id = c.arn; + QueryToExecute: "with rds_clusters as (\n select\n arn,\n region,\n account_id,\n kms_key_id,\n storage_encrypted,\n title,\n tags,\n _ctx\n from\n aws_rds_db_cluster\n), kms_keys as (\n select\n k.arn,\n k.key_manager,\n k.enabled\n from\n aws_kms_key as k\n)\nselect\n r.arn as resource,\n case\n when not storage_encrypted then 'alarm'\n when storage_encrypted and c.key_manager = 'CUSTOMER' then 'ok'\n else 'alarm'\n end as status,\n case\n when not storage_encrypted then title || ' not encrypted.'\n when storage_encrypted and c.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'\n else title || ' not encrypted with CMK.'\n end as reason\n \n \nfrom\n rds_clusters as r\n left join kms_keys as c on r.kms_key_id = c.arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
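Review bot: A cluster encrypted with a key that has no row in `aws_kms_key` — typically a CMK owned by another account and shared into this one — gets no `c` match from the left join and collapses into the same 'not encrypted with CMK' alarm as an AWS-managed key, which sends remediation in the wrong direction. A branch before the catch-all separates the cases, e.g. `when storage_encrypted and c.arn is null then title || ' encrypted with a key not visible in this account.'`, with the status left as 'alarm' or downgraded to 'info' per policy. The `rds_clusters` CTE also selects `region`, `account_id`, `tags` and `_ctx`, and `kms_keys` selects `k.enabled`, none of which the final select reads; trimming them makes the intent clearer.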
diff --git a/compliance/controls/pending/aws/aws_rds_db_instance_no_public_subnet.yaml b/compliance/controls/pending/aws/aws_rds_db_instance_no_public_subnet.yaml
index 47435a3cb..a028a49f7 100755
--- a/compliance/controls/pending/aws/aws_rds_db_instance_no_public_subnet.yaml
+++ b/compliance/controls/pending/aws/aws_rds_db_instance_no_public_subnet.yaml
@@ -1,90 +1,13 @@ ID: aws_rds_db_instance_no_public_subnet Title: "RDS DB instances should not use public subnet" Description: "This control checks if RDS DB instance is configured with public subnet as there is a risk of exposing sensitive data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with subnets_with_explicit_route as ( - select - distinct ( a ->> 'SubnetId') as all_sub - from - aws_vpc_route_table as t, - jsonb_array_elements(associations) as a - where - a ->> 'SubnetId' is not null - ), public_subnets_with_explicit_route as ( - select - distinct a ->> 'SubnetId' as SubnetId - from - aws_vpc_route_table as t, - jsonb_array_elements(associations) as a, - jsonb_array_elements(routes) as r - where - r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - and - ( - r ->> 'GatewayId' like 'igw-%' - or r ->> 'NatGatewayId' like 'nat-%' - ) - and a ->> 'SubnetId' is not null - ), public_subnets_with_implicit_route as ( - select - distinct route_table_id, - vpc_id, - region - from - aws_vpc_route_table as t, - jsonb_array_elements(associations) as a, - jsonb_array_elements(routes) as r - where - a ->> 'Main' = 'true' - and r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - and ( - r ->> 'GatewayId' like 'igw-%' - or r ->> 'NatGatewayId' like 'nat-%' - ) - ), subnet_accessibility as ( - select - subnet_id, - vpc_id, - case - when s.subnet_id in (select all_sub from subnets_with_explicit_route where all_sub not in (select SubnetId from public_subnets_with_explicit_route )) then 'private' - when p.SubnetId is not null or s.vpc_id in ( select vpc_id from public_subnets_with_implicit_route) then 'public' - else 'private' - end as access - from - aws_vpc_subnet as s - left join public_subnets_with_explicit_route as p on p.SubnetId = s.subnet_id - ), cluster_public_subnet as ( - select - distinct arn, - name as subnet_group_name - from - aws_rds_db_subnet_group, - jsonb_array_elements(subnets) as s - left join subnet_accessibility as a on a.subnet_id = s ->> 
'SubnetIdentifier' - where - a.access = 'public' - ) - select - c.arn as resource, - case - when s.subnet_group_name is not null then 'alarm' - else 'ok' - end as status, - case - when s.subnet_group_name is not null then c.title || ' has public subnet.' - else c.title || ' has private subnet.' - end as reason - - - from - aws_rds_db_instance as c - left join cluster_public_subnet as s on s.subnet_group_name = c.db_subnet_group_name; + QueryToExecute: "with subnets_with_explicit_route as (\n select\n distinct ( a ->> 'SubnetId') as all_sub\n from\n aws_vpc_route_table as t,\n jsonb_array_elements(associations) as a\n where\n a ->> 'SubnetId' is not null\n), public_subnets_with_explicit_route as (\n select\n distinct a ->> 'SubnetId' as SubnetId\n from\n aws_vpc_route_table as t,\n jsonb_array_elements(associations) as a,\n jsonb_array_elements(routes) as r\n where\n r ->> 'DestinationCidrBlock' = '0.0.0.0/0'\n and\n (\n r ->> 'GatewayId' like 'igw-%'\n or r ->> 'NatGatewayId' like 'nat-%'\n )\n and a ->> 'SubnetId' is not null\n), public_subnets_with_implicit_route as (\n select\n distinct route_table_id,\n vpc_id,\n region\n from\n aws_vpc_route_table as t,\n jsonb_array_elements(associations) as a,\n jsonb_array_elements(routes) as r\n where\n a ->> 'Main' = 'true'\n and r ->> 'DestinationCidrBlock' = '0.0.0.0/0'\n and (\n r ->> 'GatewayId' like 'igw-%'\n or r ->> 'NatGatewayId' like 'nat-%'\n )\n), subnet_accessibility as (\n select\n subnet_id,\n vpc_id,\n case\n when s.subnet_id in (select all_sub from subnets_with_explicit_route where all_sub not in (select SubnetId from public_subnets_with_explicit_route )) then 'private'\n when p.SubnetId is not null or s.vpc_id in ( select vpc_id from public_subnets_with_implicit_route) then 'public'\n else 'private'\n end as access\n from\n aws_vpc_subnet as s\n left join public_subnets_with_explicit_route as p on p.SubnetId = s.subnet_id\n), cluster_public_subnet as (\n select\n distinct arn,\n name as 
subnet_group_name\n from\n aws_rds_db_subnet_group,\n jsonb_array_elements(subnets) as s\n left join subnet_accessibility as a on a.subnet_id = s ->> 'SubnetIdentifier'\n where\n a.access = 'public'\n)\nselect\n c.arn as resource,\n case\n when s.subnet_group_name is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when s.subnet_group_name is not null then c.title || ' has public subnet.'\n else c.title || ' has private subnet.'\n end as reason\n \n \nfrom\n aws_rds_db_instance as c\n left join cluster_public_subnet as s on s.subnet_group_name = c.db_subnet_group_name;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_redshift_cluster_encrypted_with_cmk.yaml b/compliance/controls/pending/aws/aws_redshift_cluster_encrypted_with_cmk.yaml index 02dd04b31..f68936dde 100755 --- a/compliance/controls/pending/aws/aws_redshift_cluster_encrypted_with_cmk.yaml +++ b/compliance/controls/pending/aws/aws_redshift_cluster_encrypted_with_cmk.yaml 
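Review bot: The final join `on s.subnet_group_name = c.db_subnet_group_name` matches on name alone, but DB subnet group names are only unique within one account and region, so a public subnet group called e.g. `default` in any connected account flags every instance in every other account that uses that name; the `cluster_public_subnet` CTE should also carry `account_id` and `region` and the join should add `and s.account_id = c.account_id and s.region = c.region`. The classification additionally treats a default route to a NAT gateway (`r ->> 'NatGatewayId' like 'nat-%'`) as public in both route CTEs, although such subnets are not reachable from the internet, so private subnets with outbound NAT are alarmed; if the control means 'internet-reachable', drop the NAT branch.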
@@ -1,49 +1,13 @@ ID: aws_redshift_cluster_encrypted_with_cmk Title: "Redshift clusters should be encrypted with CMK" Description: "Ensure Redshift cluster is encrypted using CMK. The rule is non-compliant if the Redshift clusters is not encrypted using CMK." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with redshift_clusters as ( - select - arn, - region, - account_id, - kms_key_id, - encrypted, - title, - tags, - _ctx - from - aws_redshift_cluster - ), kms_keys as ( - select - k.arn, - k.key_manager - from - aws_kms_key as k - ) - select - r.arn as resource, - case - when not encrypted then 'alarm' - when encrypted and c.key_manager = 'CUSTOMER' then 'ok' - else 'alarm' - end as status, - case - when not encrypted then title || ' not encrypted.' - when encrypted and c.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.' - else title || ' not encrypted with CMK.' - end as reason - - - from - redshift_clusters as r - left join kms_keys as c on r.kms_key_id = c.arn; + QueryToExecute: "with redshift_clusters as (\n select\n arn,\n region,\n account_id,\n kms_key_id,\n encrypted,\n title,\n tags,\n _ctx\n from\n aws_redshift_cluster\n), kms_keys as (\n select\n k.arn,\n k.key_manager\n from\n aws_kms_key as k\n)\nselect\n r.arn as resource,\n case\n when not encrypted then 'alarm'\n when encrypted and c.key_manager = 'CUSTOMER' then 'ok'\n else 'alarm'\n end as status,\n case\n when not encrypted then title || ' not encrypted.'\n when encrypted and c.key_manager = 'CUSTOMER' then title || ' encrypted with CMK.'\n else title || ' not encrypted with CMK.'\n end as reason\n \n \nfrom\n redshift_clusters as r\n left join kms_keys as c on r.kms_key_id = c.arn;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud 
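Review bot: An `encrypted` cluster whose `kms_key_id` matches no row in `aws_kms_key` — a key shared from another account, or, if HSM-based encryption leaves `kms_key_id` empty, an HSM cluster — falls through to 'not encrypted with CMK' and is indistinguishable from one using an AWS-managed key. Adding `when encrypted and c.arn is null then title || ' encrypted with a key not visible in this account.'` ahead of the else branch keeps the alarm but tells the operator what to look at. The `redshift_clusters` CTE selects `region`, `account_id`, `tags` and `_ctx` that nothing downstream reads, which can be dropped.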
diff --git a/compliance/controls/pending/aws/aws_s3_bucket_object_logging_enabled.yaml b/compliance/controls/pending/aws/aws_s3_bucket_object_logging_enabled.yaml
index 392f0fb0c..2e27e4c2a 100755
--- a/compliance/controls/pending/aws/aws_s3_bucket_object_logging_enabled.yaml
+++ b/compliance/controls/pending/aws/aws_s3_bucket_object_logging_enabled.yaml
@@ -1,75 +1,13 @@ ID: aws_s3_bucket_object_logging_enabled Title: "S3 buckets object logging should be enabled" Description: "Object-Level logging saves events in JSON format in CloudTrail. This is recommended from a security best practice perspective for buckets that contain sensitive data." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with object_logging_cloudtrails as ( - select - d ->> 'Type' as type, - replace(replace(v::text,'"',''),'/','') as bucket_arn - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) e, - jsonb_array_elements(e -> 'DataResources') as d, - jsonb_array_elements(d -> 'Values') v - where - d ->> 'Type' = 'AWS::S3::Object' - ), object_logging_region as ( - select - region as cloudtrail_region, - replace(replace(v::text,'"',''),'/','') as bucket_arn - from - aws_cloudtrail_trail, - jsonb_array_elements(event_selectors) e, - jsonb_array_elements(e -> 'DataResources') as d, - jsonb_array_elements(d -> 'Values') v - where - d ->> 'Type' = 'AWS::S3::Object' - and replace(replace(v::text,'"',''),'/','') = 'arn:aws:s3' - group by - region, - bucket_arn - ), - object_logging_region_advance_es as ( - select - region as cloudtrail_region - from - aws_cloudtrail_trail, - jsonb_array_elements(advanced_event_selectors) a, - jsonb_array_elements(a -> 'FieldSelectors') as f, - jsonb_array_elements_text(f -> 'Equals') e - where - e = 'AWS::S3::Object' - and f ->> 'Field' != 'eventCategory' - group by - region - ) - select - distinct s.arn as resource, - case - when (s.arn = c.bucket_arn) - or (r.bucket_arn = 'arn:aws:s3' and r. cloudtrail_region = s.region ) - or a. cloudtrail_region = s.region then 'ok' - else 'alarm' - end as status, - case - when (s.arn = c.bucket_arn) - or (r.bucket_arn = 'arn:aws:s3' and r. cloudtrail_region = s.region ) - or a. cloudtrail_region = s.region then s.name || ' object logging enabled.' - else s.name || ' object logging not enabled.' 
- end as reason - - - from - aws_s3_bucket as s - left join object_logging_cloudtrails as c on s.arn = c.bucket_arn - left join object_logging_region as r on r. cloudtrail_region = s.region - left join object_logging_region_advance_es as a on a. cloudtrail_region = s.region; + QueryToExecute: "with object_logging_cloudtrails as (\n select\n d ->> 'Type' as type,\n replace(replace(v::text,'\"',''),'/','') as bucket_arn\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) e,\n jsonb_array_elements(e -> 'DataResources') as d,\n jsonb_array_elements(d -> 'Values') v\n where\n d ->> 'Type' = 'AWS::S3::Object'\n), object_logging_region as (\n select\n region as cloudtrail_region,\n replace(replace(v::text,'\"',''),'/','') as bucket_arn\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(event_selectors) e,\n jsonb_array_elements(e -> 'DataResources') as d,\n jsonb_array_elements(d -> 'Values') v\n where\n d ->> 'Type' = 'AWS::S3::Object'\n and replace(replace(v::text,'\"',''),'/','') = 'arn:aws:s3'\n group by\n region,\n bucket_arn\n),\nobject_logging_region_advance_es as (\n select\n region as cloudtrail_region\n from\n aws_cloudtrail_trail,\n jsonb_array_elements(advanced_event_selectors) a,\n jsonb_array_elements(a -> 'FieldSelectors') as f,\n jsonb_array_elements_text(f -> 'Equals') e\n where\n e = 'AWS::S3::Object'\n and f ->> 'Field' != 'eventCategory'\n group by\n region\n)\nselect\n distinct s.arn as resource,\n case\n when (s.arn = c.bucket_arn)\n or (r.bucket_arn = 'arn:aws:s3' and r. cloudtrail_region = s.region )\n or a. cloudtrail_region = s.region then 'ok'\n else 'alarm'\n end as status,\n case\n when (s.arn = c.bucket_arn)\n or (r.bucket_arn = 'arn:aws:s3' and r. cloudtrail_region = s.region )\n or a. 
cloudtrail_region = s.region then s.name || ' object logging enabled.'\n else s.name || ' object logging not enabled.'\n end as reason\n \n \nfrom\n aws_s3_bucket as s\n left join object_logging_cloudtrails as c on s.arn = c.bucket_arn\n left join object_logging_region as r on r. cloudtrail_region = s.region\n left join object_logging_region_advance_es as a on a. cloudtrail_region = s.region;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_vpc_subnet_multi_az_enabled.yaml b/compliance/controls/pending/aws/aws_vpc_subnet_multi_az_enabled.yaml index c9a32e7cb..98a88931a 100755 --- a/compliance/controls/pending/aws/aws_vpc_subnet_multi_az_enabled.yaml +++ b/compliance/controls/pending/aws/aws_vpc_subnet_multi_az_enabled.yaml 
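Review bot: The `object_logging_region_advance_es` CTE marks every bucket in a region 'ok' whenever any trail there has an advanced selector whose `Equals` contains `AWS::S3::Object`, without inspecting a `resources.ARN` field selector, so a trail that logs data events for one bucket silently satisfies the control for all other buckets in that region. That branch needs to either require the absence of a `resources.ARN` selector (all buckets) or match the bucket's ARN against it, the way the basic-selector branches compare `bucket_arn`. None of the three CTEs checks that the trail is actually recording (whichever column exposes the trail's logging state), so a stopped trail with the right selector also yields 'ok'; confirm that column and add it to each where clause. Style: `r. cloudtrail_region` and `a. cloudtrail_region` are valid qualified names, but the stray space after the dot reads like a typo.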
@@ -1,48 +1,13 @@ ID: aws_vpc_subnet_multi_az_enabled Title: "VPCs subnets should exist in multiple availability zones" Description: "Ensure that each VPC has subnets spread across multiple availability zones." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with subnet_list as ( - select - distinct availability_zone, - vpc_id, - count(*) - from - aws_vpc_subnet - group by - vpc_id, availability_zone - ), zone_list as ( - select - vpc_id, - count(*) as num - from - subnet_list - group by - vpc_id - ) - select - arn as resource, - case - when l.num is null then 'alarm' - when l.num > 1 then 'ok' - else 'alarm' - end as status, - case - when l.num is null then v.title || ' no subnet exists.' - when l.num > 1 then v.title || ' subnets exist in ' || num || ' availability zones.' - else v.title || ' subnet(s) exist in single availability zone.' - end as reason - - - from - aws_vpc as v - left join zone_list as l on l.vpc_id = v.vpc_id; + QueryToExecute: "with subnet_list as (\n select\n distinct availability_zone,\n vpc_id,\n count(*)\n from\n aws_vpc_subnet\n group by\n vpc_id, availability_zone\n), zone_list as (\n select\n vpc_id,\n count(*) as num\n from\n subnet_list\n group by\n vpc_id\n)\nselect\n arn as resource,\n case\n when l.num is null then 'alarm'\n when l.num > 1 then 'ok'\n else 'alarm'\n end as status,\n case\n when l.num is null then v.title || ' no subnet exists.'\n when l.num > 1 then v.title || ' subnets exist in ' || num || ' availability zones.'\n else v.title || ' subnet(s) exist in single availability zone.'\n end as reason\n \n \nfrom\n aws_vpc as v\n left join zone_list as l on l.vpc_id = v.vpc_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/aws/aws_vpc_subnet_public_and_private.yaml b/compliance/controls/pending/aws/aws_vpc_subnet_public_and_private.yaml index 75640b26b..e7898a696 100755 
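Review bot: The `subnet_list` CTE pairs `distinct` with `group by vpc_id, availability_zone` and an unnamed `count(*)` that nothing reads, and `zone_list` then only counts its rows; both collapse into one CTE, `select vpc_id, count(distinct availability_zone) as num from aws_vpc_subnet group by vpc_id`, with identical output. Subnets are not scoped by account, so a VPC ID seen in two connected accounts would have its zones pooled; VPC IDs are effectively unique, so this is a theoretical concern, but adding `account_id` to the grouping costs nothing.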
--- a/compliance/controls/pending/aws/aws_vpc_subnet_public_and_private.yaml
+++ b/compliance/controls/pending/aws/aws_vpc_subnet_public_and_private.yaml
@@ -1,83 +1,13 @@ ID: aws_vpc_subnet_public_and_private Title: "VPCs should have both public and private subnets configured" Description: "Ensure that all VPCs have both public and private subnets configured." -Connector: -- aws Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - with subnets_with_explicit_route as ( - select - distinct ( a ->> 'SubnetId') as all_sub - from - aws_vpc_route_table as t, - jsonb_array_elements(associations) as a - where - a ->> 'SubnetId' is not null - ), public_subnets_with_explicit_route as ( - select - distinct a ->> 'SubnetId' as SubnetId - from - aws_vpc_route_table as t, - jsonb_array_elements(associations) as a, - jsonb_array_elements(routes) as r - where - r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - and - ( - r ->> 'GatewayId' like 'igw-%' - or r ->> 'NatGatewayId' like 'nat-%' - ) - and a ->> 'SubnetId' is not null - ), public_subnets_with_implicit_route as ( - select - distinct route_table_id, - vpc_id, - region - from - aws_vpc_route_table as t, - jsonb_array_elements(associations) as a, - jsonb_array_elements(routes) as r - where - a ->> 'Main' = 'true' - and r ->> 'DestinationCidrBlock' = '0.0.0.0/0' - and ( - r ->> 'GatewayId' like 'igw-%' - or r ->> 'NatGatewayId' like 'nat-%' - ) - ), subnet_accessibility as ( - select - subnet_id, - vpc_id, - case - when s.subnet_id in (select all_sub from subnets_with_explicit_route where all_sub not in (select SubnetId from public_subnets_with_explicit_route )) then 'private' - when p.SubnetId is not null or s.vpc_id in ( select vpc_id from public_subnets_with_implicit_route) then 'public' - else 'private' - end as access - from - aws_vpc_subnet as s - left join public_subnets_with_explicit_route as p on p.SubnetId = s.subnet_id - ) - select - arn as resource, - case - when v.vpc_id not in (select vpc_id from subnet_accessibility) then 'alarm' - when 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and 'private' in (select access from 
subnet_accessibility where vpc_id = v.vpc_id) then 'ok' - when 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and not 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then 'alarm' - when 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and not 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then 'alarm' - end as status, - case - when v.vpc_id not in (select vpc_id from subnet_accessibility) then v.title || ' has no subnet.' - when 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then v.title || ' having both private and public subnet(s).' - when 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and not 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then v.title || ' having only public subnet(s).' - when 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and not 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then v.title || ' having only private subnet(s).' 
- end as reason - - - from - aws_vpc as v; + QueryToExecute: "with subnets_with_explicit_route as (\n select\n distinct ( a ->> 'SubnetId') as all_sub\n from\n aws_vpc_route_table as t,\n jsonb_array_elements(associations) as a\n where\n a ->> 'SubnetId' is not null\n), public_subnets_with_explicit_route as (\n select\n distinct a ->> 'SubnetId' as SubnetId\n from\n aws_vpc_route_table as t,\n jsonb_array_elements(associations) as a,\n jsonb_array_elements(routes) as r\n where\n r ->> 'DestinationCidrBlock' = '0.0.0.0/0'\n and\n (\n r ->> 'GatewayId' like 'igw-%'\n or r ->> 'NatGatewayId' like 'nat-%'\n )\n and a ->> 'SubnetId' is not null\n), public_subnets_with_implicit_route as (\n select\n distinct route_table_id,\n vpc_id,\n region\n from\n aws_vpc_route_table as t,\n jsonb_array_elements(associations) as a,\n jsonb_array_elements(routes) as r\n where\n a ->> 'Main' = 'true'\n and r ->> 'DestinationCidrBlock' = '0.0.0.0/0'\n and (\n r ->> 'GatewayId' like 'igw-%'\n or r ->> 'NatGatewayId' like 'nat-%'\n )\n), subnet_accessibility as (\nselect\n subnet_id,\n vpc_id,\n case\n when s.subnet_id in (select all_sub from subnets_with_explicit_route where all_sub not in (select SubnetId from public_subnets_with_explicit_route )) then 'private'\n when p.SubnetId is not null or s.vpc_id in ( select vpc_id from public_subnets_with_implicit_route) then 'public'\n else 'private'\n end as access\nfrom\naws_vpc_subnet as s\nleft join public_subnets_with_explicit_route as p on p.SubnetId = s.subnet_id\n)\nselect\n arn as resource,\n case\n when v.vpc_id not in (select vpc_id from subnet_accessibility) then 'alarm'\n when 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then 'ok'\n when 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and not 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then 'alarm'\n 
when 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and not 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then 'alarm'\n end as status,\n case\n when v.vpc_id not in (select vpc_id from subnet_accessibility) then v.title || ' has no subnet.'\n when 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then v.title || ' having both private and public subnet(s).'\n when 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and not 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then v.title || ' having only public subnet(s).'\n when 'private' in (select access from subnet_accessibility where vpc_id = v.vpc_id) and not 'public' in (select access from subnet_accessibility where vpc_id = v.vpc_id) then v.title || ' having only private subnet(s).'\n end as reason\n \n \nfrom\n aws_vpc as v;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - aws_cloud diff --git a/compliance/controls/pending/azure/azure_application_insights_linked_to_log_analytics_workspace.yaml b/compliance/controls/pending/azure/azure_application_insights_linked_to_log_analytics_workspace.yaml index 9cfac116e..e9d40749e 100755 --- a/compliance/controls/pending/azure/azure_application_insights_linked_to_log_analytics_workspace.yaml +++ b/compliance/controls/pending/azure/azure_application_insights_linked_to_log_analytics_workspace.yaml 
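Review bot: Both `public_subnets_with_explicit_route` and `public_subnets_with_implicit_route` treat a default route whose target is a NAT gateway (`r ->> 'NatGatewayId' like 'nat-%'`) as making the subnet public, but a subnet whose 0.0.0.0/0 route goes to a NAT gateway is the textbook private subnet; only an internet-gateway target (`igw-`) exposes it. With the current predicate the canonical layout — IGW-routed public subnets plus NAT-routed private subnets — classifies every subnet as `public`, and the VPC is reported 'alarm' with reason ' having only public subnet(s).', a false positive on exactly the configuration the control is meant to approve. Dropping the NAT clause in both CTEs, i.e. reducing the parenthesised condition to `r ->> 'GatewayId' like 'igw-%'`, lets NAT-routed subnets fall through to 'private' (they have an explicit association and are absent from the public set). If the NAT clause was deliberate, a comment above `QueryToExecute` stating that NAT egress is counted as public would at least make the reason text explainable.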
@@ -1,29 +1,13 @@ ID: azure_application_insights_linked_to_log_analytics_workspace Title: "Azure Monitor Logs for Application Insights should be linked to a Log Analytics workspace" Description: "Link the Application Insights component to a Log Analytics workspace for logs encryption. Customer-managed keys are commonly required to meet regulatory compliance and for more control over the access to your data in Azure Monitor. Linking your component to a Log Analytics workspace that's enabled with a customer-managed key, ensures that your Application Insights logs meet this compliance requirement, see https://docs.microsoft.com/azure/azure-monitor/platform/customer-managed-keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - case - when type = 'microsoft.insights/components' and workspace_resource_id is not null then 'ok' - else 'alarm' - end as status, - case - when type = 'microsoft.insights/components' and workspace_resource_id is not null then a.name || ' linked to log analytics workspace.' - else a.name || ' not linked to log analytics workspace.' - end as reason - - - - from - azure_application_insight as a - left join azure_subscription sub on sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n case\n when type = 'microsoft.insights/components' and workspace_resource_id is not null then 'ok'\n else 'alarm'\n end as status,\n case\n when type = 'microsoft.insights/components' and workspace_resource_id is not null then a.name || ' linked to log analytics workspace.'\n else a.name || ' not linked to log analytics workspace.'\n end as reason\n \n \n \nfrom\n azure_application_insight as a\n left join azure_subscription sub on sub.subscription_id = a.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
diff --git a/compliance/controls/pending/azure/azure_appservice_web_app_worker_more_than_one.yaml b/compliance/controls/pending/azure/azure_appservice_web_app_worker_more_than_one.yaml index 03b2d20db..e24bdbf1d 100755 --- a/compliance/controls/pending/azure/azure_appservice_web_app_worker_more_than_one.yaml +++ b/compliance/controls/pending/azure/azure_appservice_web_app_worker_more_than_one.yaml @@ -1,29 +1,13 @@ ID: azure_appservice_web_app_worker_more_than_one Title: "Web app should have more than one worker" Description: "It is recommended to have more than one worker for failover. This control is non-compliant if Web apps have one or less than one worker." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - p ->> 'ID' as resource, - case - when (p -> 'SiteProperties' -> 'siteConfig' ->> 'numberOfWorkers')::int > 1 then 'ok' - else 'alarm' - end as status, - a.name || ' has ' || (p -> 'SiteProperties' -> 'siteConfig' ->> 'numberOfWorkers') || ' no of worker(s).' as reason - - - - from - azure_app_service_plan as a, - jsonb_array_elements(apps) as p, - azure_subscription as sub - where - sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n p ->> 'ID' as resource,\n case\n when (p -> 'SiteProperties' -> 'siteConfig' ->> 'numberOfWorkers')::int > 1 then 'ok'\n else 'alarm'\n end as status,\n a.name || ' has ' || (p -> 'SiteProperties' -> 'siteConfig' ->> 'numberOfWorkers') || ' no of worker(s).' as reason\n \n \n \nfrom\n azure_app_service_plan as a,\n jsonb_array_elements(apps) as p,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_3_5.yaml b/compliance/controls/pending/azure/azure_cis_v130_3_5.yaml index 3fe8b9607..624f83b4b 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_3_5.yaml 
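Review bot: The reason column `a.name || ' has ' || (p -> 'SiteProperties' -> 'siteConfig' ->> 'numberOfWorkers') || ' no of worker(s).'` becomes NULL for any app whose `numberOfWorkers` key is absent, because `->>` yields NULL and `||` propagates it; such rows still get status 'alarm' (the NULL comparison in the `case` falls to the else branch) but carry no explanation. Wrapping the extracted value as `coalesce(p -> 'SiteProperties' -> 'siteConfig' ->> 'numberOfWorkers', '0')` in both the status and the reason expressions keeps the alarm and gives it a readable reason. Whether the key can be missing in the collected `apps` payload is not visible here; the guard is cheap either way.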
+++ b/compliance/controls/pending/azure/azure_cis_v130_3_5.yaml @@ -1,31 +1,13 @@ ID: azure_cis_v130_3_5 Title: "3.5 Ensure that 'Public access level' is set to Private for blob containers" Description: "Disable anonymous access to blob containers and disallow blob public access on storage account." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - container.id as resource, - case - when not account.allow_blob_public_access and container.public_access = 'None' then 'ok' - else 'alarm' - end as status, - case - when not account.allow_blob_public_access and container.public_access = 'None' - then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.' - else account.name || ' container ' || container.name || ' allows anonymous access.' - end as reason - - - - from - azure_storage_container container - join azure_storage_account account on container.account_name = account.name - join azure_subscription sub on sub.subscription_id = account.subscription_id; + QueryToExecute: "select\n container.id as resource,\n case\n when not account.allow_blob_public_access and container.public_access = 'None' then 'ok'\n else 'alarm'\n end as status,\n case\n when not account.allow_blob_public_access and container.public_access = 'None'\n then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'\n else account.name || ' container ' || container.name || ' allows anonymous access.'\n end as reason\n \n \n \nfrom\n azure_storage_container container\n join azure_storage_account account on container.account_name = account.name\n join azure_subscription sub on sub.subscription_id = account.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_1_1.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_1_1.yaml index a63632439..eb25ec1c9 100755 
--- a/compliance/controls/pending/azure/azure_cis_v130_4_1_1.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_1_1.yaml @@ -1,32 +1,13 @@ ID: azure_cis_v130_4_1_1 Title: "4.1.1 Ensure that 'Auditing' is set to 'On'" Description: "Enable auditing on SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.' - else name || ' auditing enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.'\n else name || ' auditing enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_1_3.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_1_3.yaml index a1e7c5546..495bf68e1 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_1_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_1_3.yaml 
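Review bot: The status here alarms only on `audit -> 'properties' ->> 'state' = 'Disabled'` and treats every other value — including NULL when the `state` key is missing from the audit policy element — as 'ok', so an absent or unparseable policy is reported compliant; azure_cis_v130_4_2_1 and azure_cis_v130_4_2_2 below use the same inverted test. Writing it in positive form, `when audit -> 'properties' ->> 'state' = 'Enabled' then 'ok' else 'alarm'` (with the matching reason branch), makes the unknown case fail closed, the safer default for an audit control. Two smaller things: the unqualified `name` in the reason (azure_cis_v130_4_1_3 has it too) is ambiguous if `azure_subscription sub` also exposes a `name` column, where the sibling 4.2.x controls write `s.name`; and because `jsonb_array_elements(server_audit_policy) audit` is a comma join, a server whose policy array is empty yields no row at all and silently disappears from the result instead of alarming.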
@@ -1,34 +1,13 @@ ID: azure_cis_v130_4_1_3 Title: "4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'" Description: "SQL Server Audit Retention should be configured to be greater than 90 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok' - else 'alarm' - end as status, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.' - else name || ' audit retention less than 90 days.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.'\n else name || ' audit retention less than 90 days.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_2_1.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_2_1.yaml index ef3d42d01..071ef38c2 100755 
--- a/compliance/controls/pending/azure/azure_cis_v130_4_2_1.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_2_1.yaml @@ -1,32 +1,13 @@ ID: azure_cis_v130_4_2_1 Title: "4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'" Description: "Enable \\\"Azure Defender for SQL\\\" on critical SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.' - else s.name || ' Azure defender enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.'\n else s.name || ' Azure defender enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_2_2.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_2_2.yaml index 5dd218cff..cd1b09e50 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_2_2.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_2_2.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v130_4_2_2 Title: "4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account" Description: "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.' - else s.name || ' VA setting enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.'\n else s.name || ' VA setting enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_2_3.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_2_3.yaml index 44f43fb25..39f3d583a 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_2_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_2_3.yaml 
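Review bot: `assessment` from `jsonb_array_elements(server_vulnerability_assessment)` is joined but never consulted: status and reason depend only on the security alert policy `state`, so a server with Defender enabled but no VA storage account configured is reported 'ok' with reason ' VA setting enabled.', the opposite of what the title ("...by setting a Storage Account") describes. As written the control cannot detect the misconfiguration it is named for. The VA-specific field the sibling 4.2.3–4.2.5 hunks already read is the natural condition; adding it to both `case` expressions as `when security -> 'properties' ->> 'state' = 'Disabled' or assessment -> 'properties' ->> 'storageContainerPath' is null then 'alarm'` ties the result to the assessment settings.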
@@ -1,49 +1,13 @@ ID: azure_cis_v130_4_2_3 Title: "4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server" Description: "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - then s.name || ' VA setting periodic recurring scans disabled.' - else s.name || ' VA setting periodic recurring scans enabled.' 
- end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then s.name || ' VA setting periodic recurring scans disabled.'\n else s.name || ' VA setting periodic recurring scans enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_2_4.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_2_4.yaml index 1586e291c..1d2411461 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_2_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_2_4.yaml 
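Review bot: The alarm condition requires `assessment -> 'properties' ->> 'storageContainerPath' is not null` inside the Enabled branch, so a server with Defender enabled but no VA storage container at all falls through to 'ok' with reason ' VA setting periodic recurring scans enabled.' although no scan can run; azure_cis_v130_4_2_4 and azure_cis_v130_4_2_5 below have the same shape and the same gap. If VA must be configured for these checks to pass, the guard should leave the conjunction, e.g. `or assessment -> 'properties' ->> 'storageContainerPath' is null or assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'`; if unconfigured VA is deliberately left to 4.2.2 instead, a comment in the YAML saying so would stop the next reader from "fixing" it. Note also that `= 'false'` only catches an explicit false: a missing `isEnabled` key yields NULL, the whole `when` evaluates to NULL, and the row is reported as enabled.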
@@ -1,49 +1,13 @@ ID: azure_cis_v130_4_2_4 Title: "4.2.4 Ensure that VA setting Send scan reports to is configured for a SQL server" Description: "Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - then s.name || ' VA scan reports and alerts not configured send email.' - else s.name || ' VA scan reports and alerts configured to send email.' 
- end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then s.name || ' VA scan reports and alerts not configured send email.'\n else s.name || ' VA scan reports and alerts configured to send email.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_2_5.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_2_5.yaml index f530f8509..6c0d7fe02 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_2_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_2_5.yaml 
@@ -1,49 +1,13 @@ ID: azure_cis_v130_4_2_5 Title: "4.2.5 Ensure that VA setting 'Also send email notifications to admins and subscription owners' is set for a SQL server" Description: "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.' - else s.name || ' VA setting configured to send email notifications to subscription admins and owners.' 
- end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.'\n else s.name || ' VA setting configured to send email notifications to subscription admins and owners.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_3_3.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_3_3.yaml index d1d49a66d..3732d2c4c 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_3_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_3_3.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v130_4_3_3 Title: "4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_checkpoints on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.' - else s.name || ' server parameter log_checkpoints on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_checkpoints' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.'\n else s.name || ' server parameter log_checkpoints on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_checkpoints'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_3_4.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_3_4.yaml index 9a9e255b6..7e9608e31 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_3_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_3_4.yaml 
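Review bot: `lower(config -> 'ConfigurationProperties' ->> 'value') != 'on'` is NULL when the `value` key is absent, and a NULL `when` falls to the else branch, so a parameter with no readable value is reported 'ok' with ' server parameter log_checkpoints on.'; azure_cis_v130_4_3_4, azure_cis_v130_4_3_6 and azure_cis_v130_4_3_7 (`::integer <= 3`) share the pattern. Writing the positive test, `when lower(config -> 'ConfigurationProperties' ->> 'value') = 'on' then 'ok' else 'alarm'`, and for 4.3.7 `when (config -> 'ConfigurationProperties' ->> 'value')::integer > 3 then 'ok' else 'alarm'`, makes the unknown case fail closed. The `where config ->> 'Name' = 'log_checkpoints'` filter on the comma join also means a server whose configuration array lacks that parameter produces no row at all rather than an alarm, which is worth a comment in the YAML if it is intended.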
@@ -1,33 +1,13 @@ ID: azure_cis_v130_4_3_4 Title: "4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_connections on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.' - else s.name || ' server parameter log_connections on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_connections' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.'\n else s.name || ' server parameter log_connections on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_connections'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_3_6.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_3_6.yaml index 40a4faa79..3818e5240 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_3_6.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_3_6.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v130_4_3_6 Title: "4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server" Description: "Enable connection_throttling on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.' - else s.name || ' server parameter connection_throttling on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'connection_throttling' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.'\n else s.name || ' server parameter connection_throttling on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'connection_throttling'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_3_7.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_3_7.yaml index 21bb8c455..0db7e0597 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_3_7.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_3_7.yaml 
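Review bot: The `connection_throttling` check in the new `QueryToExecute` alarms only on an explicit non-`on` value and reports `ok` for NULL (`lower(NULL) != 'on'` is NULL, so the `else 'ok'` branch wins), which means a server where the parameter is unset reads as throttling-enabled. Writing the status as `when lower(config -> 'ConfigurationProperties' ->> 'value') = 'on' then 'ok' else 'alarm'` makes the unknown state fail closed. This query body is identical to the `log_checkpoints` and `log_connections` controls except for the literal in `where config ->> 'Name' = 'connection_throttling'`; if `Parameters: []` is meant to carry per-control inputs, the parameter name is a natural candidate so the three controls share one reviewed query — hedged, since the parameter mechanism is not visible here.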
@@ -1,33 +1,13 @@ ID: azure_cis_v130_4_3_7 Title: "4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server" Description: "Enable log_retention_days on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm' - else 'ok' - end as status, - case - when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.' - else s.name || ' log files are retained for more than 3 days.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) as config, - azure_subscription sub - where - config ->> 'Name' = 'log_retention_days' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'\n else 'ok'\n end as status,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.'\n else s.name || ' log files are retained for more than 3 days.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) as config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_retention_days'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_4_5.yaml b/compliance/controls/pending/azure/azure_cis_v130_4_5.yaml index 3004c4cc9..adb785288 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_4_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_4_5.yaml 
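Review bot: `(config -> 'ConfigurationProperties' ->> 'value')::integer` in the new `QueryToExecute` raises a cast error for a non-numeric or empty value and, for a NULL value, makes `NULL <= 3` NULL so the server is reported `ok`; either way a missing retention setting does not alarm. `coalesce(nullif(config -> 'ConfigurationProperties' ->> 'value', '')::integer, 0) <= 3` treats an absent value as zero-day retention and keeps the cast from failing on an empty string. The `Description` ("Enable log_retention_days") does not state the threshold the `Title` and query enforce; something like "Ensure log_retention_days is greater than 3 on PostgreSQL servers" would match the check. The reason text `' log files are retained for 3 days or lesser.'` also reads better as "3 days or fewer".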
@@ -1,32 +1,13 @@ ID: azure_cis_v130_4_5 Title: "4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key" Description: "Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key)" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when encryption ->> 'kind' = 'servicemanaged' then 'alarm' - else 'ok' - end as status, - case - when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.' - else s.name || ' TDE protector encrypted with CMK.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(encryption_protector) encryption, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when encryption ->> 'kind' = 'servicemanaged' then 'alarm'\n else 'ok'\n end as status,\n case\n when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.'\n else s.name || ' TDE protector encrypted with CMK.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(encryption_protector) encryption,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_5_1_4.yaml b/compliance/controls/pending/azure/azure_cis_v130_5_1_4.yaml index 0cbd12f62..9c5dde26f 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_5_1_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_5_1_4.yaml 
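Review bot: The TDE check in the new `QueryToExecute` alarms only when `encryption ->> 'kind' = 'servicemanaged'` and treats every other value, including NULL or a differently cased string, as a customer-managed key. Inverting the test to the compliant value fails closed: `when encryption ->> 'kind' = 'azurekeyvault' then 'ok' else 'alarm'`, assuming the provider surfaces the key-vault protector kind as `azurekeyvault` — confirm against the `azure_sql_server.encryption_protector` column before changing it. A server whose `encryption_protector` array is empty is also dropped by `jsonb_array_elements(encryption_protector)` in the `from` list and never reported, which is the same silent-pass shape.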
@@ -1,35 +1,13 @@ ID: azure_cis_v130_5_1_4 Title: "5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)" Description: "The storage account with the activity log export container is configured to use BYOK (Use Your Own Key)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - case - when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok' - else 'alarm' - end as status, - case - when a.encryption_key_source = 'Microsoft.Keyvault' - then a.name || ' container insights-operational-logs encrypted with BYOK.' - else a.name || ' container insights-operational-logs not encrypted with BYOK.' - end as reason - - - - from - azure_storage_container c, - azure_storage_account a, - azure_subscription sub - where - c.name = 'insights-operational-logs' - and c.account_name = a.name - and sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault'\n then a.name || ' container insights-operational-logs encrypted with BYOK.'\n else a.name || ' container insights-operational-logs not encrypted with BYOK.'\n end as reason\n \n \n \nfrom\n azure_storage_container c,\n azure_storage_account a,\n azure_subscription sub\nwhere\n c.name = 'insights-operational-logs'\n and c.account_name = a.name\n and sub.subscription_id = a.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_6_4.yaml b/compliance/controls/pending/azure/azure_cis_v130_6_4.yaml index 0fd285bf7..55c1319a5 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_6_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_6_4.yaml 
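Review bot: When no storage account in the subscription holds an `insights-operational-logs` container, the new `QueryToExecute` returns no rows at all, because `c.name = 'insights-operational-logs'` is an inner filter; the control is then silently neither ok nor alarm even though activity-log export is absent. If that is the intended division of labour with the activity-log export control, a one-line comment above the `where` clause saying so would save the next reader from re-deriving it. The status logic itself fails closed (`'Microsoft.Keyvault'` → ok, anything else including NULL → alarm), which is the right shape for a BYOK check. `c.account_name = a.name` is unscoped by subscription or resource group; that is fine only because storage account names are globally unique in Azure, and a comment noting that assumption would help.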
@@ -1,33 +1,13 @@ ID: azure_cis_v130_6_4 Title: "6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'" Description: "Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sg.id resource, - case - when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm' - else 'ok' - end as status, - case - when fl.id is null or not fl.enabled - then sg.name || ' flowlog not enabled.' - when fl.retention_policy_days < 90 - then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.' - else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.' - end as reason - - - - from - azure_network_security_group sg - left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id - join azure_subscription sub on sub.subscription_id = sg.subscription_id; + QueryToExecute: "select\n sg.id resource,\n case\n when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'\n else 'ok'\n end as status,\n case\n when fl.id is null or not fl.enabled\n then sg.name || ' flowlog not enabled.'\n when fl.retention_policy_days < 90\n then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'\n else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'\n end as reason\n \n \n \nfrom\n azure_network_security_group sg\n left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id\n join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
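Review bot: An enabled flow log whose `retention_policy_days` is NULL is reported `ok` by the new `QueryToExecute`: `fl.id is null` and `not fl.enabled` are both false, `NULL < 90` is NULL, and the whole `or` chain is NULL so the `case` falls to `else 'ok'`. `coalesce(fl.retention_policy_days, 0) < 90` in both `case` expressions makes the missing value alarm instead. Conversely, if the provider maps a disabled retention policy (indefinite retention) to `0` days, this query flags it as "less than 90 days" — confirm the column's semantics against the `azure_network_watcher_flow_log` table before tightening. The final reason branch concatenates `fl.retention_policy_days` directly; the same coalesce keeps that string from collapsing to NULL.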
diff --git a/compliance/controls/pending/azure/azure_cis_v130_6_5.yaml b/compliance/controls/pending/azure/azure_cis_v130_6_5.yaml index 7b442867e..d101875b8 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_6_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_6_5.yaml @@ -1,31 +1,13 @@ ID: azure_cis_v130_6_5 Title: "6.5 Ensure that Network Watcher is 'Enabled'" Description: "Enable Network Watcher for Azure subscriptions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - loc.id resource, - case - when watcher.id is null then 'alarm' - else 'ok' - end as status, - case - when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.' - else 'Network watcher enabled in ' || loc.name || '.' - end as reason, - loc.name - - - - from - azure_location loc - left join azure_network_watcher watcher on watcher.region = loc.name - join azure_subscription sub on sub.subscription_id = loc.subscription_id; + QueryToExecute: "select\n loc.id resource,\n case\n when watcher.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.'\n else 'Network watcher enabled in ' || loc.name || '.'\n end as reason,\n loc.name\n \n \n \nfrom\n azure_location loc\n left join azure_network_watcher watcher on watcher.region = loc.name\n join azure_subscription sub on sub.subscription_id = loc.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v130_9_10.yaml b/compliance/controls/pending/azure/azure_cis_v130_9_10.yaml index 0afda0184..aab83d518 100755 --- a/compliance/controls/pending/azure/azure_cis_v130_9_10.yaml +++ b/compliance/controls/pending/azure/azure_cis_v130_9_10.yaml 
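Review bot: The `left join azure_network_watcher watcher on watcher.region = loc.name` in the new `QueryToExecute` matches a watcher from any subscription, so if the table holds more than one subscription, a Network Watcher in subscription A marks the same region `ok` in subscription B. Scoping the join fixes that: `left join azure_network_watcher watcher on watcher.region = loc.name and watcher.subscription_id = loc.subscription_id`, assuming the watcher table exposes `subscription_id` as the location table does. The select also emits a trailing bare `loc.name` column beyond `resource`/`status`/`reason`; if the engine expects exactly those three, this extra column should be dropped or aliased deliberately.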
@@ -1,50 +1,13 @@ ID: azure_cis_v130_9_10 Title: "9.10 Ensure FTP deployments are disabled" Description: "By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - fa.id as resource, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.' - else name || ' FTP deployments disabled.' - end as reason - - - - from - azure_app_service_function_app fa, - azure_subscription sub - where - sub.subscription_id = fa.subscription_id - union - select - wa.id as resource, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.' - else name || ' FTP deployments disabled.' 
- end as reason - - - - from - azure_app_service_web_app as wa, - azure_subscription as sub - where - sub.subscription_id = wa.subscription_id; + QueryToExecute: "select\n fa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_function_app fa,\n azure_subscription sub\n where\n sub.subscription_id = fa.subscription_id\nunion\n select\n wa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_web_app as wa,\n azure_subscription as sub\n where\n sub.subscription_id = wa.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_1_6.yaml b/compliance/controls/pending/azure/azure_cis_v140_1_6.yaml index 75ec3b4ef..66a607494 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_1_6.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_1_6.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_1_6 Title: "1.6 Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to \\\"0\\\"" Description: "Ensure that the number of days before users are asked to re-confirm their authentication information is not set to 0." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -15,3 +13,5 @@ Query: Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
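Review bot: Both arms of the `union` in the new `QueryToExecute` alarm only when `ftpsState` equals `'AllAllowed'` and report `ok` for a NULL or unexpected value, so an app whose site configuration has not been collected passes; Azure's historical default for this setting is to allow plain FTP, which makes the fail-open default the wrong way round. Testing the compliant states instead — `when configuration -> 'properties' ->> 'ftpsState' in ('FtpsOnly', 'Disabled') then 'ok' else 'alarm'` — fails closed. `name` is unqualified in both arms while `azure_subscription` is in the `from` list; if that table also exposes a `name` column the query fails as ambiguous, so `fa.name` / `wa.name` is safer. The function-app arm starts on the previous SOURCE line, so only the web-app arm is fully visible here.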
diff --git a/compliance/controls/pending/azure/azure_cis_v140_1_8.yaml b/compliance/controls/pending/azure/azure_cis_v140_1_8.yaml index b0073a981..2ab6c564a 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_1_8.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_1_8.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v140_1_8 Title: "1.8 Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes'" Description: "Ensure that all administrators are notified if any other administrator resets their password." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -15,3 +13,5 @@ Query: Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_3_5.yaml b/compliance/controls/pending/azure/azure_cis_v140_3_5.yaml index d8f0018ec..db97c9701 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_3_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_3_5.yaml 
@@ -1,31 +1,13 @@ ID: azure_cis_v140_3_5 Title: "3.5 Ensure that 'Public access level' is set to Private for blob containers" Description: "Disable anonymous access to blob containers and disallow blob public access on storage account." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - container.id as resource, - case - when not account.allow_blob_public_access and container.public_access = 'None' then 'ok' - else 'alarm' - end as status, - case - when not account.allow_blob_public_access and container.public_access = 'None' - then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.' - else account.name || ' container ' || container.name || ' allows anonymous access.' - end as reason - - - - from - azure_storage_container container - join azure_storage_account account on container.account_name = account.name - join azure_subscription sub on sub.subscription_id = account.subscription_id; + QueryToExecute: "select\n container.id as resource,\n case\n when not account.allow_blob_public_access and container.public_access = 'None' then 'ok'\n else 'alarm'\n end as status,\n case\n when not account.allow_blob_public_access and container.public_access = 'None'\n then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'\n else account.name || ' container ' || container.name || ' allows anonymous access.'\n end as reason\n \n \n \nfrom\n azure_storage_container container\n join azure_storage_account account on container.account_name = account.name\n join azure_subscription sub on sub.subscription_id = account.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_1_1.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_1_1.yaml index f60e5b025..25bf931ec 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_1_1.yaml 
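Review bot: The new `QueryToExecute` is the same SQL as before but now stored as one double-quoted line with embedded `\n` escapes and a `\n \n \n \n` run of whitespace-only lines, which makes diffs of the query itself nearly unreadable and drags stray indentation into the executed text; a `|-` block scalar carries the same value and stays reviewable. The access logic here fails closed (NULL `allow_blob_public_access` gives `NULL and ...` → alarm), which is the right default for an anonymous-access check. `PrimaryTable: ""` and `ListOfTables: []` stay empty; if the engine uses them to scope which resources are collected for the control, these should name `azure_storage_container`, `azure_storage_account` and `azure_subscription` — hedged, since the engine's use of those fields is not visible here.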
+++ b/compliance/controls/pending/azure/azure_cis_v140_4_1_1.yaml @@ -1,32 +1,13 @@ ID: azure_cis_v140_4_1_1 Title: "4.1.1 Ensure that 'Auditing' is set to 'On'" Description: "Enable auditing on SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.' - else name || ' auditing enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.'\n else name || ' auditing enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_1_3.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_1_3.yaml index 2cf91303e..870c6c0f4 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_1_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_1_3.yaml 
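Review bot: The audit check in the new `QueryToExecute` alarms only on `state = 'Disabled'` and reports `ok` for any other or NULL state, and a server with an empty `server_audit_policy` array is dropped by `jsonb_array_elements` and never reported; both shapes let an unconfigured audit policy pass. `when audit -> 'properties' ->> 'state' = 'Enabled' then 'ok' else 'alarm'` fails closed for the first case; the second needs the policy expanded with a left join (or `jsonb_array_elements(coalesce(server_audit_policy, '[{}]'::jsonb))`) so the server still surfaces. `name` is unqualified while `azure_subscription sub` is in the `from` list; `s.name` avoids an ambiguous-column error if that table also has a `name` column.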
@@ -1,34 +1,13 @@ ID: azure_cis_v140_4_1_3 Title: "4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days'" Description: "SQL Server Audit Retention should be configured to be greater than 90 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok' - else 'alarm' - end as status, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.' - else name || ' audit retention less than 90 days.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.'\n else name || ' audit retention less than 90 days.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_2_1.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_2_1.yaml index f5627dd97..a86a5e87f 100755 
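Review bot: The first `when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok'` branch in the new `QueryToExecute` treats zero as unlimited retention without checking that auditing is on, so a disabled audit policy — which plausibly reports `retentionDays` 0 — is graded as "audit retention set to unlimited days". Guarding both ok branches with the state, e.g. `when audit -> 'properties' ->> 'state' = 'Enabled' and (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok'`, keeps the retention control from vouching for auditing that is off. The `::integer` cast also errors outright on a non-numeric value; `nullif(..., '')::integer` is a cheap guard. NULL `retentionDays` correctly falls to `else 'alarm'` here, which is the fail-closed shape the other branches should share.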
--- a/compliance/controls/pending/azure/azure_cis_v140_4_2_1.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_2_1.yaml @@ -1,32 +1,13 @@ ID: azure_cis_v140_4_2_1 Title: "4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled'" Description: "Enable \\\"Azure Defender for SQL\\\" on critical SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.' - else s.name || ' Azure defender enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.'\n else s.name || ' Azure defender enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_2_2.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_2_2.yaml index 8557f03f1..b99a04ee8 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_2_2.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_2_2.yaml 
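Review bot: The Defender-for-SQL check in the new `QueryToExecute` alarms only on `state = 'Disabled'`, so a NULL state or the API's never-configured state (surfaced as `New` by the security alert policy API, if the provider passes it through) reads as enabled. `when security -> 'properties' ->> 'state' = 'Enabled' then 'ok' else 'alarm'` makes every non-enabled state fail, which matches the `Title`. Servers whose `server_security_alert_policy` array is empty are dropped by `jsonb_array_elements` and produce no row at all, so they are invisible to the control rather than flagged.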
@@ -1,33 +1,13 @@ ID: azure_cis_v140_4_2_2 Title: "4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account" Description: "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.' - else s.name || ' VA setting enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.'\n else s.name || ' VA setting enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_2_3.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_2_3.yaml index ac91c77e5..f7c0d7473 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_2_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_2_3.yaml 
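Review bot: The new `QueryToExecute` derives the Vulnerability Assessment status from `security -> 'properties' ->> 'state'`, which is the threat-protection policy, and never reads the `assessment` element it expands from `server_vulnerability_assessment`; the `Title` asks whether VA is enabled "by setting a Storage Account", so the check should look at the assessment's storage path. Something like `when assessment -> 'properties' ->> 'storageContainerPath' is not null and security -> 'properties' ->> 'state' = 'Enabled' then 'ok' else 'alarm'` tests what the control claims. Expanding two arrays in the `from` list also yields one row per (policy, assessment) pair, so a server can be reported several times with the same id; a comment or `distinct on (s.id)` would make that intentional or remove it.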
@@ -1,49 +1,13 @@ ID: azure_cis_v140_4_2_3 Title: "4.2.3 Ensure that VA setting Periodic Recurring Scans is enabled on a SQL server" Description: "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - then s.name || ' VA setting periodic recurring scans disabled.' - else s.name || ' VA setting periodic recurring scans enabled.' 
- end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then s.name || ' VA setting periodic recurring scans disabled.'\n else s.name || ' VA setting periodic recurring scans enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_2_4.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_2_4.yaml index 838a203a9..53fd6dd24 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_2_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_2_4.yaml 
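Review bot: The alarm condition in the new `QueryToExecute` requires `assessment -> 'properties' ->> 'storageContainerPath' is not null`, so a server whose VA has no storage container configured (that is, VA not set up at all) never satisfies the alarm branch and is reported as "periodic recurring scans enabled". The guard should be the other way round: `or assessment -> 'properties' ->> 'storageContainerPath' is null or assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' is distinct from 'true'`, which also catches a NULL `isEnabled` that the current `= 'false'` comparison lets through. The `case` starts on the previous SOURCE line, so only its tail and the `from`/`where` clauses are visible here.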
@@ -1,49 +1,13 @@ ID: azure_cis_v140_4_2_4 Title: "4.2.4 Ensure that VA setting 'Send scan reports to' is configured for a SQL server" Description: "Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - then s.name || ' VA scan reports and alerts not configured send email.' - else s.name || ' VA scan reports and alerts configured to send email.' 
- end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then s.name || ' VA scan reports and alerts not configured send email.'\n else s.name || ' VA scan reports and alerts configured to send email.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_2_5.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_2_5.yaml index ad47e4c18..83ff51278 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_2_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_2_5.yaml 
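Review bot: `assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'` in the new `QueryToExecute` compares the text serialisation of a JSON array, so an absent `emails` key (NULL) or any whitespace variant of the empty array does not match and the server is reported as configured to send reports. `coalesce(jsonb_array_length(assessment -> 'properties' -> 'recurringScans' -> 'emails'), 0) = 0` tests the actual list length and treats a missing list as empty. As with the neighbouring VA controls, the `storageContainerPath is not null` precondition inside the alarm branch means a server with no VA storage configured passes this control; the status case starts on the previous SOURCE line.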
@@ -1,49 +1,13 @@ ID: azure_cis_v140_4_2_5 Title: "4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL server" Description: "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.' - else s.name || ' VA setting configured to send email notifications to subscription admins and owners.' 
- end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.'\n else s.name || ' VA setting configured to send email notifications to subscription admins and owners.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_3_2.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_3_2.yaml index d64335455..f98fe190e 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_3_2.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_3_2.yaml 
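Review bot: The `emailSubscriptionAdmins = 'false'` comparison in the new `QueryToExecute` only alarms on an explicit false; a missing key yields NULL and the server is reported as notifying admins. `assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' is distinct from 'true'` alarms on both false and absent. The enclosing `and assessment -> 'properties' ->> 'storageContainerPath' is not null` makes a server with no VA storage path skip the alarm branch entirely, which is the opposite of what the CIS item intends; the full `case` begins on the previous SOURCE line.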
@@ -1,33 +1,13 @@ ID: azure_cis_v140_4_3_2 Title: "4.3.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_checkpoints on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.' - else s.name || ' server parameter log_checkpoints on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_checkpoints' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.'\n else s.name || ' server parameter log_checkpoints on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_checkpoints'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_3_3.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_3_3.yaml index a4e1ce020..fc6598102 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_3_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_3_3.yaml 
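Review bot: A PostgreSQL server that has no `log_checkpoints` entry in `server_configurations` yields no row, since `where config ->> 'Name' = 'log_checkpoints'` filters the expanded array rather than the server, so such servers are silently omitted instead of alarmed; azure_cis_v140_4_3_3 through 4_3_6 have the same shape. A null `value` also falls through to `else 'ok'`, because `lower(null) != 'on'` is null and the `case` treats null as not matched. Moving the `Name` match into `left join lateral jsonb_array_elements(server_configurations) config on config ->> 'Name' = 'log_checkpoints'` and adding `when config is null then 'alarm'` before the existing branch would close both gaps.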
@@ -1,33 +1,13 @@ ID: azure_cis_v140_4_3_3 Title: "4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_connections on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.' - else s.name || ' server parameter log_connections on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_connections' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.'\n else s.name || ' server parameter log_connections on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_connections'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_3_4.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_3_4.yaml index 26c823867..3ab2b991c 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_3_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_3_4.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v140_4_3_4 Title: "4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_disconnections on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.' - else name || ' server parameter log_disconnections on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_disconnections' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.'\n else name || ' server parameter log_disconnections on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_disconnections'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_3_5.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_3_5.yaml index 0fd126265..9bd20967e 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_3_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_3_5.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v140_4_3_5 Title: "4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server" Description: "Enable connection_throttling on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.' - else s.name || ' server parameter connection_throttling on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'connection_throttling' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.'\n else s.name || ' server parameter connection_throttling on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'connection_throttling'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_3_6.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_3_6.yaml index da4a8d12e..01a0643bb 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_3_6.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_3_6.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v140_4_3_6 Title: "4.3.6 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server" Description: "Enable log_retention_days on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm' - else 'ok' - end as status, - case - when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.' - else s.name || ' log files are retained for more than 3 days.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) as config, - azure_subscription sub - where - config ->> 'Name' = 'log_retention_days' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'\n else 'ok'\n end as status,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.'\n else s.name || ' log files are retained for more than 3 days.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) as config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_retention_days'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_4_6.yaml b/compliance/controls/pending/azure/azure_cis_v140_4_6.yaml index 02965f0c9..fd9511fcd 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_4_6.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_4_6.yaml 
@@ -1,32 +1,13 @@ ID: azure_cis_v140_4_6 Title: "4.6 Ensure SQL server's TDE protector is encrypted with Customer-managed key" Description: "Based on business needs or criticality of data/databases hosted a SQL server, it is recommended that the TDE protector is encrypted by a key that is managed by the data owner (Customer-managed key)" -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when encryption ->> 'kind' = 'servicemanaged' then 'alarm' - else 'ok' - end as status, - case - when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.' - else s.name || ' TDE protector encrypted with CMK.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(encryption_protector) encryption, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when encryption ->> 'kind' = 'servicemanaged' then 'alarm'\n else 'ok'\n end as status,\n case\n when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.'\n else s.name || ' TDE protector encrypted with CMK.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(encryption_protector) encryption,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_5_1_4.yaml b/compliance/controls/pending/azure/azure_cis_v140_5_1_4.yaml index 1c16b515c..11f2b7989 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_5_1_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_5_1_4.yaml 
@@ -1,35 +1,13 @@ ID: azure_cis_v140_5_1_4 Title: "5.1.4 Ensure the storage account containing the container with activity logs is encrypted with BYOK (Use Your Own Key)" Description: "The storage account with the activity log export container is configured to use BYOK (Use Your Own Key)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - case - when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok' - else 'alarm' - end as status, - case - when a.encryption_key_source = 'Microsoft.Keyvault' - then a.name || ' container insights-operational-logs encrypted with BYOK.' - else a.name || ' container insights-operational-logs not encrypted with BYOK.' - end as reason - - - - from - azure_storage_container c, - azure_storage_account a, - azure_subscription sub - where - c.name = 'insights-operational-logs' - and c.account_name = a.name - and sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault'\n then a.name || ' container insights-operational-logs encrypted with BYOK.'\n else a.name || ' container insights-operational-logs not encrypted with BYOK.'\n end as reason\n \n \n \nfrom\n azure_storage_container c,\n azure_storage_account a,\n azure_subscription sub\nwhere\n c.name = 'insights-operational-logs'\n and c.account_name = a.name\n and sub.subscription_id = a.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_6_4.yaml b/compliance/controls/pending/azure/azure_cis_v140_6_4.yaml index d0ca0ac77..90608717c 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_6_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_6_4.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v140_6_4 Title: "6.4 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'" Description: "Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sg.id resource, - case - when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm' - else 'ok' - end as status, - case - when fl.id is null or not fl.enabled - then sg.name || ' flowlog not enabled.' - when fl.retention_policy_days < 90 - then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.' - else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.' - end as reason - - - - from - azure_network_security_group sg - left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id - join azure_subscription sub on sub.subscription_id = sg.subscription_id; + QueryToExecute: "select\n sg.id resource,\n case\n when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'\n else 'ok'\n end as status,\n case\n when fl.id is null or not fl.enabled\n then sg.name || ' flowlog not enabled.'\n when fl.retention_policy_days < 90\n then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'\n else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'\n end as reason\n \n \n \nfrom\n azure_network_security_group sg\n left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id\n join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
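Review bot: A flow log that is enabled but whose `retention_policy_days` is null is reported `ok`, because `fl.id is null or not fl.enabled or fl.retention_policy_days < 90` evaluates to null in that case and the `case` falls to `else`; whether null can occur there is not visible from this file, but if it can, an explicit `when fl.id is null or not fl.enabled or fl.retention_policy_days is null then 'alarm'` branch would surface it instead of hiding it. The Title says 'greater than 90 days' while the Description and the `< 90` test treat exactly 90 days as compliant; the title wording should match the check.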
diff --git a/compliance/controls/pending/azure/azure_cis_v140_6_5.yaml b/compliance/controls/pending/azure/azure_cis_v140_6_5.yaml index 58736815e..45fe26dcd 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_6_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_6_5.yaml @@ -1,31 +1,13 @@ ID: azure_cis_v140_6_5 Title: "6.5 Ensure that Network Watcher is 'Enabled'" Description: "Enable Network Watcher for Azure subscriptions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - loc.id resource, - case - when watcher.id is null then 'alarm' - else 'ok' - end as status, - case - when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.' - else 'Network watcher enabled in ' || loc.name || '.' - end as reason, - loc.name - - - - from - azure_location loc - left join azure_network_watcher watcher on watcher.region = loc.name - join azure_subscription sub on sub.subscription_id = loc.subscription_id; + QueryToExecute: "select\n loc.id resource,\n case\n when watcher.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.'\n else 'Network watcher enabled in ' || loc.name || '.'\n end as reason,\n loc.name\n \n \n \nfrom\n azure_location loc\n left join azure_network_watcher watcher on watcher.region = loc.name\n join azure_subscription sub on sub.subscription_id = loc.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v140_9_10.yaml b/compliance/controls/pending/azure/azure_cis_v140_9_10.yaml index 6e22dbdde..cd210c91f 100755 --- a/compliance/controls/pending/azure/azure_cis_v140_9_10.yaml +++ b/compliance/controls/pending/azure/azure_cis_v140_9_10.yaml 
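Review bot: The select list returns a fourth column, `loc.name`, that no other control in this range emits, and the `join azure_subscription sub` is not referenced anywhere in the select or where clause; if CloudQL expects exactly resource/status/reason the extra column should be dropped, otherwise a short comment on why it is needed would help the next reader. Because that join is an inner join, a location whose subscription row is missing also disappears from the result rather than alarming; I cannot tell from here whether that can happen.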
@@ -1,50 +1,13 @@ ID: azure_cis_v140_9_10 Title: "9.10 Ensure FTP deployments are disabled" Description: "By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - fa.id as resource, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.' - else name || ' FTP deployments disabled.' - end as reason - - - - from - azure_app_service_function_app fa, - azure_subscription sub - where - sub.subscription_id = fa.subscription_id - union - select - wa.id as resource, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.' - else name || ' FTP deployments disabled.' 
- end as reason - - - - from - azure_app_service_web_app as wa, - azure_subscription as sub - where - sub.subscription_id = wa.subscription_id; + QueryToExecute: "select\n fa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_function_app fa,\n azure_subscription sub\n where\n sub.subscription_id = fa.subscription_id\nunion\n select\n wa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_web_app as wa,\n azure_subscription as sub\n where\n sub.subscription_id = wa.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v150_1_13.yaml b/compliance/controls/pending/azure/azure_cis_v150_1_13.yaml index b55c18957..6ae43688c 100755 --- a/compliance/controls/pending/azure/azure_cis_v150_1_13.yaml +++ b/compliance/controls/pending/azure/azure_cis_v150_1_13.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_1_13 Title: "1.13 Ensure that 'Users can add gallery apps to My Apps' is set to 'No'" Description: "Require administrators to provide consent for the apps before use." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -15,3 +13,5 @@ Query: Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
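Review bot: Only `ftpsState = 'AllAllowed'` is treated as a failure, so an app whose `configuration -> 'properties' ->> 'ftpsState'` is null or carries an unexpected value is reported `ok` with the 'FTP deployments disabled' reason; testing against the compliant values instead, `when coalesce(configuration -> 'properties' ->> 'ftpsState', '') not in ('FtpsOnly', 'Disabled') then 'alarm'`, in both `case` expressions of both halves of the union, makes the default fail closed. `name` is also unqualified in a two-table from clause in both halves; `fa.name` and `wa.name` would match the other controls here.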
diff --git a/compliance/controls/pending/azure/azure_cis_v150_1_18.yaml b/compliance/controls/pending/azure/azure_cis_v150_1_18.yaml index f0f21c1d0..6e4aeb25a 100755 --- a/compliance/controls/pending/azure/azure_cis_v150_1_18.yaml +++ b/compliance/controls/pending/azure/azure_cis_v150_1_18.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v150_1_18 Title: "1.18 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes'" Description: "Restricts group creation to administrators with permissions only." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -15,3 +13,5 @@ Query: Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v150_3_13.yaml b/compliance/controls/pending/azure/azure_cis_v150_3_13.yaml index 753091ef7..2e5159bf7 100755 --- a/compliance/controls/pending/azure/azure_cis_v150_3_13.yaml +++ b/compliance/controls/pending/azure/azure_cis_v150_3_13.yaml 
@@ -1,40 +1,13 @@ ID: azure_cis_v150_3_13 Title: "3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests" Description: "The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - case - when not (sa.blob_service_logging ->> 'Read') :: boolean - or not (sa.blob_service_logging ->> 'Write') :: boolean - or not (sa.blob_service_logging ->> 'Delete') :: boolean then 'alarm' - else 'ok' - end as status, - case - when not (sa.blob_service_logging ->> 'Read') :: boolean - or not (sa.blob_service_logging ->> 'Write') :: boolean - or not (sa.blob_service_logging ->> 'Delete') :: boolean then name || ' blob service logging not enabled for ' || - concat_ws(', ', - case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end, - case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end, - case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end - ) || ' requests.' - else name || ' blob service logging enabled for read, write, delete requests.' 
- end as reason - - - - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n case\n when not (sa.blob_service_logging ->> 'Read') :: boolean\n or not (sa.blob_service_logging ->> 'Write') :: boolean\n or not (sa.blob_service_logging ->> 'Delete') :: boolean then 'alarm'\n else 'ok'\n end as status,\n case\n when not (sa.blob_service_logging ->> 'Read') :: boolean\n or not (sa.blob_service_logging ->> 'Write') :: boolean\n or not (sa.blob_service_logging ->> 'Delete') :: boolean then name || ' blob service logging not enabled for ' ||\n concat_ws(', ',\n case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end,\n case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end,\n case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end\n ) || ' requests.'\n else name || ' blob service logging enabled for read, write, delete requests.'\n end as reason\n \n \n \nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_1_1.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_1_1.yaml index debcfd6d3..74b26c360 100755 --- a/compliance/controls/pending/azure/azure_cis_v150_4_1_1.yaml +++ b/compliance/controls/pending/azure/azure_cis_v150_4_1_1.yaml 
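Review bot: When `sa.blob_service_logging` is null, every `not (... ->> 'Read') :: boolean` term is null, the whole `when` is null, and the account is reported `ok` with the 'enabled for read, write, delete requests' reason, so a missing logging setting reads as compliant. Wrapping each term as `coalesce((sa.blob_service_logging ->> 'Read') :: boolean, false)` (and likewise for Write and Delete) in both `case` expressions turns that into an alarm. `name` is left unqualified in a two-table from clause; `sa.name` would match the other controls in this range.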
@@ -1,32 +1,13 @@ ID: azure_cis_v150_4_1_1 Title: "4.1.1 Ensure that 'Auditing' is set to 'On'" Description: "Enable auditing on SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.' - else name || ' auditing enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.'\n else name || ' auditing enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_1_3.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_1_3.yaml index cb56fa8b6..7117bc0dc 100755 --- a/compliance/controls/pending/azure/azure_cis_v150_4_1_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v150_4_1_3.yaml 
@@ -1,32 +1,13 @@ ID: azure_cis_v150_4_1_3 Title: "4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key" Description: "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when encryption ->> 'kind' = 'servicemanaged' then 'alarm' - else 'ok' - end as status, - case - when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.' - else s.name || ' TDE protector encrypted with CMK.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(encryption_protector) encryption, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when encryption ->> 'kind' = 'servicemanaged' then 'alarm'\n else 'ok'\n end as status,\n case\n when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.'\n else s.name || ' TDE protector encrypted with CMK.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(encryption_protector) encryption,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_1_6.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_1_6.yaml index c4b3c7cb1..c4c63f5b2 100755 --- a/compliance/controls/pending/azure/azure_cis_v150_4_1_6.yaml +++ b/compliance/controls/pending/azure/azure_cis_v150_4_1_6.yaml 
@@ -1,34 +1,13 @@ ID: azure_cis_v150_4_1_6 Title: "4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'" Description: "SQL Server Audit Retention should be configured to be greater than 90 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok' - else 'alarm' - end as status, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.' - else name || ' audit retention less than 90 days.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.'\n else name || ' audit retention less than 90 days.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_2_1.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_2_1.yaml index 55bc427e6..b9f2604d5 100755 
--- a/compliance/controls/pending/azure/azure_cis_v150_4_2_1.yaml +++ b/compliance/controls/pending/azure/azure_cis_v150_4_2_1.yaml @@ -1,32 +1,13 @@ ID: azure_cis_v150_4_2_1 Title: "4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers" Description: "Enable \\\"Azure Defender for SQL\\\" on critical SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.' - else s.name || ' Azure defender enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.'\n else s.name || ' Azure defender enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_2_2.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_2_2.yaml index b143f4ddd..267ebe77e 100755 --- a/compliance/controls/pending/azure/azure_cis_v150_4_2_2.yaml +++ b/compliance/controls/pending/azure/azure_cis_v150_4_2_2.yaml 
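Review bot: The Description value `"Enable \\\"Azure Defender for SQL\\\" on critical SQL Servers."` decodes to a string containing a literal backslash before each inner quote, because `\\` is an escaped backslash inside a YAML double-quoted scalar; it is an unchanged context line, but since the hunk rewrites the file anyway the fix is cheap, `Description: "Enable \"Azure Defender for SQL\" on critical SQL Servers."`. The query has the same `jsonb_array_elements` drop-out as noted on azure_cis_v140_4_2_5.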
@@ -1,33 +1,13 @@ ID: azure_cis_v150_4_2_2 Title: "4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account" Description: "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.' - else s.name || ' VA setting enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.'\n else s.name || ' VA setting enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_2_3.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_2_3.yaml index c8f96a05c..50aeab3bc 100755 --- a/compliance/controls/pending/azure/azure_cis_v150_4_2_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v150_4_2_3.yaml 
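Review bot: The Title requires a storage account to be set for Vulnerability Assessment, but the query only tests `security -> 'properties' ->> 'state' = 'Disabled'` and never reads `assessment -> 'properties' ->> 'storageContainerPath'`, so the `assessment` alias only multiplies rows and a server with Defender enabled but no VA storage is reported `ok`. Adding `or assessment -> 'properties' ->> 'storageContainerPath' is null` to both `when` conditions (azure_cis_v140_4_2_5 and v150_4_2_3 already read that field) would make the check match the title.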
@@ -1,49 +1,13 @@
 ID: azure_cis_v150_4_2_3
 Title: "4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server"
 Description: "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when
- security -> 'properties' ->> 'state' = 'Disabled'
- or
- (
- security -> 'properties' ->> 'state' = 'Enabled'
- and assessment -> 'properties' ->> 'storageContainerPath' is not null
- and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'
- )
- then 'alarm'
- else 'ok'
- end as status,
- case
- when
- security -> 'properties' ->> 'state' = 'Disabled'
- or
- (
- security -> 'properties' ->> 'state' = 'Enabled'
- and assessment -> 'properties' ->> 'storageContainerPath' is not null
- and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'
- )
- then s.name || ' VA setting periodic recurring scans disabled.'
- else s.name || ' VA setting periodic recurring scans enabled.'
- end as reason
-
-
-
- from
- azure_sql_server s,
- jsonb_array_elements(server_security_alert_policy) security,
- jsonb_array_elements(server_vulnerability_assessment) assessment,
- azure_subscription sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then s.name || ' VA setting periodic recurring scans disabled.'\n else s.name || ' VA setting periodic recurring scans enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_2_4.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_2_4.yaml
index 81c0fbe6e..8a184aedf 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_4_2_4.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_4_2_4.yaml
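Review bot: The `assessment -> 'properties' ->> 'storageContainerPath' is not null` guard means a server whose VA storage is not configured at all can never reach the 'alarm' branch and is reported as "periodic recurring scans enabled", which defeats the control's intent. Unless the unconfigured case is deliberately delegated to 4.2.2, alarm on a null container path as well and make the flag test null-safe, e.g. `or assessment -> 'properties' ->> 'storageContainerPath' is null or assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' is distinct from 'true'`; today a missing `isEnabled` key compares unequal to `'false'` and passes. The predicate is duplicated verbatim in the status and reason expressions, which is a maintenance hazard; computing it once (a CTE or `cross join lateral (select ...) as chk`) keeps the two in sync.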
@@ -1,49 +1,13 @@
 ID: azure_cis_v150_4_2_4
 Title: "4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server"
 Description: "Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when
- security -> 'properties' ->> 'state' = 'Disabled'
- or
- (
- security -> 'properties' ->> 'state' = 'Enabled'
- and assessment -> 'properties' ->> 'storageContainerPath' is not null
- and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'
- )
- then 'alarm'
- else 'ok'
- end as status,
- case
- when
- security -> 'properties' ->> 'state' = 'Disabled'
- or
- (
- security -> 'properties' ->> 'state' = 'Enabled'
- and assessment -> 'properties' ->> 'storageContainerPath' is not null
- and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'
- )
- then s.name || ' VA scan reports and alerts not configured send email.'
- else s.name || ' VA scan reports and alerts configured to send email.'
- end as reason
-
-
-
- from
- azure_sql_server s,
- jsonb_array_elements(server_security_alert_policy) security,
- jsonb_array_elements(server_vulnerability_assessment) assessment,
- azure_subscription sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then s.name || ' VA scan reports and alerts not configured send email.'\n else s.name || ' VA scan reports and alerts configured to send email.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_2_5.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_2_5.yaml
index 491986272..25b9a5d06 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_4_2_5.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_4_2_5.yaml
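Review bot: The email check `... -> 'recurringScans' ->> 'emails' = '[]'` only matches when the key is present with an empty array; if `recurringScans` or `emails` is absent, `->>` yields null, the comparison is not true, and the server is reported as "configured to send email". A null-safe form such as `coalesce(jsonb_array_length(assessment -> 'properties' -> 'recurringScans' -> 'emails'), 0) = 0` covers both cases (guard with `jsonb_typeof(...) = 'array'` if the field can be anything other than an array, since `jsonb_array_length` errors on scalars). As in 4.2.3, the `storageContainerPath is not null` guard lets a server with no VA configured at all pass as 'ok'. The reason string "not configured send email" reads as a typo for "not configured to send email".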
@@ -1,49 +1,13 @@
 ID: azure_cis_v150_4_2_5
 Title: "4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server"
 Description: "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when
- security -> 'properties' ->> 'state' = 'Disabled'
- or
- (
- security -> 'properties' ->> 'state' = 'Enabled'
- and assessment -> 'properties' ->> 'storageContainerPath' is not null
- and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'
- )
- then 'alarm'
- else 'ok'
- end as status,
- case
- when
- security -> 'properties' ->> 'state' = 'Disabled'
- or
- (
- security -> 'properties' ->> 'state' = 'Enabled'
- and assessment -> 'properties' ->> 'storageContainerPath' is not null
- and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'
- )
- then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.'
- else s.name || ' VA setting configured to send email notifications to subscription admins and owners.'
- end as reason
-
-
-
- from
- azure_sql_server s,
- jsonb_array_elements(server_security_alert_policy) security,
- jsonb_array_elements(server_vulnerability_assessment) assessment,
- azure_subscription sub
- where
- sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.'\n else s.name || ' VA setting configured to send email notifications to subscription admins and owners.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_3_2.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_3_2.yaml
index d289b6e28..67fbe9e04 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_4_3_2.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_4_3_2.yaml
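Review bot: `emailSubscriptionAdmins = 'false'` passes a server where the key is missing (null is never equal to `'false'`), and the `storageContainerPath is not null` guard passes a server with no VA configured at all, so the only servers that can alarm are ones that are already mostly configured. Use `is distinct from 'true'` for the flag and drop or invert the path guard, e.g. `and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' is distinct from 'true'`. The comma-join of the `security` and `assessment` array elements emits one row per (policy, assessment) pair; if either array can hold more than one element, the control produces duplicate findings for the same `s.id`.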
@@ -1,33 +1,13 @@
 ID: azure_cis_v150_4_3_2
 Title: "4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server"
 Description: "Enable log_checkpoints on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'
- else 'ok'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.'
- else s.name || ' server parameter log_checkpoints on.'
- end as reason
-
-
-
- from
- azure_postgresql_server s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'log_checkpoints'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.'\n else s.name || ' server parameter log_checkpoints on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_checkpoints'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_3_3.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_3_3.yaml
index b7e6ec530..4fac4e866 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_4_3_3.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_4_3_3.yaml
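Review bot: `lower(config -> 'ConfigurationProperties' ->> 'value') != 'on'` is null rather than true when the `value` key is absent, so the server falls through to the 'ok' branch with the reason "log_checkpoints on"; `is distinct from 'on'` reports a missing value as non-compliant instead. A server that has no `log_checkpoints` entry in `server_configurations` at all is removed by the `where config ->> 'Name' = 'log_checkpoints'` predicate and never appears in the results, which hides exactly the case an auditor wants to see; a `left join ... on config ->> 'Name' = 'log_checkpoints'` with the filter in the join condition keeps it. Both points apply to the 4.3.3–4.3.5 controls in this series, which share the query shape. `azure_postgresql_server` presumably covers single servers only; if flexible servers are in scope they would need a parallel control (not verified here).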
@@ -1,33 +1,13 @@
 ID: azure_cis_v150_4_3_3
 Title: "4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server"
 Description: "Enable log_connections on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'
- else 'ok'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.'
- else s.name || ' server parameter log_connections on.'
- end as reason
-
-
-
- from
- azure_postgresql_server s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'log_connections'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.'\n else s.name || ' server parameter log_connections on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_connections'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_3_4.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_3_4.yaml
index 9f766ad8c..2804a6c71 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_4_3_4.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_4_3_4.yaml
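Review bot: A missing or null `value` for `log_connections` is reported as compliant, because `lower(null) != 'on'` evaluates to null and the `case` falls through to 'ok'. Writing the predicate as `lower(config -> 'ConfigurationProperties' ->> 'value') is distinct from 'on'` turns the absent value into an alarm. Servers with no `log_connections` row in `server_configurations` are dropped entirely by the `where` clause and so are neither passed nor failed; moving that filter into a `left join ... on` condition would surface them.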
@@ -1,33 +1,13 @@
 ID: azure_cis_v150_4_3_4
 Title: "4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server"
 Description: "Enable log_disconnections on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'
- else 'ok'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.'
- else name || ' server parameter log_disconnections on.'
- end as reason
-
-
-
- from
- azure_postgresql_server s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'log_disconnections'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.'\n else name || ' server parameter log_disconnections on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_disconnections'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_3_5.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_3_5.yaml
index 44398f83f..ad0943714 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_4_3_5.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_4_3_5.yaml
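Review bot: The reason expressions use an unqualified `name` while the resource column and the neighbouring PostgreSQL controls (4.3.2, 4.3.3, 4.3.5) use `s.name`; with `azure_subscription sub` in the `from` list this is at best inconsistent and, if that table also exposes a `name` column, an ambiguous-column error at run time. Qualify it: `then s.name || ' server parameter log_disconnections off.'` / `else s.name || ' server parameter log_disconnections on.'`. The `!= 'on'` comparison also treats a null value as compliant; `is distinct from 'on'` would not.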
@@ -1,33 +1,13 @@
 ID: azure_cis_v150_4_3_5
 Title: "4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"
 Description: "Enable connection_throttling on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'
- else 'ok'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.'
- else s.name || ' server parameter connection_throttling on.'
- end as reason
-
-
-
- from
- azure_postgresql_server s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'connection_throttling'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.'\n else s.name || ' server parameter connection_throttling on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'connection_throttling'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_3_6.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_3_6.yaml
index a77d28fd3..f4d0c8a09 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_4_3_6.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_4_3_6.yaml
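Review bot: When the `connection_throttling` value is absent, `lower(...) != 'on'` is null and the server is reported as "connection_throttling on", which is the wrong default for a security control. `lower(config -> 'ConfigurationProperties' ->> 'value') is distinct from 'on'` makes the unknown state an alarm. A server that has no `connection_throttling` entry at all is filtered away by the `where` clause rather than surfaced; moving `config ->> 'Name' = 'connection_throttling'` into a `left join ... on` condition would keep it in the results.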
@@ -1,33 +1,13 @@
 ID: azure_cis_v150_4_3_6
 Title: "4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server"
 Description: "Enable log_retention_days on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'
- else 'ok'
- end as status,
- case
- when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.'
- else s.name || ' log files are retained for more than 3 days.'
- end as reason
-
-
-
- from
- azure_postgresql_server s,
- jsonb_array_elements(server_configurations) as config,
- azure_subscription sub
- where
- config ->> 'Name' = 'log_retention_days'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'\n else 'ok'\n end as status,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.'\n else s.name || ' log files are retained for more than 3 days.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) as config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_retention_days'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_4_4_4.yaml b/compliance/controls/pending/azure/azure_cis_v150_4_4_4.yaml
index 1b3d3d196..18bb12582 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_4_4_4.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_4_4_4.yaml
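Review bot: `(config -> 'ConfigurationProperties' ->> 'value')::integer` aborts the whole query with a cast error if any server carries a non-integer string (an empty string, for instance), and a null value makes `<= 3` null so that server is reported as "retained for more than 3 days". Because `or` operands are not evaluated in a guaranteed order, guard the cast with a preceding `when` branch: `when (config -> 'ConfigurationProperties' ->> 'value') is null or (config -> 'ConfigurationProperties' ->> 'value') !~ '^\d+$' then 'alarm'` followed by `when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'`, and mirror the same ordering in the reason expression. The reason text "3 days or lesser" reads better as "3 days or fewer".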
@@ -1,33 +1,13 @@
 ID: azure_cis_v150_4_4_4
 Title: "4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server"
 Description: "Set audit_log_enabled to include CONNECTION on MySQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then 'ok'
- else 'alarm'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then s.name || ' server parameter audit_log_events has connection set.'
- else s.name || ' server parameter audit_log_events connection not set.'
- end as reason
-
-
-
- from
- azure_mysql_server as s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'audit_log_events'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then 'ok'\n else 'alarm'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then s.name || ' server parameter audit_log_events has connection set.'\n else s.name || ' server parameter audit_log_events connection not set.'\n end as reason\n \n \n \nfrom\n azure_mysql_server as s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'audit_log_events'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_5_1_4.yaml b/compliance/controls/pending/azure/azure_cis_v150_5_1_4.yaml
index 2303ca161..f603eabea 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_5_1_4.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_5_1_4.yaml
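Review bot: `lower(...) = 'connection'` only passes when CONNECTION is the sole audit event; `audit_log_events` takes a comma-separated list of event types (e.g. `CONNECTION,DDL,DML`), and the title only requires CONNECTION to be included, so a server with a richer, stricter setting is reported as non-compliant. Test for membership instead: `when 'connection' = any(string_to_array(lower(config -> 'ConfigurationProperties' ->> 'value'), ',')) then 'ok'` (trimming whitespace around the tokens if the API can return it). The description names `audit_log_enabled` while the query and title check `audit_log_events`; those are different parameters and the description should probably say `audit_log_events`.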
@@ -1,35 +1,13 @@
 ID: azure_cis_v150_5_1_4
 Title: "5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key"
 Description: "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- case
- when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'
- else 'alarm'
- end as status,
- case
- when a.encryption_key_source = 'Microsoft.Keyvault'
- then a.name || ' container insights-operational-logs encrypted with BYOK.'
- else a.name || ' container insights-operational-logs not encrypted with BYOK.'
- end as reason
-
-
-
- from
- azure_storage_container c,
- azure_storage_account a,
- azure_subscription sub
- where
- c.name = 'insights-operational-logs'
- and c.account_name = a.name
- and sub.subscription_id = a.subscription_id;
+ QueryToExecute: "select\n a.id as resource,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault'\n then a.name || ' container insights-operational-logs encrypted with BYOK.'\n else a.name || ' container insights-operational-logs not encrypted with BYOK.'\n end as reason\n \n \n \nfrom\n azure_storage_container c,\n azure_storage_account a,\n azure_subscription sub\nwhere\n c.name = 'insights-operational-logs'\n and c.account_name = a.name\n and sub.subscription_id = a.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_6_5.yaml b/compliance/controls/pending/azure/azure_cis_v150_6_5.yaml
index ab710808f..a526345e4 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_6_5.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_6_5.yaml
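Review bot: The control only evaluates storage accounts that currently hold a container literally named `insights-operational-logs`; a subscription whose activity log is exported to a differently named container (diagnostic-settings exports land in `insights-activity-logs` as far as I know) or not exported at all yields no row and is neither passed nor failed. If both export paths are meant to be covered, match `c.name in ('insights-operational-logs', 'insights-activity-logs')`, and consider driving the query from the subscription's log-export configuration rather than a fixed container name so that "no export" becomes a finding rather than silence. The reason strings say "encrypted with BYOK" while the title says Customer Managed Key; pick one term so findings match the control name.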
@@ -1,33 +1,13 @@
 ID: azure_cis_v150_6_5
 Title: "6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'"
 Description: "Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sg.id resource,
- case
- when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'
- else 'ok'
- end as status,
- case
- when fl.id is null or not fl.enabled
- then sg.name || ' flowlog not enabled.'
- when fl.retention_policy_days < 90
- then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'
- else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'
- end as reason
-
-
-
- from
- azure_network_security_group sg
- left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id
- join azure_subscription sub on sub.subscription_id = sg.subscription_id;
+ QueryToExecute: "select\n sg.id resource,\n case\n when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'\n else 'ok'\n end as status,\n case\n when fl.id is null or not fl.enabled\n then sg.name || ' flowlog not enabled.'\n when fl.retention_policy_days < 90\n then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'\n else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'\n end as reason\n \n \n \nfrom\n azure_network_security_group sg\n left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id\n join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
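Review bot: `fl.retention_policy_days < 90` alarms on a retention of `0`, which in NSG flow-log settings denotes "retain indefinitely" (retention policy disabled, days = 0) rather than zero days, so the most generous configuration is reported as non-compliant; please confirm how `azure_network_watcher_flow_log` encodes that case and, if 0 means forever, exclude it with `fl.retention_policy_days between 1 and 89`. The title says "greater than 90 days" while the description and the `< 90` predicate treat exactly 90 as compliant; align the title with the check. A null `retention_policy_days` on an enabled log falls through to the `else` branch and is printed as "retention period is  days" (concatenating null yields null in the reason), so that case deserves its own branch too.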
diff --git a/compliance/controls/pending/azure/azure_cis_v150_6_6.yaml b/compliance/controls/pending/azure/azure_cis_v150_6_6.yaml
index 581eecfed..cd66062f9 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_6_6.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_6_6.yaml
@@ -1,31 +1,13 @@
 ID: azure_cis_v150_6_6
 Title: "6.6 Ensure that Network Watcher is 'Enabled'"
 Description: "Enable Network Watcher for Azure subscriptions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- loc.id resource,
- case
- when watcher.id is null then 'alarm'
- else 'ok'
- end as status,
- case
- when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.'
- else 'Network watcher enabled in ' || loc.name || '.'
- end as reason,
- loc.name
-
-
-
- from
- azure_location loc
- left join azure_network_watcher watcher on watcher.region = loc.name
- join azure_subscription sub on sub.subscription_id = loc.subscription_id;
+ QueryToExecute: "select\n loc.id resource,\n case\n when watcher.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.'\n else 'Network watcher enabled in ' || loc.name || '.'\n end as reason,\n loc.name\n \n \n \nfrom\n azure_location loc\n left join azure_network_watcher watcher on watcher.region = loc.name\n join azure_subscription sub on sub.subscription_id = loc.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_8_7.yaml b/compliance/controls/pending/azure/azure_cis_v150_8_7.yaml
index 95fd0634e..596e65517 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_8_7.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_8_7.yaml
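Review bot: The `left join azure_network_watcher watcher on watcher.region = loc.name` is keyed on region only, so in a multi-subscription scan a watcher that exists in subscription A satisfies the check for the same region in subscription B, and B's missing watcher is reported as 'ok'. Add the subscription to the join condition, `on watcher.region = loc.name and watcher.subscription_id = loc.subscription_id`, assuming the watcher table exposes `subscription_id` like the other tables in this series. Driving the check from every row of `azure_location` will also alarm on regions where the subscription has no resources at all; if that is noisier than intended, restrict to locations that actually host virtual networks.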
@@ -1,37 +1,13 @@
 ID: azure_cis_v150_8_7
 Title: "8.7 Ensure that Private Endpoints are Used for Azure Key Vault"
 Description: "Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- case
- -- Having private_endpoint_connections will not permit vault to use the same.
- -- In case'defaultAction' = 'Allow', All Network including internet is allowed, which will not satisfy the private endpoint connection.
- -- Default All network will have not network_acls associated.
- when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then 'alarm'
- when private_endpoint_connections is null then 'info'
- when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' then 'ok'
- else 'alarm'
- end as status,
- case
- when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.'
- when private_endpoint_connections is null then a.name || ' no private link exists.'
- when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]'
- then a.name || ' using private link.'
- else a.name || ' private link not enabled.'
- end as reason
-
-
-
- from
- azure_key_vault a,
- azure_subscription sub;
+ QueryToExecute: "select\n a.id as resource,\n case\n -- Having private_endpoint_connections will not permit vault to use the same.\n -- In case'defaultAction' = 'Allow', All Network including internet is allowed, which will not satisfy the private endpoint connection.\n -- Default All network will have not network_acls associated.\n when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then 'alarm'\n when private_endpoint_connections is null then 'info'\n when private_endpoint_connections @> '[{\"PrivateLinkServiceConnectionStateStatus\": \"Approved\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.'\n when private_endpoint_connections is null then a.name || ' no private link exists.'\n when private_endpoint_connections @> '[{\"PrivateLinkServiceConnectionStateStatus\": \"Approved\"}]'\n then a.name || ' using private link.'\n else a.name || ' private link not enabled.'\n end as reason\n \n \n \nfrom\n azure_key_vault a,\n azure_subscription sub;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_9_10.yaml b/compliance/controls/pending/azure/azure_cis_v150_9_10.yaml
index e28db2e13..90892206a 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_9_10.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_9_10.yaml
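Review bot: `from azure_key_vault a, azure_subscription sub;` has no join predicate, so with more than one subscription in scope every vault is emitted once per subscription (N identical findings with the same `a.id`); every other control in this series constrains the join, and this one needs `where sub.subscription_id = a.subscription_id` too (or simply drops `azure_subscription`, since nothing is selected from it). Returning 'info' when `private_endpoint_connections is null` is a soft outcome for a control titled "Ensure that Private Endpoints are Used": a vault with a restrictive ACL but no private endpoint still does not meet the control, and 'alarm' is the more honest result unless 'info' is a deliberate triage state. The `@>` containment test hinges on the exact key `PrivateLinkServiceConnectionStateStatus`; worth confirming that is the name and casing the table emits, because a mismatch routes every vault that has endpoints to the final 'alarm' branch. Putting SQL comments and JSON literals inside a double-quoted YAML scalar also forced the `\"` escapes seen here, which the `|` block form avoided.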
@@ -1,50 +1,13 @@
 ID: azure_cis_v150_9_10
 Title: "9.10 Ensure FTP deployments are disabled"
 Description: "By default, Azure Functions, Web and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- fa.id as resource,
- case
- when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'
- else 'ok'
- end as status,
- case
- when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'
- else name || ' FTP deployments disabled.'
- end as reason
-
-
-
- from
- azure_app_service_function_app fa,
- azure_subscription sub
- where
- sub.subscription_id = fa.subscription_id
- union
- select
- wa.id as resource,
- case
- when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'
- else 'ok'
- end as status,
- case
- when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'
- else name || ' FTP deployments disabled.'
- end as reason
-
-
-
- from
- azure_app_service_web_app as wa,
- azure_subscription as sub
- where
- sub.subscription_id = wa.subscription_id;
+ QueryToExecute: "select\n fa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_function_app fa,\n azure_subscription sub\n where\n sub.subscription_id = fa.subscription_id\nunion\n select\n wa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_web_app as wa,\n azure_subscription as sub\n where\n sub.subscription_id = wa.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v150_9_3.yaml b/compliance/controls/pending/azure/azure_cis_v150_9_3.yaml
index 92d75aa55..923a0d562 100755
--- a/compliance/controls/pending/azure/azure_cis_v150_9_3.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v150_9_3.yaml
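Review bot: A null `ftpsState` (for instance when `configuration` was not collected, or the property is absent for an app) is reported as "FTP deployments disabled", because `null = 'AllAllowed'` is not true and the `case` defaults to 'ok'; make the unknown state fail closed with `coalesce(configuration -> 'properties' ->> 'ftpsState', 'AllAllowed') = 'AllAllowed'` in both halves of the union, or give it a separate 'info' branch. Both selects use an unqualified `name` while every other column is qualified (`fa.id`, `wa.id`); qualify it as `fa.name` / `wa.name` so the query does not break if `azure_subscription` ever exposes a `name` column. `union` de-duplicates across the two selects, which costs a sort for nothing since function-app and web-app resource ids cannot collide; `union all` is the cheaper equivalent.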
@@ -1,31 +1,13 @@
 ID: azure_cis_v150_9_3
 Title: "9.3 Ensure web app is using the latest version of TLS encryption"
 Description: "The TLS(Transport Layer Security) protocol secures transmission of data over the internet using standard encryption technology. Encryption should be set with the latest version of TLS. App service allows TLS 1.2 by default, which is the recommended TLS level by industry standards, such as PCI DSS."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- app.id as resource,
- case
- when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm'
- else 'ok'
- end as status,
- case
- when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then name || ' not using the latest version of TLS encryption.'
- else name || ' using the latest version of TLS encryption.'
- end as reason
-
-
-
- from
- azure_app_service_web_app as app,
- azure_subscription as sub
- where
- sub.subscription_id = app.subscription_id;
+ QueryToExecute: "select\n app.id as resource,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'minTlsVersion' < '1.2' then name || ' not using the latest version of TLS encryption.'\n else name || ' using the latest version of TLS encryption.'\n end as reason\n \n \n \nfrom\n azure_app_service_web_app as app,\n azure_subscription as sub\nwhere\n sub.subscription_id = app.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v200_1_11.yaml b/compliance/controls/pending/azure/azure_cis_v200_1_11.yaml
index 726e24ef5..f53ff90d1 100755
--- a/compliance/controls/pending/azure/azure_cis_v200_1_11.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v200_1_11.yaml
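Review bot: `minTlsVersion < '1.2'` is a text comparison and is null when the property is absent, so an app whose `configuration` lacks the key is reported as "using the latest version of TLS encryption"; decide explicitly what a missing value means (the description notes App Service defaults to 1.2, but relying on that silently is fragile) and write `coalesce(configuration -> 'properties' ->> 'minTlsVersion', '1.0') < '1.2'` or route null to an 'info' result. Lexicographic ordering happens to work for '1.0'/'1.1'/'1.2'/'1.3' but would misorder a hypothetical '1.10'; comparing `string_to_array(..., '.')::int[]` arrays is the robust form. The unqualified `name` in the reason strings should be `app.name` for consistency with `app.id`.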
@@ -1,8 +1,6 @@ ID: azure_cis_v200_1_11 Title: "1.11 Ensure 'User consent for applications' is set to 'Do not allow user consent'" Description: "Require administrators to provide consent for applications before use." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -15,3 +13,5 @@ Query: Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_2_1_10.yaml b/compliance/controls/pending/azure/azure_cis_v200_2_1_10.yaml index 16ea3708e..b6d92e145 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_2_1_10.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_2_1_10.yaml 
@@ -1,30 +1,13 @@ ID: azure_cis_v200_2_1_10 Title: "2.1.10 Ensure That Microsoft Defender for Key Vault Is Set To 'On'" Description: "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sub_pricing.id as resource, - case - when pricing_tier = 'Standard' then 'ok' - else 'alarm' - end as status, - case - when pricing_tier = 'Standard' then 'Azure Defender on for Key Vaults.' - else 'Azure Defender off for Key Vaults.' - end as reason - - - from - azure_security_center_subscription_pricing sub_pricing - right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id - where - name = 'KeyVaults'; + QueryToExecute: "select\n sub_pricing.id as resource,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Key Vaults.'\n else 'Azure Defender off for Key Vaults.'\n end as reason\n \n \nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'KeyVaults';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_3_13.yaml b/compliance/controls/pending/azure/azure_cis_v200_3_13.yaml index 52feb0443..10e689afd 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_3_13.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_3_13.yaml 
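Review bot: The `right join azure_subscription sub` in the new query is cancelled by `where name = 'KeyVaults'`: a subscription with no Key Vault pricing row has a null `name`, is dropped by the where clause, and therefore produces no finding at all instead of the `'alarm'` the right join was presumably meant to produce. Moving the filter into the join condition keeps those subscriptions, `right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id and sub_pricing.name = 'KeyVaults'`, and then `sub_pricing.id as resource` needs a fallback to a subscription-level key for the unmatched rows. The unqualified `name` would also become ambiguous if azure_subscription exposes a `name` column; qualifying it as `sub_pricing.name` avoids that regardless.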
@@ -1,40 +1,13 @@ ID: azure_cis_v200_3_13 Title: "3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests" Description: "The Storage Blob service provides scalable, cost-efficient object storage in the cloud. Storage Logging happens server-side and allows details for both successful and failed requests to be recorded in the storage account. These logs allow users to see the details of read, write, and delete operations against the blobs. Storage Logging log entries contain the following information about individual requests: timing information such as start time, end-to-end latency, and server latency; authentication details; concurrency information; and the sizes of the request and response messages." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sa.id as resource, - case - when not (sa.blob_service_logging ->> 'Read') :: boolean - or not (sa.blob_service_logging ->> 'Write') :: boolean - or not (sa.blob_service_logging ->> 'Delete') :: boolean then 'alarm' - else 'ok' - end as status, - case - when not (sa.blob_service_logging ->> 'Read') :: boolean - or not (sa.blob_service_logging ->> 'Write') :: boolean - or not (sa.blob_service_logging ->> 'Delete') :: boolean then name || ' blob service logging not enabled for ' || - concat_ws(', ', - case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end, - case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end, - case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end - ) || ' requests.' - else name || ' blob service logging enabled for read, write, delete requests.' 
- end as reason - - - - from - azure_storage_account sa, - azure_subscription sub - where - sub.subscription_id = sa.subscription_id; + QueryToExecute: "select\n sa.id as resource,\n case\n when not (sa.blob_service_logging ->> 'Read') :: boolean\n or not (sa.blob_service_logging ->> 'Write') :: boolean\n or not (sa.blob_service_logging ->> 'Delete') :: boolean then 'alarm'\n else 'ok'\n end as status,\n case\n when not (sa.blob_service_logging ->> 'Read') :: boolean\n or not (sa.blob_service_logging ->> 'Write') :: boolean\n or not (sa.blob_service_logging ->> 'Delete') :: boolean then name || ' blob service logging not enabled for ' ||\n concat_ws(', ',\n case when not (sa.blob_service_logging ->> 'Write') :: boolean then 'write' end,\n case when not (sa.blob_service_logging ->> 'Read') :: boolean then 'read' end,\n case when not (sa.blob_service_logging ->> 'Delete') :: boolean then 'delete' end\n ) || ' requests.'\n else name || ' blob service logging enabled for read, write, delete requests.'\n end as reason\n \n \n \nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_3_7.yaml b/compliance/controls/pending/azure/azure_cis_v200_3_7.yaml index 6908b6196..5fa49f4c7 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_3_7.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_3_7.yaml 
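Review bot: The blob-logging check fails open when `sa.blob_service_logging` is null or lacks one of the keys: `not (null)::boolean` is null, the `or` chain stays null, and the case falls to `else 'ok'`, so a storage account with logging never configured is reported as compliant. Prefixing the condition with the null case, `when sa.blob_service_logging is null or not (sa.blob_service_logging ->> 'Read') :: boolean`, makes both case expressions fail closed; the reason branch then needs a matching message for the unconfigured case. The hunk starts on the previous line.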
@@ -1,31 +1,13 @@ ID: azure_cis_v200_3_7 Title: "3.7 Ensure that 'Public access level' is disabled for storage accounts with blob containers" Description: "Disallowing public access for a storage account overrides the public access settings for individual containers in that storage account." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - container.id as resource, - case - when not account.allow_blob_public_access and container.public_access = 'None' then 'ok' - else 'alarm' - end as status, - case - when not account.allow_blob_public_access and container.public_access = 'None' - then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.' - else account.name || ' container ' || container.name || ' allows anonymous access.' - end as reason - - - - from - azure_storage_container container - join azure_storage_account account on container.account_name = account.name - join azure_subscription sub on sub.subscription_id = account.subscription_id; + QueryToExecute: "select\n container.id as resource,\n case\n when not account.allow_blob_public_access and container.public_access = 'None' then 'ok'\n else 'alarm'\n end as status,\n case\n when not account.allow_blob_public_access and container.public_access = 'None'\n then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'\n else account.name || ' container ' || container.name || ' allows anonymous access.'\n end as reason\n \n \n \nfrom\n azure_storage_container container\n join azure_storage_account account on container.account_name = account.name\n join azure_subscription sub on sub.subscription_id = account.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_1_1.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_1_1.yaml index 2e88dda27..96e8903fc 100755 
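Review bot: The query is stricter than the Description above it: the Description says disallowing public access at the account level overrides the container settings, but the status requires both `not account.allow_blob_public_access and container.public_access = 'None'`, so a container under an account that already disallows public access is reported as `' allows anonymous access.'`. Either the condition should treat `not account.allow_blob_public_access` as sufficient, or the reason text should say the container-level setting is what failed, so the finding is not misleading. Note also that `join azure_subscription sub` silently drops containers whose subscription has no inventory row.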
--- a/compliance/controls/pending/azure/azure_cis_v200_4_1_1.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_1_1.yaml @@ -1,32 +1,13 @@ ID: azure_cis_v200_4_1_1 Title: "4.1.1 Ensure that 'Auditing' is set to 'On'" Description: "Enable auditing on SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.' - else name || ' auditing enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.'\n else name || ' auditing enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_1_3.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_1_3.yaml index 2b547b2a1..7efc204d3 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_1_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_1_3.yaml 
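Review bot: Cross-joining `jsonb_array_elements(server_audit_policy) audit` in the from clause drops every server whose `server_audit_policy` is null or an empty array, so a SQL server with no audit policy at all produces no row and no alarm; the same pattern appears in the azure_cis_v200_4_1_3, 4_1_6, 4_2_1, 4_2_2, 4_2_3, 4_2_4 and 4_2_5 hunks. A `left join lateral jsonb_array_elements(server_audit_policy) audit on true` keeps those servers, and the status can then treat a null policy as `'alarm'`. In the same spirit, `when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm' else 'ok'` maps a missing `state` to `'ok'`; `is distinct from 'Enabled'` would fail closed. The unqualified `name` in the reason branches is ambiguous if azure_subscription also has a `name` column; the sibling controls use `s.name`.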
@@ -1,32 +1,13 @@ ID: azure_cis_v200_4_1_3 Title: "4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key" Description: "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when encryption ->> 'kind' = 'servicemanaged' then 'alarm' - else 'ok' - end as status, - case - when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.' - else s.name || ' TDE protector encrypted with CMK.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(encryption_protector) encryption, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when encryption ->> 'kind' = 'servicemanaged' then 'alarm'\n else 'ok'\n end as status,\n case\n when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.'\n else s.name || ' TDE protector encrypted with CMK.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(encryption_protector) encryption,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_1_5.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_1_5.yaml index e7a534388..9629f0b5d 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_1_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_1_5.yaml 
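Review bot: The CMK check alarms only on the exact string `encryption ->> 'kind' = 'servicemanaged'`, so a null or differently-cased `kind` is reported as `' TDE protector encrypted with CMK.'`. Inverting the test to pass only on an explicit customer-managed kind, and lower-casing the value, makes the control fail closed: `when lower(encryption ->> 'kind') = 'servicemanaged' or encryption ->> 'kind' is null then 'alarm'`.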
@@ -1,32 +1,13 @@ ID: azure_cis_v200_4_1_5 Title: "4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database" Description: "Enable Transparent Data Encryption on every SQL server." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.database_id resource, - case - when transparent_data_encryption ->> 'status' = 'Enabled' or transparent_data_encryption ->> 'state' = 'Enabled' then 'ok' - else 'alarm' - end as status, - case - when transparent_data_encryption ->> 'status' = 'Enabled' or transparent_data_encryption ->> 'state' = 'Enabled' then s.title || ' transparent data encryption enabled.' - else s.title || ' transparent data encryption disabled.' - end as reason - - - - from - azure_sql_database as s, - azure_subscription as sub - where - sub.subscription_id = s.subscription_id - and s.name <> 'master'; + QueryToExecute: "select\n s.database_id resource,\n case\n when transparent_data_encryption ->> 'status' = 'Enabled' or transparent_data_encryption ->> 'state' = 'Enabled' then 'ok'\n else 'alarm'\n end as status,\n case\n when transparent_data_encryption ->> 'status' = 'Enabled' or transparent_data_encryption ->> 'state' = 'Enabled' then s.title || ' transparent data encryption enabled.'\n else s.title || ' transparent data encryption disabled.'\n end as reason\n \n \n \nfrom\n azure_sql_database as s,\n azure_subscription as sub\nwhere\n sub.subscription_id = s.subscription_id\n and s.name <> 'master';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_1_6.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_1_6.yaml index af5624642..e8192d0cb 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_1_6.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_1_6.yaml 
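Review bot: `s.database_id resource` omits the `as` that every sibling control uses (`s.id as resource`); writing `s.database_id as resource` keeps the select list consistent and avoids the implicit-alias form. The status logic itself fails closed (a missing `status`/`state` key lands in `else 'alarm'`), which is the right direction for an encryption control.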
@@ -1,34 +1,13 @@ ID: azure_cis_v200_4_1_6 Title: "4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'" Description: "SQL Server Audit Retention should be configured to be greater than 90 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok' - else 'alarm' - end as status, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.' - else name || ' audit retention less than 90 days.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.'\n else name || ' audit retention less than 90 days.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_2_1.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_2_1.yaml index a4f660d25..340b23551 100755 
--- a/compliance/controls/pending/azure/azure_cis_v200_4_2_1.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_2_1.yaml @@ -1,32 +1,13 @@ ID: azure_cis_v200_4_2_1 Title: "4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers" Description: "Enable \\\"Azure Defender for SQL\\\" on critical SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.' - else s.name || ' Azure defender enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' Azure defender disabled.'\n else s.name || ' Azure defender enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_2_2.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_2_2.yaml index 963296468..443aff527 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_2_2.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_2_2.yaml 
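Review bot: The Description on this hunk's context line escapes the inner quotes as `\\\"`, which in a YAML double-quoted scalar loads as a literal backslash followed by a quote, so the rendered text reads `Enable \"Azure Defender for SQL\" on critical SQL Servers.`; the intended form is `Description: "Enable \"Azure Defender for SQL\" on critical SQL Servers."` (or single quotes around the whole value). The query's `= 'Disabled' then 'alarm' else 'ok'` also treats a missing `state` as compliant, the same fail-open shape noted on the azure_cis_v200_4_1_1 hunk.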
@@ -1,33 +1,13 @@ ID: azure_cis_v200_4_2_2 Title: "4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account" Description: "Enable Vulnerability Assessment (VA) service scans for critical SQL servers and corresponding SQL databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.' - else s.name || ' VA setting enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when security -> 'properties' ->> 'state' = 'Disabled' then s.name || ' VA setting disabled.'\n else s.name || ' VA setting enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_2_3.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_2_3.yaml index d4f964ad6..dc74b7ff6 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_2_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_2_3.yaml 
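Review bot: The control is titled as a check that Vulnerability Assessment is enabled by setting a storage account, but the query never inspects the `assessment` row it cross-joins: status depends only on `security -> 'properties' ->> 'state'`, so a server with the alert policy on and no VA storage container is reported as `' VA setting enabled.'`. The next hunk already reads `assessment -> 'properties' ->> 'storageContainerPath'`; adding `or assessment -> 'properties' ->> 'storageContainerPath' is null` to both case conditions here would make the status match the title. Since the join drops servers with an empty `server_vulnerability_assessment` array, those servers currently produce no finding at all.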
@@ -1,49 +1,13 @@ ID: azure_cis_v200_4_2_3 Title: "4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server" Description: "Enable Vulnerability Assessment (VA) Periodic recurring scans for critical SQL servers and corresponding SQL databases." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false' - ) - then s.name || ' VA setting periodic recurring scans disabled.' - else s.name || ' VA setting periodic recurring scans enabled.' 
- end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'isEnabled' = 'false'\n )\n then s.name || ' VA setting periodic recurring scans disabled.'\n else s.name || ' VA setting periodic recurring scans enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_2_4.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_2_4.yaml index fdb6e46c6..0743c78a7 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_2_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_2_4.yaml 
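Review bot: The alarm branch only fires when `storageContainerPath is not null` and `recurringScans ->> 'isEnabled' = 'false'`, so a server whose VA has no storage container, or whose `isEnabled` key is absent, falls through to `' VA setting periodic recurring scans enabled.'`; the same fail-open shape is in the azure_cis_v200_4_2_4 hunk (`emails = '[]'`) and the azure_cis_v200_4_2_5 hunk (`emailSubscriptionAdmins = 'false'`). Comparing with `is distinct from 'true'` instead of `= 'false'` (and likewise `emails is null or emails = '[]'`) makes a missing or null setting count as not configured. If VA-not-configured is intentionally left to the 4.2.2 control, a comment saying so in the YAML would stop the next reader from re-raising it. The hunk starts on the previous line.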
@@ -1,49 +1,13 @@ ID: azure_cis_v200_4_2_4 Title: "4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server" Description: "Configure 'Send scan reports to' with email ids of concerned data owners/stakeholders for a critical SQL servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]' - ) - then s.name || ' VA scan reports and alerts not configured send email.' - else s.name || ' VA scan reports and alerts configured to send email.' 
- end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emails' = '[]'\n )\n then s.name || ' VA scan reports and alerts not configured send email.'\n else s.name || ' VA scan reports and alerts configured to send email.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_2_5.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_2_5.yaml index 7e8a4c193..77b16640f 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_2_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_2_5.yaml 
@@ -1,49 +1,13 @@ ID: azure_cis_v200_4_2_5 Title: "4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server" Description: "Enable Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners'." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - then 'alarm' - else 'ok' - end as status, - case - when - security -> 'properties' ->> 'state' = 'Disabled' - or - ( - security -> 'properties' ->> 'state' = 'Enabled' - and assessment -> 'properties' ->> 'storageContainerPath' is not null - and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false' - ) - then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.' - else s.name || ' VA setting configured to send email notifications to subscription admins and owners.' 
- end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_security_alert_policy) security, - jsonb_array_elements(server_vulnerability_assessment) assessment, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then 'alarm'\n else 'ok'\n end as status,\n case\n when\n security -> 'properties' ->> 'state' = 'Disabled'\n or\n (\n security -> 'properties' ->> 'state' = 'Enabled'\n and assessment -> 'properties' ->> 'storageContainerPath' is not null\n and assessment -> 'properties' -> 'recurringScans' ->> 'emailSubscriptionAdmins' = 'false'\n )\n then s.name || ' VA setting not configured to send email notifications to subscription admins and owners.'\n else s.name || ' VA setting configured to send email notifications to subscription admins and owners.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_security_alert_policy) security,\n jsonb_array_elements(server_vulnerability_assessment) assessment,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_3_2.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_3_2.yaml index 559642097..533b1c0dd 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_3_2.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_3_2.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v200_4_3_2 Title: "4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_checkpoints on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.' - else s.name || ' server parameter log_checkpoints on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_checkpoints' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.'\n else s.name || ' server parameter log_checkpoints on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_checkpoints'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_3_3.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_3_3.yaml index ed7c6a7d3..802f53873 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_3_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_3_3.yaml 
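Review bot: `lower(config -> 'ConfigurationProperties' ->> 'value') != 'on'` is null when the value is missing, so the case falls to `else 'ok'` and a server whose log_checkpoints parameter has no value is reported as on; `is distinct from 'on'` in both case expressions fails closed. The same pattern is in the azure_cis_v200_4_3_3, 4_3_4 and 4_4_3 hunks, and the azure_cis_v200_4_3_6 hunk has the numeric form of it (`::integer <= 3` on a null value is null, and the cast errors on a non-numeric value). Because the where clause requires `config ->> 'Name' = 'log_checkpoints'`, a server whose configuration list does not contain the parameter at all produces no row and no finding; that gap applies to all five hunks.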
@@ -1,33 +1,13 @@ ID: azure_cis_v200_4_3_3 Title: "4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_connections on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.' - else s.name || ' server parameter log_connections on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_connections' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.'\n else s.name || ' server parameter log_connections on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_connections'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_3_4.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_3_4.yaml index 463a66855..026c42915 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_3_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_3_4.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v200_4_3_4 Title: "4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_disconnections on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.' - else name || ' server parameter log_disconnections on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_disconnections' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.'\n else name || ' server parameter log_disconnections on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_disconnections'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_3_6.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_3_6.yaml index dc2ba3406..110d8dfb1 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_3_6.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_3_6.yaml 
@@ -1,33 +1,13 @@ ID: azure_cis_v200_4_3_6 Title: "4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server" Description: "Ensure log_retention_days on PostgreSQL Servers is set to an appropriate value." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm' - else 'ok' - end as status, - case - when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.' - else s.name || ' log files are retained for more than 3 days.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) as config, - azure_subscription sub - where - config ->> 'Name' = 'log_retention_days' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'\n else 'ok'\n end as status,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.'\n else s.name || ' log files are retained for more than 3 days.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) as config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_retention_days'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_4_3.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_4_3.yaml index ae8409cb1..28836cb26 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_4_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_4_3.yaml 
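Review bot: `(config -> 'ConfigurationProperties' ->> 'value')::integer <= 3` has two unhandled edges in the new query: a NULL value makes the comparison NULL and the server is reported as retaining logs for more than 3 days, and a non-numeric value (an empty string, for instance) makes the cast raise and abort the whole control run instead of flagging one server. A guard such as `when (config -> 'ConfigurationProperties' ->> 'value') !~ '^\d+$' or (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'` keeps absent, empty and malformed values on the alarm side and only casts when the text is numeric. The block scalar was also collapsed into a `\n`-escaped double-quoted string, which is harder to review than the original `|` form.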
@@ -1,33 +1,13 @@ ID: azure_cis_v200_4_4_3 Title: "4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server" Description: "Enable audit_log_enabled on MySQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter audit_log_enabled off.' - else s.name || ' server parameter audit_log_enabled on.' - end as reason - - - - from - azure_mysql_server as s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'audit_log_enabled' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter audit_log_enabled off.'\n else s.name || ' server parameter audit_log_enabled on.'\n end as reason\n \n \n \nfrom\n azure_mysql_server as s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'audit_log_enabled'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_4_4_4.yaml b/compliance/controls/pending/azure/azure_cis_v200_4_4_4.yaml index 79b9842a2..922041b31 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_4_4_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_4_4_4.yaml 
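Review bot: A server whose `server_configurations` array has no `audit_log_enabled` element produces no row at all, because `config ->> 'Name' = 'audit_log_enabled'` filters the unnested elements and nothing joins back to the server; such a server is neither 'ok' nor 'alarm', it is simply absent from the results. If the intent is to fail closed, unnest with an outer join and treat the missing element as alarm, e.g. `left join lateral jsonb_array_elements(s.server_configurations) config on config ->> 'Name' = 'audit_log_enabled'` together with `when config is null or lower(config -> 'ConfigurationProperties' ->> 'value') is distinct from 'on' then 'alarm'`. Whether the collector can actually return a server without that element is not visible here and worth confirming before changing the shape of the result.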
@@ -1,33 +1,13 @@ ID: azure_cis_v200_4_4_4 Title: "4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server" Description: "Set audit_log_enabled to include CONNECTION on MySQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then 'ok' - else 'alarm' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then s.name || ' server parameter audit_log_events has connection set.' - else s.name || ' server parameter audit_log_events connection not set.' - end as reason - - - - from - azure_mysql_server as s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'audit_log_events' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then 'ok'\n else 'alarm'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then s.name || ' server parameter audit_log_events has connection set.'\n else s.name || ' server parameter audit_log_events connection not set.'\n end as reason\n \n \n \nfrom\n azure_mysql_server as s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'audit_log_events'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_5_1_4.yaml b/compliance/controls/pending/azure/azure_cis_v200_5_1_4.yaml index 00f09f0c5..e7615acae 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_5_1_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_5_1_4.yaml 
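Review bot: `lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection'` only passes when CONNECTION is the sole audit event; `audit_log_events` on Azure MySQL accepts a comma-separated list (confirm the exact format, including spaces, against a collected row), so a server set to e.g. `CONNECTION,DDL,DML` is reported 'alarm' with the reason 'connection not set', the opposite of what the title ("has 'CONNECTION' set") asks for. Test membership instead in both CASE expressions, e.g. `when 'connection' = any(string_to_array(lower(config -> 'ConfigurationProperties' ->> 'value'), ',')) then 'ok'`. The Description also says "Set audit_log_enabled to include CONNECTION" although the parameter checked is audit_log_events; worth correcting when this file leaves pending.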
@@ -1,35 +1,13 @@ ID: azure_cis_v200_5_1_4 Title: "5.1.4 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key" Description: "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK)." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - case - when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok' - else 'alarm' - end as status, - case - when a.encryption_key_source = 'Microsoft.Keyvault' - then a.name || ' container insights-activity-logs encrypted with BYOK.' - else a.name || ' container insights-activity-logs not encrypted with BYOK.' - end as reason - - - - from - azure_storage_container c, - azure_storage_account a, - azure_subscription sub - where - c.name = 'insights-activity-logs' - and c.account_name = a.name - and sub.subscription_id = a.subscription_id; + QueryToExecute: "select\n a.id as resource,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault'\n then a.name || ' container insights-activity-logs encrypted with BYOK.'\n else a.name || ' container insights-activity-logs not encrypted with BYOK.'\n end as reason\n \n \n \nfrom\n azure_storage_container c,\n azure_storage_account a,\n azure_subscription sub\nwhere\n c.name = 'insights-activity-logs'\n and c.account_name = a.name\n and sub.subscription_id = a.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_6_5.yaml b/compliance/controls/pending/azure/azure_cis_v200_6_5.yaml index dbbe2df13..10995ec33 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_6_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_6_5.yaml 
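Review bot: The query only evaluates storage accounts that currently hold a container literally named `insights-activity-logs` (`c.name = 'insights-activity-logs'`), so an activity-log export configured to a differently named container, or a subscription with no such container, yields no row and is silently unevaluated rather than 'info' or 'alarm'. If that scope is intended, a comment in the YAML above the query (`# Only accounts that hold the default activity-log container are checked`) would save the next reader a trip to the benchmark text. The Title and Description speak of Customer Managed Keys while the reason strings say BYOK; aligning them (`' container insights-activity-logs encrypted with CMK.'`) keeps findings consistent with the control name. Restoring the `|` block scalar instead of the `\n`-escaped string would also keep future diffs of the SQL readable.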
@@ -1,33 +1,13 @@ ID: azure_cis_v200_6_5 Title: "6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'" Description: "Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sg.id resource, - case - when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm' - else 'ok' - end as status, - case - when fl.id is null or not fl.enabled - then sg.name || ' flowlog not enabled.' - when fl.retention_policy_days < 90 - then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.' - else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.' - end as reason - - - - from - azure_network_security_group sg - left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id - join azure_subscription sub on sub.subscription_id = sg.subscription_id; + QueryToExecute: "select\n sg.id resource,\n case\n when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'\n else 'ok'\n end as status,\n case\n when fl.id is null or not fl.enabled\n then sg.name || ' flowlog not enabled.'\n when fl.retention_policy_days < 90\n then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'\n else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'\n end as reason\n \n \n \nfrom\n azure_network_security_group sg\n left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id\n join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
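Review bot: When a flow log exists and is enabled but `fl.retention_policy_days` is NULL, `fl.retention_policy_days < 90` is NULL, the status CASE falls through to 'ok', and the reason concatenation `|| fl.retention_policy_days || ' days.'` yields a NULL reason, so an unconfigured retention policy passes with no explanation. Use `coalesce(fl.retention_policy_days, 0) < 90` in both CASE expressions, or add an explicit `when fl.retention_policy_days is null then 'alarm'` branch. Note also that Azure documents a flow-log retention of 0 as "retain indefinitely" (the sibling SQL-audit control 4.1.6 in this same change treats `retentionDays = 0` as unlimited and 'ok'), so alarming on 0 here may be a false positive worth confirming against the benchmark text.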
diff --git a/compliance/controls/pending/azure/azure_cis_v200_6_6.yaml b/compliance/controls/pending/azure/azure_cis_v200_6_6.yaml index 03747a9ec..291dedf8d 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_6_6.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_6_6.yaml @@ -1,31 +1,13 @@ ID: azure_cis_v200_6_6 Title: "6.6 Ensure that Network Watcher is 'Enabled'" Description: "Enable Network Watcher for Azure subscriptions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - loc.id resource, - case - when watcher.id is null then 'alarm' - else 'ok' - end as status, - case - when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.' - else 'Network watcher enabled in ' || loc.name || '.' - end as reason, - loc.name - - - - from - azure_location loc - left join azure_network_watcher watcher on watcher.region = loc.name - join azure_subscription sub on sub.subscription_id = loc.subscription_id; + QueryToExecute: "select\n loc.id resource,\n case\n when watcher.id is null then 'alarm'\n else 'ok'\n end as status,\n case\n when watcher.id is null then 'Network watcher not enabled in ' || loc.name || '.'\n else 'Network watcher enabled in ' || loc.name || '.'\n end as reason,\n loc.name\n \n \n \nfrom\n azure_location loc\n left join azure_network_watcher watcher on watcher.region = loc.name\n join azure_subscription sub on sub.subscription_id = loc.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_8_7.yaml b/compliance/controls/pending/azure/azure_cis_v200_8_7.yaml index 604d333e0..53d1aa02b 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_8_7.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_8_7.yaml 
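Review bot: `left join azure_network_watcher watcher on watcher.region = loc.name` matches on region only, so in a tenant with several subscriptions a watcher in any one of them satisfies every subscription's location of that name and the control reports 'ok' for subscriptions that have no watcher there. Scope the join to the location's subscription: `left join azure_network_watcher watcher on watcher.region = loc.name and watcher.subscription_id = loc.subscription_id` (the watcher table presumably exposes subscription_id like the others used here; verify). The extra `loc.name` output column after the reason is harmless but departs from the resource/status/reason shape the other controls emit.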
@@ -1,37 +1,13 @@ ID: azure_cis_v200_8_7 Title: "8.7 Ensure that Private Endpoints are Used for Azure Key Vault" Description: "Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - a.id as resource, - case - -- Having private_endpoint_connections will not permit vault to use the same. - -- In case'defaultAction' = 'Allow', All Network including internet is allowed, which will not satisfy the private endpoint connection. - -- Default All network will have not network_acls associated. - when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then 'alarm' - when private_endpoint_connections is null then 'info' - when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' then 'ok' - else 'alarm' - end as status, - case - when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.' - when private_endpoint_connections is null then a.name || ' no private link exists.' - when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' - then a.name || ' using private link.' - else a.name || ' private link not enabled.' 
- end as reason - - - - from - azure_key_vault a, - azure_subscription sub; + QueryToExecute: "select\n a.id as resource,\n case\n -- Having private_endpoint_connections will not permit vault to use the same.\n -- In case'defaultAction' = 'Allow', All Network including internet is allowed, which will not satisfy the private endpoint connection.\n -- Default All network will have not network_acls associated.\n when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then 'alarm'\n when private_endpoint_connections is null then 'info'\n when private_endpoint_connections @> '[{\"PrivateLinkServiceConnectionStateStatus\": \"Approved\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.'\n when private_endpoint_connections is null then a.name || ' no private link exists.'\n when private_endpoint_connections @> '[{\"PrivateLinkServiceConnectionStateStatus\": \"Approved\"}]'\n then a.name || ' using private link.'\n else a.name || ' private link not enabled.'\n end as reason\n \n \n \nfrom\n azure_key_vault a,\n azure_subscription sub;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v200_9_10.yaml b/compliance/controls/pending/azure/azure_cis_v200_9_10.yaml index 72848f58a..05354f05c 100755 --- a/compliance/controls/pending/azure/azure_cis_v200_9_10.yaml +++ b/compliance/controls/pending/azure/azure_cis_v200_9_10.yaml 
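Review bot: `from azure_key_vault a, azure_subscription sub;` carries no join predicate, so this is a cross join: every vault row is repeated once per subscription in the inventory, and the `sub` alias is never referenced. Either drop the subscription table or join it the way the sibling controls do: `from azure_key_vault a join azure_subscription sub on sub.subscription_id = a.subscription_id;`. The containment test `private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]'` also depends on that exact key spelling in the collected JSON; a mismatch would silently report every vault as 'private link not enabled', so it is worth checking against a real row.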
@@ -1,50 +1,13 @@ ID: azure_cis_v200_9_10 Title: "9.10 Ensure FTP deployments are Disabled" Description: "By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - fa.id as resource, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.' - else name || ' FTP deployments disabled.' - end as reason - - - - from - azure_app_service_function_app fa, - azure_subscription sub - where - sub.subscription_id = fa.subscription_id - union - select - wa.id as resource, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm' - else 'ok' - end as status, - case - when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.' - else name || ' FTP deployments disabled.' 
- end as reason - - - - from - azure_app_service_web_app as wa, - azure_subscription as sub - where - sub.subscription_id = wa.subscription_id; + QueryToExecute: "select\n fa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_function_app fa,\n azure_subscription sub\n where\n sub.subscription_id = fa.subscription_id\nunion\n select\n wa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_web_app as wa,\n azure_subscription as sub\n where\n sub.subscription_id = wa.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v210_1_3.yaml b/compliance/controls/pending/azure/azure_cis_v210_1_3.yaml index 9bc1926d8..7c1ab52b6 100755 --- a/compliance/controls/pending/azure/azure_cis_v210_1_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v210_1_3.yaml @@ -1,8 +1,6 @@ ID: azure_cis_v210_1_3 Title: "1.3 Ensure that 'Restrict non-admin users from creating tenants' is set to 'Yes'" Description: "Require administrators or appropriately delegated users to create new tenants." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 QueryToExecute: | @@ -15,3 +13,5 @@ Query: Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription 
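Review bot: Both halves of the union reduce the check to `configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed'`, so an app whose site configuration has no ftpsState (NULL) evaluates to NULL, falls to the else branch and is reported 'FTP deployments disabled' — a fail-open default for a setting whose platform default, per the Description, allows FTP. Compare positively in both branches instead, e.g. `when configuration -> 'properties' ->> 'ftpsState' in ('FtpsOnly', 'Disabled') then 'ok' else 'alarm'`, assuming those are the values the collector stores. Both branches also use a bare `name` next to `azure_subscription`; `fa.name` and `wa.name` avoid any ambiguity and match how `id` is already qualified.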
diff --git a/compliance/controls/pending/azure/azure_cis_v210_2_1_9.yaml b/compliance/controls/pending/azure/azure_cis_v210_2_1_9.yaml index 2854ac8b5..f3b0efbca 100755 --- a/compliance/controls/pending/azure/azure_cis_v210_2_1_9.yaml +++ b/compliance/controls/pending/azure/azure_cis_v210_2_1_9.yaml @@ -1,30 +1,13 @@ ID: azure_cis_v210_2_1_9 Title: "2.1.9 Ensure That Microsoft Defender for Key Vault Is Set To 'On'" Description: "Turning on Microsoft Defender for Key Vault enables threat detection for Key Vault, providing threat intelligence, anomaly detection, and behavior analytics in the Microsoft Defender for Cloud." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - sub_pricing.id as resource, - case - when pricing_tier = 'Standard' then 'ok' - else 'alarm' - end as status, - case - when pricing_tier = 'Standard' then 'Azure Defender on for Key Vaults.' - else 'Azure Defender off for Key Vaults.' - end as reason - - - from - azure_security_center_subscription_pricing sub_pricing - right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id - where - name = 'KeyVaults'; + QueryToExecute: "select\n sub_pricing.id as resource,\n case\n when pricing_tier = 'Standard' then 'ok'\n else 'alarm'\n end as status,\n case\n when pricing_tier = 'Standard' then 'Azure Defender on for Key Vaults.'\n else 'Azure Defender off for Key Vaults.'\n end as reason\n \n \nfrom\n azure_security_center_subscription_pricing sub_pricing\n right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id\nwhere\n name = 'KeyVaults';\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v210_3_17.yaml b/compliance/controls/pending/azure/azure_cis_v210_3_17.yaml index 27e1b3b7b..870bf8e2a 100755 --- a/compliance/controls/pending/azure/azure_cis_v210_3_17.yaml 
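Review bot: The `right join azure_subscription sub` is evidently meant to keep subscriptions with no KeyVaults pricing row, but the trailing `where name = 'KeyVaults'` runs after the join and drops exactly those rows (their `name` is NULL), so a subscription that never had the plan configured is silently unevaluated rather than reported 'alarm', and `sub_pricing.id as resource` would be NULL for it anyway. Move the predicate into the join and fall back to the subscription as the resource: `right join azure_subscription sub on sub_pricing.subscription_id = sub.subscription_id and sub_pricing.name = 'KeyVaults'` with `coalesce(sub_pricing.id, sub.id) as resource` (assuming azure_subscription exposes an id column). Qualifying `name` as `sub_pricing.name` also removes any ambiguity with a same-named column on the subscription table.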
+++ b/compliance/controls/pending/azure/azure_cis_v210_3_17.yaml 
@@ -1,31 +1,13 @@ ID: azure_cis_v210_3_17 Title: "3.17 Ensure that `Allow Blob Anonymous Access` is set to `Disabled`" Description: "The Azure Storage setting 'Allow Blob Anonymous Access' (aka 'allowBlobPublicAccess') controls whether anonymous access is allowed for blob data in a storage account. When this property is set to True, it enables public read access to blob data, which can be convenient for sharing data but may carry security risks. When set to False, it disallows public access to blob data, providing a more secure storage environment." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - container.id as resource, - case - when not account.allow_blob_public_access and container.public_access = 'None' then 'ok' - else 'alarm' - end as status, - case - when not account.allow_blob_public_access and container.public_access = 'None' - then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.' - else account.name || ' container ' || container.name || ' allows anonymous access.' 
- end as reason - - - - from - azure_storage_container container - join azure_storage_account account on container.account_name = account.name - join azure_subscription sub on sub.subscription_id = account.subscription_id; + QueryToExecute: "select\n container.id as resource,\n case\n when not account.allow_blob_public_access and container.public_access = 'None' then 'ok'\n else 'alarm'\n end as status,\n case\n when not account.allow_blob_public_access and container.public_access = 'None'\n then account.name || ' container ' || container.name || ' doesn''t allow anonymous access.'\n else account.name || ' container ' || container.name || ' allows anonymous access.'\n end as reason\n \n \n \nfrom\n azure_storage_container container\n join azure_storage_account account on container.account_name = account.name\n join azure_subscription sub on sub.subscription_id = account.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_1_1.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_1_1.yaml index d58664316..fa5320f12 100755 --- a/compliance/controls/pending/azure/azure_cis_v210_4_1_1.yaml +++ b/compliance/controls/pending/azure/azure_cis_v210_4_1_1.yaml 
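Review bot: The control is about the account-level `allowBlobPublicAccess` setting, but the query joins through `azure_storage_container` and emits one row per container, so a storage account with anonymous access enabled and no containers yet produces no row and is never flagged, while an account with many containers is flagged once per container. Consider making the account the primary resource (`select account.id as resource ... from azure_storage_account account join azure_subscription sub on sub.subscription_id = account.subscription_id`) and leaving the per-container `public_access = 'None'` check to a separate finding, or at least left-joining containers so empty accounts still appear. The NULL handling here is already fail-closed (`not NULL` falls to 'alarm'), which is the right default for this setting.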
@@ -1,32 +1,13 @@ ID: azure_cis_v210_4_1_1 Title: "4.1.1 Ensure that 'Auditing' is set to 'On'" Description: "Enable auditing on SQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm' - else 'ok' - end as status, - case - when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.' - else name || ' auditing enabled.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then 'alarm'\n else 'ok'\n end as status,\n case\n when audit -> 'properties' ->> 'state' = 'Disabled' then name || ' auditing disabled.'\n else name || ' auditing enabled.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_1_3.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_1_3.yaml index 6c99a95bb..336e0ea77 100755 --- a/compliance/controls/pending/azure/azure_cis_v210_4_1_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v210_4_1_3.yaml 
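Review bot: `audit -> 'properties' ->> 'state' = 'Disabled'` is the only alarm condition, so an audit policy element with no state (NULL) or any unexpected value is reported as 'auditing enabled', and a server whose `server_audit_policy` is NULL or empty yields no rows from `jsonb_array_elements` and is not evaluated at all. Invert the test so only an explicit 'Enabled' passes, `when audit -> 'properties' ->> 'state' = 'Enabled' then 'ok' else 'alarm'`, and consider `left join lateral jsonb_array_elements(s.server_audit_policy) audit on true` so servers without a policy are still emitted as alarm. As in the sibling controls, `name` should be qualified as `s.name` given the three-table FROM list.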
@@ -1,32 +1,13 @@ ID: azure_cis_v210_4_1_3 Title: "4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key" Description: "Transparent Data Encryption (TDE) with Customer-managed key support provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when encryption ->> 'kind' = 'servicemanaged' then 'alarm' - else 'ok' - end as status, - case - when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.' - else s.name || ' TDE protector encrypted with CMK.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(encryption_protector) encryption, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when encryption ->> 'kind' = 'servicemanaged' then 'alarm'\n else 'ok'\n end as status,\n case\n when encryption ->> 'kind' = 'servicemanaged' then s.name || ' TDE protector not encrypted with CMK.'\n else s.name || ' TDE protector encrypted with CMK.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(encryption_protector) encryption,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_1_6.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_1_6.yaml index 9a460a9d6..ca4fcb7cd 100755 --- a/compliance/controls/pending/azure/azure_cis_v210_4_1_6.yaml +++ b/compliance/controls/pending/azure/azure_cis_v210_4_1_6.yaml 
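Review bot: `encryption ->> 'kind' = 'servicemanaged'` is a single alarm value, so a NULL or differently cased kind (the exact casing the collector stores is not visible here — confirm it) falls through to 'TDE protector encrypted with CMK', a fail-open outcome for a customer-managed-key control. A positive match is safer, e.g. `when lower(encryption ->> 'kind') = 'azurekeyvault' then 'ok' else 'alarm'`, provided that is the value recorded for customer-managed protectors. Servers with a NULL `encryption_protector` array also produce no rows from `jsonb_array_elements` and are silently skipped rather than reported.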
@@ -1,34 +1,13 @@ ID: azure_cis_v210_4_1_6 Title: "4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days'" Description: "SQL Server Audit Retention should be configured to be greater than 90 days." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok' - else 'alarm' - end as status, - case - when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.' - when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.' - else name || ' audit retention less than 90 days.' - end as reason - - - - from - azure_sql_server s, - jsonb_array_elements(server_audit_policy) audit, - azure_subscription sub - where - sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then 'ok'\n else 'alarm'\n end as status,\n case\n when (audit -> 'properties' ->> 'retentionDays')::integer = 0 then name || ' audit retention set to unlimited days.'\n when (audit -> 'properties' ->> 'retentionDays')::integer >= 90 then name || ' audit retention greater than 90 days.'\n else name || ' audit retention less than 90 days.'\n end as reason\n \n \n \nfrom\n azure_sql_server s,\n jsonb_array_elements(server_audit_policy) audit,\n azure_subscription sub\nwhere\n sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_3_2.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_3_2.yaml index bc717e7e4..d0f773eb2 100755 
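Review bot: `retentionDays = 0` is treated as unlimited and 'ok' without checking that auditing is on; from what I recall of the API shape a disabled audit policy carries `retentionDays: 0` (verify), in which case a server with auditing off passes this retention control with the reason 'audit retention set to unlimited days.'. Gate both passing branches on the state, e.g. `when audit -> 'properties' ->> 'state' = 'Enabled' and (audit -> 'properties' ->> 'retentionDays')::integer = 0 then 'ok'`, and likewise for the `>= 90` branch. A NULL retentionDays makes both comparisons NULL and falls to 'alarm', which is fine, but a non-numeric string would abort the whole query at the `::integer` cast.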
--- a/compliance/controls/pending/azure/azure_cis_v210_4_3_2.yaml +++ b/compliance/controls/pending/azure/azure_cis_v210_4_3_2.yaml @@ -1,33 +1,13 @@ ID: azure_cis_v210_4_3_2 Title: "4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_checkpoints on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.' - else s.name || ' server parameter log_checkpoints on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_checkpoints' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_checkpoints off.'\n else s.name || ' server parameter log_checkpoints on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_checkpoints'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_3_3.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_3_3.yaml index bc39911ff..8b9af337a 100755 --- a/compliance/controls/pending/azure/azure_cis_v210_4_3_3.yaml +++ b/compliance/controls/pending/azure/azure_cis_v210_4_3_3.yaml 
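Review bot: The rewritten control leaves `PrimaryTable: ""` and `ListOfTables: []` empty even though the query reads `azure_postgresql_server` and `azure_subscription`; if tooling uses those fields to resolve which tables a control depends on, it will find nothing here. Fill them in before this leaves pending, e.g. `PrimaryTable: azure_postgresql_server` and a block-style `ListOfTables:` listing both tables. The SQL was also folded from a `|` block scalar into one `\n`-escaped double-quoted string, which preserves the three whitespace-only lines (`\n \n \n`) and makes the query much harder to diff; the block scalar parses to the same value and reads as SQL.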
@@ -1,33 +1,13 @@ ID: azure_cis_v210_4_3_3 Title: "4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_connections on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.' - else s.name || ' server parameter log_connections on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_connections' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter log_connections off.'\n else s.name || ' server parameter log_connections on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_connections'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_3_4.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_3_4.yaml index 5de625628..d92a95c7c 100755 --- a/compliance/controls/pending/azure/azure_cis_v210_4_3_4.yaml +++ b/compliance/controls/pending/azure/azure_cis_v210_4_3_4.yaml 
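Review bot: As in the v2.0.0 copy of this control, `lower(config -> 'ConfigurationProperties' ->> 'value') != 'on'` is NULL when the value is missing, so the server is reported with log_connections 'on'; `is distinct from 'on'` in both CASE expressions fails closed. The query is byte-identical to the v2.0.0 one, so whichever fix lands should be applied to both or the shared query factored out. Note too that the query only reads `azure_postgresql_server`, which presumably covers Single Server; if Flexible Server instances are held in a separate table they are not evaluated here — worth confirming.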
@@ -1,33 +1,13 @@ ID: azure_cis_v210_4_3_4 Title: "4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server" Description: "Enable log_disconnections on PostgreSQL Servers." -Connector: -- azure Query: Engine: CloudQL-v0.0.1 - QueryToExecute: | - select - s.id as resource, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm' - else 'ok' - end as status, - case - when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.' - else name || ' server parameter log_disconnections on.' - end as reason - - - - from - azure_postgresql_server s, - jsonb_array_elements(server_configurations) config, - azure_subscription sub - where - config ->> 'Name' = 'log_disconnections' - and sub.subscription_id = s.subscription_id; + QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_disconnections off.'\n else name || ' server parameter log_disconnections on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_disconnections'\n and sub.subscription_id = s.subscription_id;\n" PrimaryTable: "" ListOfTables: [] Parameters: [] Severity: low Tags: {} +IntegrationTypeName: + - azure_subscription diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_3_5.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_3_5.yaml index cf41cb587..fce95596f 100755 --- a/compliance/controls/pending/azure/azure_cis_v210_4_3_5.yaml +++ b/compliance/controls/pending/azure/azure_cis_v210_4_3_5.yaml 
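Review bot: Both reason branches reference an unqualified `name` (`name || ' server parameter log_disconnections off.'`) although the FROM list holds `azure_postgresql_server s` and `azure_subscription sub`; should the subscription table also carry a `name` column this raises an ambiguous-column error, and the sibling controls in this change consistently write `s.name`. Change both to `s.name`. The `!= 'on'` test also lets a NULL value through as 'on' since the comparison yields NULL; `is distinct from 'on'` closes that.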
@@ -1,33 +1,13 @@
 ID: azure_cis_v210_4_3_5
 Title: "4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server"
 Description: "Enable connection_throttling on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'
- else 'ok'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.'
- else s.name || ' server parameter connection_throttling on.'
- end as reason
- 
- 
- 
- from
- azure_postgresql_server s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'connection_throttling'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter connection_throttling off.'\n else s.name || ' server parameter connection_throttling on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'connection_throttling'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_3_6.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_3_6.yaml
index 0779628da..d8fffc637 100755
--- a/compliance/controls/pending/azure/azure_cis_v210_4_3_6.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v210_4_3_6.yaml
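Review bot: As with the other parameter checks in this diff, `lower(config -> 'ConfigurationProperties' ->> 'value') != 'on'` yields NULL for a missing value and the CASE then lands on `else 'ok'`, so an unreadable `connection_throttling` setting is reported compliant. Replace the comparison with `is distinct from 'on'` in both CASE expressions so the missing-value path alarms instead of passing. Servers with no `connection_throttling` element in `server_configurations` emit no row and therefore no finding; that gap is worth closing too, since this is a brute-force protection control.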
@@ -1,33 +1,13 @@
 ID: azure_cis_v210_4_3_6
 Title: "4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server"
 Description: "Ensure log_retention_days on PostgreSQL Servers is set to an appropriate value."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'
- else 'ok'
- end as status,
- case
- when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.'
- else s.name || ' log files are retained for more than 3 days.'
- end as reason
- 
- 
- 
- from
- azure_postgresql_server s,
- jsonb_array_elements(server_configurations) as config,
- azure_subscription sub
- where
- config ->> 'Name' = 'log_retention_days'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then 'alarm'\n else 'ok'\n end as status,\n case\n when (config -> 'ConfigurationProperties' ->> 'value')::integer <= 3 then s.name || ' log files are retained for 3 days or lesser.'\n else s.name || ' log files are retained for more than 3 days.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) as config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_retention_days'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_4_3.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_4_3.yaml
index 6b8a28f7a..7aeea2d23 100755
--- a/compliance/controls/pending/azure/azure_cis_v210_4_4_3.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v210_4_4_3.yaml
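Review bot: `(config -> 'ConfigurationProperties' ->> 'value')::integer` aborts the whole query with a cast error if the stored value is ever non-numeric, and when the value is absent the cast yields NULL, `NULL <= 3` is NULL, and the CASE falls to `else 'ok'` — an unreadable retention setting passes. Guard the cast and fail closed: `when coalesce((config -> 'ConfigurationProperties' ->> 'value')::integer, 0) <= 3 then 'alarm'` (same in the reason branch), or use a regex pre-check if the column can hold non-digits. The unchanged Description ("set to an appropriate value") does not state the threshold the query enforces; `Description: "Ensure log_retention_days on PostgreSQL Servers is greater than 3 days."` would make the finding self-explanatory.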
@@ -1,33 +1,13 @@
 ID: azure_cis_v210_4_4_3
 Title: "4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server"
 Description: "Enable audit_log_enabled on MySQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'
- else 'ok'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter audit_log_enabled off.'
- else s.name || ' server parameter audit_log_enabled on.'
- end as reason
- 
- 
- 
- from
- azure_mysql_server as s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'audit_log_enabled'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then s.name || ' server parameter audit_log_enabled off.'\n else s.name || ' server parameter audit_log_enabled on.'\n end as reason\n \n \n \nfrom\n azure_mysql_server as s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'audit_log_enabled'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v210_4_4_4.yaml b/compliance/controls/pending/azure/azure_cis_v210_4_4_4.yaml
index 6238a2fd8..fbb7391d2 100755
--- a/compliance/controls/pending/azure/azure_cis_v210_4_4_4.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v210_4_4_4.yaml
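Review bot: The status test `lower(config -> 'ConfigurationProperties' ->> 'value') != 'on'` is NULL when the value is missing and the CASE then resolves to `else 'ok'`, so a MySQL server whose audit-log flag could not be read is reported as audited. Use `is distinct from 'on'` in both CASE expressions so the missing value alarms. This is an audit-logging control, so a silent pass here also hides the loss of the evidence trail that later forensic work depends on.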
@@ -1,33 +1,13 @@
 ID: azure_cis_v210_4_4_4
 Title: "4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server"
 Description: "Set audit_log_enabled to include CONNECTION on MySQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then 'ok'
- else 'alarm'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then s.name || ' server parameter audit_log_events has connection set.'
- else s.name || ' server parameter audit_log_events connection not set.'
- end as reason
- 
- 
- 
- from
- azure_mysql_server as s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'audit_log_events'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then 'ok'\n else 'alarm'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection' then s.name || ' server parameter audit_log_events has connection set.'\n else s.name || ' server parameter audit_log_events connection not set.'\n end as reason\n \n \n \nfrom\n azure_mysql_server as s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'audit_log_events'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v210_6_5.yaml b/compliance/controls/pending/azure/azure_cis_v210_6_5.yaml
index 7d4c9bbda..16e1dc3d8 100755
--- a/compliance/controls/pending/azure/azure_cis_v210_6_5.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v210_6_5.yaml
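Review bot: `lower(config -> 'ConfigurationProperties' ->> 'value') = 'connection'` only passes when CONNECTION is the sole audited event, but the control's own Description says the list must *include* CONNECTION and the MySQL `audit_log_events` parameter is a comma-separated set, so a server auditing `CONNECTION,GENERAL` is flagged non-compliant. Test for membership instead: `when 'connection' = any(string_to_array(replace(lower(config -> 'ConfigurationProperties' ->> 'value'), ' ', ''), ',')) then 'ok'`, with the same expression in the reason branch. The unchanged Description also names `audit_log_enabled` where `audit_log_events` is meant; `Description: "Set audit_log_events to include CONNECTION on MySQL Servers."` matches the Title.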
@@ -1,33 +1,13 @@
 ID: azure_cis_v210_6_5
 Title: "6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days'"
 Description: "Network Security Group Flow Logs should be enabled and the retention period set to greater than or equal to 90 days."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sg.id resource,
- case
- when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'
- else 'ok'
- end as status,
- case
- when fl.id is null or not fl.enabled
- then sg.name || ' flowlog not enabled.'
- when fl.retention_policy_days < 90
- then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'
- else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'
- end as reason
- 
- 
- 
- from
- azure_network_security_group sg
- left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id
- join azure_subscription sub on sub.subscription_id = sg.subscription_id;
+ QueryToExecute: "select\n sg.id resource,\n case\n when fl.id is null or not fl.enabled or fl.retention_policy_days < 90 then 'alarm'\n else 'ok'\n end as status,\n case\n when fl.id is null or not fl.enabled\n then sg.name || ' flowlog not enabled.'\n when fl.retention_policy_days < 90\n then sg.name || ' flowlog ' || fl.title || ' retention period is less than 90 days.'\n else sg.name || ' flowlog ' || fl.title || ' retention period is ' || fl.retention_policy_days || ' days.'\n end as reason\n \n \n \nfrom\n azure_network_security_group sg\n left join azure_network_watcher_flow_log fl on sg.id = fl.target_resource_id\n join azure_subscription sub on sub.subscription_id = sg.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
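Review bot: `fl.retention_policy_days < 90` is NULL when an enabled flow log has no retention policy recorded, and `false or false or NULL` sends the row to `else 'ok'`, so the case with no retention at all is reported compliant. Fail closed with `or coalesce(fl.retention_policy_days, 0) < 90` in the status CASE (and the same in the reason branch). Azure documents a flow-log retention of 0 days as "keep forever" (worth confirming against how this table populates `retention_policy_days`); if that holds, `0` should be exempted rather than alarmed, e.g. `or (fl.retention_policy_days <> 0 and coalesce(fl.retention_policy_days, 0) < 90)`. Note also that the Title says "greater than 90 days" while the Description and the `< 90` test accept exactly 90; the Title should read "greater than or equal to 90 days".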
diff --git a/compliance/controls/pending/azure/azure_cis_v210_8_7.yaml b/compliance/controls/pending/azure/azure_cis_v210_8_7.yaml
index 47530aca6..13e86477d 100755
--- a/compliance/controls/pending/azure/azure_cis_v210_8_7.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v210_8_7.yaml
@@ -1,37 +1,13 @@
 ID: azure_cis_v210_8_7
 Title: "8.7 Ensure that Private Endpoints are Used for Azure Key Vault"
 Description: "Private endpoints will secure network traffic from Azure Key Vault to the resources requesting secrets and keys."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- case
- -- Having private_endpoint_connections will not permit vault to use the same.
- -- In case'defaultAction' = 'Allow', All Network including internet is allowed, which will not satisfy the private endpoint connection.
- -- Default All network will have not network_acls associated.
- when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then 'alarm'
- when private_endpoint_connections is null then 'info'
- when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]' then 'ok'
- else 'alarm'
- end as status,
- case
- when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.'
- when private_endpoint_connections is null then a.name || ' no private link exists.'
- when private_endpoint_connections @> '[{"PrivateLinkServiceConnectionStateStatus": "Approved"}]'
- then a.name || ' using private link.'
- else a.name || ' private link not enabled.'
- end as reason
- 
- 
- 
- from
- azure_key_vault a,
- azure_subscription sub;
+ QueryToExecute: "select\n a.id as resource,\n case\n -- Having private_endpoint_connections will not permit vault to use the same.\n -- In case'defaultAction' = 'Allow', All Network including internet is allowed, which will not satisfy the private endpoint connection.\n -- Default All network will have not network_acls associated.\n when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then 'alarm'\n when private_endpoint_connections is null then 'info'\n when private_endpoint_connections @> '[{\"PrivateLinkServiceConnectionStateStatus\": \"Approved\"}]' then 'ok'\n else 'alarm'\n end as status,\n case\n when network_acls is null or network_acls ->> 'defaultAction' = 'Allow' then a.name || ' using public networks.'\n when private_endpoint_connections is null then a.name || ' no private link exists.'\n when private_endpoint_connections @> '[{\"PrivateLinkServiceConnectionStateStatus\": \"Approved\"}]'\n then a.name || ' using private link.'\n else a.name || ' private link not enabled.'\n end as reason\n \n \n \nfrom\n azure_key_vault a,\n azure_subscription sub;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_cis_v210_9_9.yaml b/compliance/controls/pending/azure/azure_cis_v210_9_9.yaml
index 5bfd0f550..a74044016 100755
--- a/compliance/controls/pending/azure/azure_cis_v210_9_9.yaml
+++ b/compliance/controls/pending/azure/azure_cis_v210_9_9.yaml
@@ -1,50 +1,13 @@
 ID: azure_cis_v210_9_9
 Title: "9.9 Ensure FTP deployments are Disabled"
 Description: "By default, Azure Functions, Web, and API Services can be deployed over FTP. If FTP is required for an essential deployment workflow, FTPS should be required for FTP login for all App Service Apps and Functions."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- fa.id as resource,
- case
- when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'
- else 'ok'
- end as status,
- case
- when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'
- else name || ' FTP deployments disabled.'
- end as reason
- 
- 
- 
- from
- azure_app_service_function_app fa,
- azure_subscription sub
- where
- sub.subscription_id = fa.subscription_id
- union
- select
- wa.id as resource,
- case
- when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'
- else 'ok'
- end as status,
- case
- when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'
- else name || ' FTP deployments disabled.'
- end as reason
- 
- 
- 
- from
- azure_app_service_web_app as wa,
- azure_subscription as sub
- where
- sub.subscription_id = wa.subscription_id;
+ QueryToExecute: "select\n fa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_function_app fa,\n azure_subscription sub\n where\n sub.subscription_id = fa.subscription_id\nunion\n select\n wa.id as resource,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then 'alarm'\n else 'ok'\n end as status,\n case\n when configuration -> 'properties' ->> 'ftpsState' = 'AllAllowed' then name || ' FTP deployments enabled.'\n else name || ' FTP deployments disabled.'\n end as reason\n \n \n \n from\n azure_app_service_web_app as wa,\n azure_subscription as sub\n where\n sub.subscription_id = wa.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_compute_windows_vm_secure_boot_enabled.yaml b/compliance/controls/pending/azure/azure_compute_windows_vm_secure_boot_enabled.yaml
index ac0e4151c..5da58c3b2 100755
--- a/compliance/controls/pending/azure/azure_compute_windows_vm_secure_boot_enabled.yaml
+++ b/compliance/controls/pending/azure/azure_compute_windows_vm_secure_boot_enabled.yaml
@@ -1,33 +1,13 @@
 ID: azure_compute_windows_vm_secure_boot_enabled
 Title: "Secure Boot should be enabled on supported Windows virtual machines"
 Description: "Enable Secure Boot on supported Windows virtual machines to mitigate against malicious and unauthorized changes to the boot chain. Once enabled, only trusted bootloaders, kernel and kernel drivers will be allowed to run. This assessment applies to Trusted Launch and Confidential Windows virtual machines."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- case
- when image_offer not like '%Windows%' or os_type not like 'Windows%' then 'skip'
- when security_profile ->> 'securityType' in ('TrustedLaunch','ConfidentialVM') and security_profile ->> 'uefiSettings' is not null and security_profile -> 'uefiSettings' ->> 'secureBootEnabled' = 'true' then 'ok'
- else 'alarm'
- end as status,
- case
- when image_offer not like '%Windows%' or os_type not like 'Windows%' then a.title || ' is not a windows VM.'
- when security_profile ->> 'securityType' in ('TrustedLaunch','ConfidentialVM') and security_profile ->> 'uefiSettings' is not null and security_profile -> 'uefiSettings' ->> 'secureBootEnabled' = 'true' then a.title || ' secure boot enabled.'
- else a.title || ' secure boot disabled.'
- end as reason
- 
- 
- 
- from
- azure_compute_virtual_machine as a,
- azure_subscription as sub
- where
- sub.subscription_id = a.subscription_id
+ QueryToExecute: "select\n a.id as resource,\n case\n when image_offer not like '%Windows%' or os_type not like 'Windows%' then 'skip'\n when security_profile ->> 'securityType' in ('TrustedLaunch','ConfidentialVM') and security_profile ->> 'uefiSettings' is not null and security_profile -> 'uefiSettings' ->> 'secureBootEnabled' = 'true' then 'ok'\n else 'alarm'\n end as status,\n case\n when image_offer not like '%Windows%' or os_type not like 'Windows%' then a.title || ' is not a windows VM.'\n when security_profile ->> 'securityType' in ('TrustedLaunch','ConfidentialVM') and security_profile ->> 'uefiSettings' is not null and security_profile -> 'uefiSettings' ->> 'secureBootEnabled' = 'true' then a.title || ' secure boot enabled.'\n else a.title || ' secure boot disabled.'\n end as reason\n \n \n \nfrom\n azure_compute_virtual_machine as a,\n azure_subscription as sub\nwhere\n sub.subscription_id = a.subscription_id\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_iot_hub_private_link_used.yaml b/compliance/controls/pending/azure/azure_iot_hub_private_link_used.yaml
index 29ba19299..388f47051 100755
--- a/compliance/controls/pending/azure/azure_iot_hub_private_link_used.yaml
+++ b/compliance/controls/pending/azure/azure_iot_hub_private_link_used.yaml
@@ -1,35 +1,13 @@
 ID: azure_iot_hub_private_link_used
 Title: "IoT Hub device provisioning service instances should use private link"
 Description: "Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to the IoT Hub device provisioning service, data leakage risks are reduced."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- case
- -- Only applicable to standard tier
- when sku_tier = 'Basic' then 'skip'
- when pec -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' then 'ok'
- else 'alarm'
- end as status,
- case
- when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.'
- when pec -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' then a.name || ' using private link.'
- else a.name || ' not using private link.'
- end as reason
- 
- 
- 
- from
- azure_iothub a,
- jsonb_array_elements(private_endpoint_connections) as pec,
- azure_subscription sub
- where
- sub.subscription_id = a.subscription_id;
+ QueryToExecute: "select\n a.id as resource,\n case\n -- Only applicable to standard tier\n when sku_tier = 'Basic' then 'skip'\n when pec -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.'\n when pec -> 'properties' -> 'privateLinkServiceConnectionState' ->> 'status' = 'Approved' then a.name || ' using private link.'\n else a.name || ' not using private link.'\n end as reason\n \n \n \nfrom\n azure_iothub a,\n jsonb_array_elements(private_endpoint_connections) as pec,\n azure_subscription sub\nwhere\n sub.subscription_id = a.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_mariadb_server_private_link_used.yaml b/compliance/controls/pending/azure/azure_mariadb_server_private_link_used.yaml
index c1ea9da55..20f491397 100755
--- a/compliance/controls/pending/azure/azure_mariadb_server_private_link_used.yaml
+++ b/compliance/controls/pending/azure/azure_mariadb_server_private_link_used.yaml
@@ -1,34 +1,13 @@
 ID: azure_mariadb_server_private_link_used
 Title: "Private endpoint should be enabled for MariaDB servers"
 Description: "Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- case
- -- Only applicable to standard tier
- when sku_tier = 'Basic' then 'skip'
- when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then 'ok'
- else 'alarm'
- end as status,
- case
- when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.'
- when private_endpoint_connections @> '[{"privateLinkServiceConnectionStateStatus": "Approved"}]'::jsonb then a.name || ' using private link.'
- else a.name || ' not using private link.'
- end as reason
- 
- 
- 
- from
- azure_mariadb_server a,
- azure_subscription sub
- where
- sub.subscription_id = a.subscription_id;
+ QueryToExecute: "select\n a.id as resource,\n case\n -- Only applicable to standard tier\n when sku_tier = 'Basic' then 'skip'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then 'ok'\n else 'alarm'\n end as status,\n case\n when sku_tier = 'Basic' then a.name || ' is of ' || sku_tier || ' tier.'\n when private_endpoint_connections @> '[{\"privateLinkServiceConnectionStateStatus\": \"Approved\"}]'::jsonb then a.name || ' using private link.'\n else a.name || ' not using private link.'\n end as reason\n \n \n \nfrom\n azure_mariadb_server a,\n azure_subscription sub\nwhere\n sub.subscription_id = a.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
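Review bot: The containment key `privateLinkServiceConnectionStateStatus` (lowercase `p`) differs from the Key Vault control in this same diff, which uses `PrivateLinkServiceConnectionStateStatus`; the stored JSON has one casing, so one of the two controls can never match and will report every resource as "not using private link" — verify against the `private_endpoint_connections` column and align both. `sku_tier = 'Basic'` is a case-sensitive compare while the queue-logging control lower-cases `sku_tier`; `when lower(sku_tier) = 'basic' then 'skip'` is the consistent form. The NULL handling here is sound: a NULL column makes `@>` NULL and the CASE falls to `'alarm'`, which is the fail-closed result the IoT Hub query in this diff lacks.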
diff --git a/compliance/controls/pending/azure/azure_monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok.yaml b/compliance/controls/pending/azure/azure_monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok.yaml
index c39dc8a37..804919548 100755
--- a/compliance/controls/pending/azure/azure_monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok.yaml
+++ b/compliance/controls/pending/azure/azure_monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok.yaml
@@ -1,35 +1,13 @@
 ID: azure_monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok
 Title: "Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key"
 Description: "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- case
- when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'
- else 'alarm'
- end as status,
- case
- when a.encryption_key_source = 'Microsoft.Keyvault'
- then a.name || ' container insights-activity-logs encrypted with BYOK.'
- else a.name || ' container insights-activity-logs not encrypted with BYOK.'
- end as reason
- 
- 
- 
- from
- azure_storage_container c,
- azure_storage_account a,
- azure_subscription sub
- where
- c.name = 'insights-activity-logs'
- and c.account_name = a.name
- and sub.subscription_id = a.subscription_id;
+ QueryToExecute: "select\n a.id as resource,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault'\n then a.name || ' container insights-activity-logs encrypted with BYOK.'\n else a.name || ' container insights-activity-logs not encrypted with BYOK.'\n end as reason\n \n \n \nfrom\n azure_storage_container c,\n azure_storage_account a,\n azure_subscription sub\nwhere\n c.name = 'insights-activity-logs'\n and c.account_name = a.name\n and sub.subscription_id = a.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok.yaml b/compliance/controls/pending/azure/azure_monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok.yaml
index 6defecdd8..de82cfef8 100755
--- a/compliance/controls/pending/azure/azure_monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok.yaml
+++ b/compliance/controls/pending/azure/azure_monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok.yaml
@@ -1,35 +1,13 @@
 ID: azure_monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok
 Title: "Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key"
 Description: "Storage accounts with the activity log exports can be configured to use Customer Managed Keys (CMK)."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- a.id as resource,
- case
- when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'
- else 'alarm'
- end as status,
- case
- when a.encryption_key_source = 'Microsoft.Keyvault'
- then a.name || ' container insights-operational-logs encrypted with BYOK.'
- else a.name || ' container insights-operational-logs not encrypted with BYOK.'
- end as reason
- 
- 
- 
- from
- azure_storage_container c,
- azure_storage_account a,
- azure_subscription sub
- where
- c.name = 'insights-operational-logs'
- and c.account_name = a.name
- and sub.subscription_id = a.subscription_id;
+ QueryToExecute: "select\n a.id as resource,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault' then 'ok'\n else 'alarm'\n end as status,\n case\n when a.encryption_key_source = 'Microsoft.Keyvault'\n then a.name || ' container insights-operational-logs encrypted with BYOK.'\n else a.name || ' container insights-operational-logs not encrypted with BYOK.'\n end as reason\n \n \n \nfrom\n azure_storage_container c,\n azure_storage_account a,\n azure_subscription sub\nwhere\n c.name = 'insights-operational-logs'\n and c.account_name = a.name\n and sub.subscription_id = a.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
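Review bot: The unchanged Title and Description still describe "the container with activity logs", copied from the `insights-activity-logs` control directly above, while this query filters on `c.name = 'insights-operational-logs'`; anyone triaging the finding will not know which container failed. Suggest `Title: "Ensure the storage account containing the container with operational logs is encrypted with Customer Managed Key"` and `Description: "Storage accounts with the operational log exports can be configured to use Customer Managed Keys (CMK)."`. The join `c.account_name = a.name` is safe only because storage account names are globally unique; if `azure_storage_container` carries a `subscription_id`, adding `and c.subscription_id = a.subscription_id` makes that dependence explicit.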
diff --git a/compliance/controls/pending/azure/azure_postgres_db_server_log_duration_on.yaml b/compliance/controls/pending/azure/azure_postgres_db_server_log_duration_on.yaml
index a8ac2448a..b711acf08 100755
--- a/compliance/controls/pending/azure/azure_postgres_db_server_log_duration_on.yaml
+++ b/compliance/controls/pending/azure/azure_postgres_db_server_log_duration_on.yaml
@@ -1,33 +1,13 @@
 ID: azure_postgres_db_server_log_duration_on
 Title: "Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server"
 Description: "Enable log_duration on PostgreSQL Servers."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- s.id as resource,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'
- else 'ok'
- end as status,
- case
- when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_duration off.'
- else name || ' server parameter log_duration on.'
- end as reason
- 
- 
- 
- from
- azure_postgresql_server s,
- jsonb_array_elements(server_configurations) config,
- azure_subscription sub
- where
- config ->> 'Name' = 'log_duration'
- and sub.subscription_id = s.subscription_id;
+ QueryToExecute: "select\n s.id as resource,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then 'alarm'\n else 'ok'\n end as status,\n case\n when lower(config -> 'ConfigurationProperties' ->> 'value') != 'on' then name || ' server parameter log_duration off.'\n else name || ' server parameter log_duration on.'\n end as reason\n \n \n \nfrom\n azure_postgresql_server s,\n jsonb_array_elements(server_configurations) config,\n azure_subscription sub\nwhere\n config ->> 'Name' = 'log_duration'\n and sub.subscription_id = s.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
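Review bot: The reason branches reference an unqualified `name` (`then name || ' server parameter log_duration off.'`) in a query that joins `azure_postgresql_server s` with `azure_subscription sub`; the other PostgreSQL parameter controls in this diff write `s.name`, which suggests both tables expose `name`, and if so PostgreSQL rejects the statement as ambiguous. Qualify both branches as `s.name || ...`. The `!= 'on'` comparison is NULL for a missing value and falls through to `else 'ok'`; `is distinct from 'on'` keeps the missing-value case from passing.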
diff --git a/compliance/controls/pending/azure/azure_storage_account_containing_vhd_os_disk_cmk_encrypted.yaml b/compliance/controls/pending/azure/azure_storage_account_containing_vhd_os_disk_cmk_encrypted.yaml
index 22894769c..cfc299a74 100755
--- a/compliance/controls/pending/azure/azure_storage_account_containing_vhd_os_disk_cmk_encrypted.yaml
+++ b/compliance/controls/pending/azure/azure_storage_account_containing_vhd_os_disk_cmk_encrypted.yaml
@@ -1,36 +1,13 @@
 ID: azure_storage_account_containing_vhd_os_disk_cmk_encrypted
 Title: "Storage account containing VHD OS disk not encrypted with CMK"
 Description: "This policy identifies Azure Storage account containing VHD OS disk which are not encrypted with CMK. VHD's attached to Virtual Machines are stored in Azure storage. By default Azure Storage account is encrypted using Microsoft Managed Keys. It is recommended to use Customer Managed Keys to encrypt data in Azure Storage accounts for better control on the data."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sa.id as resource,
- case
- when sa.encryption_key_source = 'Microsoft.Storage'
- and vm.os_disk_vhd_uri is not null then 'alarm'
- else 'ok'
- end as status,
- case
- when sa.encryption_key_source = 'Microsoft.Storage'
- and vm.os_disk_vhd_uri is not null then sa.name || ' storage account containing VHD OS disk not encrypted with CMK.'
- else sa.name || ' storage account containing VHD OS disk encrypted with CMK.'
- end as reason
- 
- 
- 
- 
- from
- azure_storage_account sa,
- azure_compute_virtual_machine vm,
- azure_subscription sub
- where
- sub.subscription_id = sa.subscription_id
- and vm.os_disk_vhd_uri like '%' || sa.name || '%';
+ QueryToExecute: "select\n sa.id as resource,\n case\n when sa.encryption_key_source = 'Microsoft.Storage'\n and vm.os_disk_vhd_uri is not null then 'alarm'\n else 'ok'\n end as status,\n case\n when sa.encryption_key_source = 'Microsoft.Storage'\n and vm.os_disk_vhd_uri is not null then sa.name || ' storage account containing VHD OS disk not encrypted with CMK.'\n else sa.name || ' storage account containing VHD OS disk encrypted with CMK.'\n end as reason\n \n \n \n \nfrom\n azure_storage_account sa,\n azure_compute_virtual_machine vm,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id\n and vm.os_disk_vhd_uri like '%' || sa.name || '%';\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/pending/azure/azure_storage_account_queues_logging_enabled.yaml b/compliance/controls/pending/azure/azure_storage_account_queues_logging_enabled.yaml
index 7470df499..b27b36712 100755
--- a/compliance/controls/pending/azure/azure_storage_account_queues_logging_enabled.yaml
+++ b/compliance/controls/pending/azure/azure_storage_account_queues_logging_enabled.yaml
@@ -1,39 +1,13 @@
 ID: azure_storage_account_queues_logging_enabled
 Title: "Storage account logging (Classic Diagnostic Setting) for queues should be enabled"
 Description: "Storage Logging records details of requests (read, write, and delete operations) against your Azure queues. This policy identifies Azure storage accounts that do not have logging enabled for queues. As a best practice, enable logging for read, write, and delete request types on queues."
-Connector:
-- azure
 Query:
 Engine: CloudQL-v0.0.1
- QueryToExecute: |
- select
- sa.id as resource,
- case
- when lower(sa.sku_tier) = 'standard'
- and (queue_logging_write and queue_logging_read and queue_logging_delete) then 'ok'
- else 'alarm'
- end as status,
- case
- when lower(sa.sku_tier) = 'standard'
- and (queue_logging_write and queue_logging_read and queue_logging_delete)
- then sa.name || ' storage account logging for queues is enabled.'
- else sa.name || ' storage account logging for queues is disabled for ' ||
- concat_ws(', ',
- case when not queue_logging_write then 'write' end,
- case when not queue_logging_read then 'read' end,
- case when not queue_logging_delete then 'delete' end
- ) || ' requests.'
- end as reason
-
-
-
- from
- azure_storage_account sa,
- azure_subscription sub
- where
- sub.subscription_id = sa.subscription_id;
+ QueryToExecute: "select\n sa.id as resource,\n case\n when lower(sa.sku_tier) = 'standard'\n and (queue_logging_write and queue_logging_read and queue_logging_delete) then 'ok'\n else 'alarm'\n end as status,\n case\n when lower(sa.sku_tier) = 'standard'\n and (queue_logging_write and queue_logging_read and queue_logging_delete)\n then sa.name || ' storage account logging for queues is enabled.'\n else sa.name || ' storage account logging for queues is disabled for ' ||\n concat_ws(', ',\n case when not queue_logging_write then 'write' end,\n case when not queue_logging_read then 'read' end,\n case when not queue_logging_delete then 'delete' end\n ) || ' requests.'\n end as reason\n \n \n \nfrom\n azure_storage_account sa,\n azure_subscription sub\nwhere\n sub.subscription_id = sa.subscription_id;\n"
 PrimaryTable: ""
 ListOfTables: []
 Parameters: []
 Severity: low
 Tags: {}
+IntegrationTypeName:
+ - azure_subscription
diff --git a/compliance/controls/processed_files.log b/compliance/controls/processed_files.log
new file mode 100644
index 000000000..451323102
--- /dev/null
+++ b/compliance/controls/processed_files.log
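Review bot: In the rewritten `QueryToExecute` the `lower(sa.sku_tier) = 'standard'` test gates both the status and the reason, so an account of any other tier with all three queue-logging flags set is reported as `alarm` with the reason `... storage account logging for queues is disabled for  requests.` — with PostgreSQL-style `concat_ws` every `case` is null and the list of request types collapses to an empty string, which gives the operator nothing to act on. If classic queue logging is genuinely unavailable outside the standard tier, add an explicit branch before the `else`, such as `when lower(sa.sku_tier) <> 'standard' then sa.name || ' storage account is not standard tier; classic queue logging not evaluated.'`; if it is available, drop the tier test from the status expression so the finding reflects the logging flags alone. `queue_logging_write`, `queue_logging_read` and `queue_logging_delete` are the only columns not qualified with the `sa.` alias; qualifying them keeps the query unambiguous should `azure_subscription` ever gain a column of the same name. Note also that `PrimaryTable: ""` and `ListOfTables: []` stay empty while the query reads `azure_storage_account` and `azure_subscription`, unlike the aws controls in this commit, which list their tables.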
@@ -0,0 +1,2846 @@ +./azure/azure_cis_v130_1_4.yaml processed successfully. +./azure/azure_cis_v130_1_15.yaml processed successfully. +./azure/azure_cis_v210_3_13.yaml processed successfully. +./azure/azure_monitor_log_profile_retention_365_days.yaml processed successfully. +./azure/azure_cis_v210_7_5.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_tcp_port_4333.yaml processed successfully. +./azure/azure_cis_v140_1_3.yaml processed successfully. +./azure/azure_log_analytics_workspace_block_log_ingestion_and_querying_from_public.yaml processed successfully. +./azure/azure_synapse_workspace_encryption_at_rest_using_cmk.yaml processed successfully. +./azure/azure_cis_v150_2_1_5.yaml processed successfully. +./azure/azure_cis_v150_5_2_7.yaml processed successfully. +./azure/azure_cis_v200_4_4_2.yaml processed successfully. +./azure/azure_cis_v130_5_3.yaml processed successfully. +./azure/azure_iam_subscription_owner_max_3.yaml processed successfully. +./azure/azure_monitor_logs_storage_container_not_public_accessible.yaml processed successfully. +./azure/azure_keyvault_with_rbac_secret_expiration_set.yaml processed successfully. +./azure/azure_data_factory_uses_git_repository.yaml processed successfully. +./azure/azure_cis_v200_2_1_12.yaml processed successfully. +./azure/azure_cis_v210_3_2.yaml processed successfully. +./azure/azure_monitor_log_alert_delete_public_ip_address.yaml processed successfully. +./azure/azure_cis_v130_9_3.yaml processed successfully. +./azure/azure_cis_v150_1_9.yaml processed successfully. +./azure/azure_cis_v200_5_1_1.yaml processed successfully. +./azure/azure_network_interface_ip_forwarding_disabled.yaml processed successfully. +./azure/azure_securitycenter_security_alerts_to_owner_enabled.yaml processed successfully. +./azure/azure_cis_v140_9_4.yaml processed successfully. +./azure/azure_cis_v210_6_1.yaml processed successfully. +./azure/azure_postgres_sql_ssl_enabled.yaml processed successfully. 
+./azure/azure_keyvault_with_non_rbac_key_expiration_set.yaml processed successfully. +./azure/azure_cis_v200_3_8.yaml processed successfully. +./azure/azure_appservice_api_app_cors_no_star.yaml processed successfully. +./azure/azure_cis_v130_2_13.yaml processed successfully. +./azure/azure_container_registry_use_virtual_service_endpoint.yaml processed successfully. +./azure/azure_log_profile_enabled_for_all_subscription.yaml processed successfully. +./azure/azure_cis_v210_5_4.yaml processed successfully. +./azure/azure_cis_v140_3_2.yaml processed successfully. +./azure/azure_storage_sync_private_link_used.yaml processed successfully. +./azure/azure_cis_v150_4_4_1.yaml processed successfully. +./azure/azure_sql_server_transparent_data_encryption_enabled.yaml processed successfully. +./azure/azure_cis_v200_2_1_6.yaml processed successfully. +./azure/azure_cis_v200_5_2_4.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_tcp_port_25.yaml processed successfully. +./azure/azure_kubernetes_cluster_node_restrict_public_access.yaml processed successfully. +./azure/azure_storage_account_tables_logging_enabled.yaml processed successfully. +./azure/azure_iot_hub_encrypted_with_cmk.yaml processed successfully. +./azure/azure_cis_v210_1_14.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_app_service_web_app_mandatory.yaml processed successfully. +./azure/azure_cis_v140_7_5.yaml processed successfully. +./azure/azure_compute_vm_scale_set_system_updates_installed.yaml processed successfully. +./azure/azure_cognitive_service_local_auth_disabled.yaml processed successfully. +./azure/azure_mysql_server_audit_logging_enabled.yaml processed successfully. +./azure/azure_cis_v130_7_2.yaml processed successfully. +./azure/azure_compute_vm_disaster_recovery_enabled.yaml processed successfully. +./azure/azure_cis_v140_2_6.yaml processed successfully. 
+./azure/azure_kubernetes_cluster_http_application_routing_disabled.yaml processed successfully. +./azure/azure_appservice_api_app_use_https.yaml processed successfully. +./azure/azure_monitor_log_alert_create_update_public_ip_address.yaml processed successfully. +./azure/azure_cis_v150_1_21.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_postgresql_server_mandatory.yaml processed successfully. +./azure/azure_cis_v130_2_1.yaml processed successfully. +./azure/azure_cis_v150_3_8.yaml processed successfully. +./azure/azure_cosmosdb_account_uses_aad_and_rbac.yaml processed successfully. +./azure/azure_appservice_plan_minimum_sku.yaml processed successfully. +./azure/azure_cis_v210_1_2_3.yaml processed successfully. +./azure/azure_cis_v210_9_4.yaml processed successfully. +./azure/azure_cis_v140_6_1.yaml processed successfully. +./azure/azure_databox_edge_device_double_encryption_enabled.yaml processed successfully. +./azure/azure_kubernetes_cluster_container_use_allowed_images.yaml processed successfully. +./azure/azure_cis_v150_4_1_2.yaml processed successfully. +./azure/azure_cis_v130_6_6.yaml processed successfully. +./azure/azure_cis_v200_1_9.yaml processed successfully. +./azure/azure_cis_v150_5_1_2.yaml processed successfully. +./azure/azure_kubernetes_cluster_container_use_allowed_capabilities.yaml processed successfully. +./azure/azure_kubernetes_cluster_key_vault_secret_rotation_enabled.yaml processed successfully. +./azure/azure_cis_v210_7_9.yaml processed successfully. +./azure/azure_compute_vm_remote_access_restricted_all_ports.yaml processed successfully. +./azure/azure_keyvault_vault_private_link_used.yaml processed successfully. +./azure/azure_cis_v150_9_2.yaml processed successfully. +./azure/azure_cis_v200_6_7.yaml processed successfully. +./azure/azure_cis_v130_1_19.yaml processed successfully. +./azure/azure_cis_v130_1_8.yaml processed successfully. +./azure/azure_cis_v210_1_22.yaml processed successfully. 
+./azure/azure_mandatory_sql_resource_group_log_alert_mandatory.yaml processed successfully. +./azure/azure_compute_vm_max_password_age_70_days_windows.yaml processed successfully. +./azure/azure_cis_v140_1_12.yaml processed successfully. +./azure/azure_appservice_authentication_enabled.yaml processed successfully. +./azure/azure_cis_v210_2_1_3.yaml processed successfully. +./azure/azure_cis_v210_5_2_1.yaml processed successfully. +./azure/azure_container_registry_trust_policy_enabled.yaml processed successfully. +./azure/azure_cis_v150_2_1_9.yaml processed successfully. +./azure/azure_search_service_uses_private_link.yaml processed successfully. +./azure/azure_mysql_server_encrypted_at_rest_using_cmk.yaml processed successfully. +./azure/azure_appservice_function_app_cors_no_star.yaml processed successfully. +./azure/azure_cis_v140_9_8.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_app_service_environment_mandatory.yaml processed successfully. +./azure/azure_cis_v200_1_2_6.yaml processed successfully. +./azure/azure_cis_v140_2_14.yaml processed successfully. +./azure/azure_cis_v150_1_5.yaml processed successfully. +./azure/azure_cis_v200_7_3.yaml processed successfully. +./azure/azure_cis_v150_8_6.yaml processed successfully. +./azure/azure_signalr_service_private_link_used.yaml processed successfully. +./azure/azure_network_security_group_not_configured_gateway_subnets.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_data_factory_mandatory.yaml processed successfully. +./azure/azure_cis_v150_1_17.yaml processed successfully. +./azure/azure_batch_account_encrypted_with_cmk.yaml processed successfully. +./azure/azure_apimanagement_service_with_virtual_network.yaml processed successfully. +./azure/azure_cis_v210_2_1_13.yaml processed successfully. +./azure/azure_search_service_public_network_access_disabled.yaml processed successfully. +./azure/azure_cis_v200_3_4.yaml processed successfully. 
+./azure/azure_sql_server_auditing_storage_account_destination_retention_90_days.yaml processed successfully. +./azure/azure_cis_v200_1_1_3.yaml processed successfully. +./azure/azure_cis_v200_5_2_8.yaml processed successfully. +./azure/azure_cis_v130_5_2_1.yaml processed successfully. +./azure/azure_cis_v130_3_9.yaml processed successfully. +./azure/azure_cis_v140_5_2_2.yaml processed successfully. +./azure/azure_cis_v150_2_1_10.yaml processed successfully. +./azure/azure_cis_v200_9_2.yaml processed successfully. +./azure/azure_synapse_workspace_vulnerability_assessment_enabled.yaml processed successfully. +./azure/azure_cis_v210_1_18.yaml processed successfully. +./azure/azure_cis_v150_10_1.yaml processed successfully. +./azure/azure_cis_v130_1_23.yaml processed successfully. +./azure/azure_sql_server_va_setting_scan_reports_configured.yaml processed successfully. +./azure/azure_cis_v150_3_4.yaml processed successfully. +./azure/azure_cis_v130_4_3_5.yaml processed successfully. +./azure/azure_cis_v150_3_10.yaml processed successfully. +./azure/azure_container_registry_admin_user_disabled.yaml processed successfully. +./azure/azure_cis_v210_4_5_3.yaml processed successfully. +./azure/azure_compute_vm_scale_set_logging_enabled.yaml processed successfully. +./azure/azure_cis_v200_1_5.yaml processed successfully. +./azure/azure_cosmosdb_account_key_based_metadata_write_access_disabled.yaml processed successfully. +./azure/azure_cis_v150_7_3.yaml processed successfully. +./azure/azure_appservice_web_app_ftps_enabled.yaml processed successfully. +./azure/azure_cis_v200_8_6.yaml processed successfully. +./azure/azure_compute_vm_scale_set_endpoint_protection_solution_installed.yaml processed successfully. +./azure/azure_cis_v150_1_2_5.yaml processed successfully. +./azure/azure_cis_v210_9_8.yaml processed successfully. +./azure/azure_compute_unattached_disk_encrypted_with_cmk.yaml processed successfully. +./azure/azure_cis_v210_5_1_4.yaml processed successfully. 
+./azure/azure_cis_v210_4_1_4.yaml processed successfully. +./azure/azure_postgresql_server_infrastructure_encryption_enabled.yaml processed successfully. +./azure/azure_cis_v210_5_1_5.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_mssql_elasticpool_mandatory.yaml processed successfully. +./azure/azure_cis_v210_4_1_5.yaml processed successfully. +./azure/azure_cis_v200_1_4.yaml processed successfully. +./azure/azure_kubernetes_cluster_container_cpu_and_memory_resource_limit.yaml processed successfully. +./azure/azure_cis_v150_7_2.yaml processed successfully. +./azure/azure_appservice_web_app_register_with_active_directory_enabled.yaml processed successfully. +./azure/azure_cis_v150_1_2_4.yaml processed successfully. +./azure/azure_kubernetes_cluster_max_pod_50.yaml processed successfully. +./azure/azure_cis_v210_4_5_2.yaml processed successfully. +./azure/azure_cis_v140_4_3_7.yaml processed successfully. +./azure/azure_cis_v150_3_5.yaml processed successfully. +./azure/azure_cis_v150_3_11.yaml processed successfully. +./azure/azure_cis_v150_5_2_10.yaml processed successfully. +./azure/azure_monitor_log_cluster_encrypted_with_cmk.yaml processed successfully. +./azure/azure_cis_v210_1_19.yaml processed successfully. +./azure/azure_appservice_function_app_uses_managed_identity.yaml processed successfully. +./azure/azure_network_security_group_subnet_associated.yaml processed successfully. +./azure/azure_cis_v130_1_22.yaml processed successfully. +./azure/azure_cis_v150_2_1_11.yaml processed successfully. +./azure/azure_kubernetes_cluster_container_host_process_id_not_shared.yaml processed successfully. +./azure/azure_appservice_web_app_cors_no_star.yaml processed successfully. +./azure/azure_cis_v200_9_3.yaml processed successfully. +./azure/azure_apimanagement_service_client_certificate_enabled.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_data_lake_store_mandatory.yaml processed successfully. 
+./azure/azure_cis_v140_5_2_3.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_udp_port_1434.yaml processed successfully. +./azure/azure_cis_v200_1_1_2.yaml processed successfully. +./azure/azure_compute_vm_scale_set_automatic_upgrade_enabled.yaml processed successfully. +./azure/azure_cis_v200_5_2_9.yaml processed successfully. +./azure/azure_cis_v130_3_8.yaml processed successfully. +./azure/azure_cis_v200_9_11.yaml processed successfully. +./azure/azure_cis_v210_2_1_12.yaml processed successfully. +./azure/azure_cis_v200_3_5.yaml processed successfully. +./azure/azure_cis_v150_5_3.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_tcp_port_53.yaml processed successfully. +./azure/azure_cis_v150_1_16.yaml processed successfully. +./azure/azure_securitycenter_azure_defender_on_for_resource_manager.yaml processed successfully. +./azure/azure_cis_v140_2_15.yaml processed successfully. +./azure/azure_cis_v130_5_1_5.yaml processed successfully. +./azure/azure_cis_v150_1_4.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_udp_port_53.yaml processed successfully. +./azure/azure_cis_v200_7_2.yaml processed successfully. +./azure/azure_compute_vm_non_internet_facing_protected_with_nsg.yaml processed successfully. +./azure/azure_cognitive_account_public_network_access_disabled.yaml processed successfully. +./azure/azure_cis_v140_9_9.yaml processed successfully. +./azure/azure_monitor_logs_storage_container_encryptes_with_byok.yaml processed successfully. +./azure/azure_securitycenter_mcas_integration.yaml processed successfully. +./azure/azure_cis_v150_2_1_8.yaml processed successfully. +./azure/azure_cis_v150_1_1_1.yaml processed successfully. +./azure/azure_network_sg_flowlog_retention_period_greater_than_90.yaml processed successfully. +./azure/azure_cis_v140_1_13.yaml processed successfully. 
+./azure/azure_eventhub_namespace_use_virtual_service_endpoint.yaml processed successfully. +./azure/azure_kubernetes_cluster_pod_host_path_volume_use_allowed_host_path.yaml processed successfully. +./azure/azure_cis_v210_2_1_2.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_virtual_network_gateway_mandatory.yaml processed successfully. +./azure/azure_cis_v130_1_18.yaml processed successfully. +./azure/azure_cis_v130_1_9.yaml processed successfully. +./azure/azure_cis_v210_1_23.yaml processed successfully. +./azure/azure_log_analytics_workspace_block_non_azure_ingestion.yaml processed successfully. +./azure/azure_kubernetes_cluster_container_privilege_escalation_restricted.yaml processed successfully. +./azure/azure_cis_v210_7_8.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_cosmosdb_mongo_database_mandatory.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_data_lake_analytics_account_mandatory.yaml processed successfully. +./azure/azure_appservice_api_app_latest_tls_version.yaml processed successfully. +./azure/azure_appservice_api_app_client_certificates_on.yaml processed successfully. +./azure/azure_appservice_function_app_ftps_enabled.yaml processed successfully. +./azure/azure_appservice_web_app_latest_java_version.yaml processed successfully. +./azure/azure_storage_account_infrastructure_encryption_enabled.yaml processed successfully. +./azure/azure_cis_v150_5_1_3.yaml processed successfully. +./azure/azure_cis_v200_1_8.yaml processed successfully. +./azure/azure_cis_v150_2_2_1.yaml processed successfully. +./azure/azure_cis_v210_1_2_2.yaml processed successfully. +./azure/azure_cis_v210_9_5.yaml processed successfully. +./azure/azure_cis_v200_1_10.yaml processed successfully. +./azure/azure_cis_v150_1_20.yaml processed successfully. +./azure/azure_cis_v130_4_3_8.yaml processed successfully. +./azure/azure_cis_v200_4_3_1.yaml processed successfully. 
+./azure/azure_cis_v150_3_9.yaml processed successfully. +./azure/azure_cis_v200_5_3_1.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_application_security_group_mandatory.yaml processed successfully. +./azure/azure_logic_app_integration_service_environment_encrypted_with_cmk.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_tcp_port_135.yaml processed successfully. +./azure/azure_cis_v140_2_7.yaml processed successfully. +./azure/azure_kubernetes_cluster_authorized_ip_range_defined.yaml processed successfully. +./azure/azure_securitycenter_azure_defender_on_for_appservice.yaml processed successfully. +./azure/azure_compute_vm_scale_set_boot_diagnostics_enabled.yaml processed successfully. +./azure/azure_logic_app_workflow_logging_enabled.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_storage_account_mandatory.yaml processed successfully. +./azure/azure_cis_v130_7_3.yaml processed successfully. +./azure/azure_container_registry_quarantine_policy_enabled.yaml processed successfully. +./azure/azure_cis_v210_1_15.yaml processed successfully. +./azure/azure_storage_account_queue_services_logging_enabled.yaml processed successfully. +./azure/azure_cis_v210_8_1.yaml processed successfully. +./azure/azure_cis_v140_7_4.yaml processed successfully. +./azure/azure_cis_v130_3_4.yaml processed successfully. +./azure/azure_cosmosdb_use_virtual_service_endpoint.yaml processed successfully. +./azure/azure_cis_v200_2_1_7.yaml processed successfully. +./azure/azure_cis_v200_5_2_5.yaml processed successfully. +./azure/azure_cis_v140_3_3.yaml processed successfully. +./azure/azure_monitor_log_alert_delete_policy_assignment.yaml processed successfully. +./azure/azure_cis_v210_4_3_8.yaml processed successfully. +./azure/azure_cis_v130_2_12.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_tcp_port_1433.yaml processed successfully. 
+./azure/azure_compute_vm_administrators_group_with_extra_accounts_windows.yaml processed successfully. +./azure/azure_cis_v200_3_9.yaml processed successfully. +./azure/azure_securitycenter_notify_alerts_configured.yaml processed successfully. +./azure/azure_cis_v140_9_5.yaml processed successfully. +./azure/azure_keyvault_certificate_validity_12_months.yaml processed successfully. +./azure/azure_cis_v130_9_2.yaml processed successfully. +./azure/azure_cis_v150_1_8.yaml processed successfully. +./azure/azure_cis_v200_2_1_13.yaml processed successfully. +./azure/azure_cis_v210_3_3.yaml processed successfully. +./azure/azure_appservice_api_app_ftps_enabled.yaml processed successfully. +./azure/azure_storage_account_blob_containers_public_access_private.yaml processed successfully. +./azure/azure_iam_deprecated_account.yaml processed successfully. +./azure/azure_appservice_web_app_remote_debugging_disabled.yaml processed successfully. +./azure/azure_cis_v150_2_1_4.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_log_profile_mandatory.yaml processed successfully. +./azure/azure_cis_v150_5_2_6.yaml processed successfully. +./azure/azure_cognitive_account_private_link_used.yaml processed successfully. +./azure/azure_cis_v140_8_1.yaml processed successfully. +./azure/azure_cis_v210_7_4.yaml processed successfully. +./azure/azure_keyvault_logging_enabled.yaml processed successfully. +./azure/azure_cis_v140_1_2.yaml processed successfully. +./azure/azure_container_instance_container_group_identity_provider_enabled.yaml processed successfully. +./azure/azure_securitycenter_azure_defender_on_for_storage.yaml processed successfully. +./azure/azure_cis_v130_1_5.yaml processed successfully. +./azure/azure_cis_v130_1_14.yaml processed successfully. +./azure/azure_sql_server_tde_protector_cmk_encrypted.yaml processed successfully. +./azure/azure_keyvault_rbac_enabled.yaml processed successfully. +./azure/azure_cis_v210_3_12.yaml processed successfully. 
+./azure/azure_sql_database_vulnerability_findings_resolved.yaml processed successfully. +./azure/azure_cis_v140_1_9.yaml processed successfully. +./azure/azure_network_security_group_remote_access_restricted.yaml processed successfully. +./azure/azure_kubernetes_cluster_sku_standard.yaml processed successfully. +./azure/azure_storage_account_use_virtual_service_endpoint.yaml processed successfully. +./azure/azure_keyvault_with_non_rbac_secret_expiration_set.yaml processed successfully. +./azure/azure_mariadb_server_public_network_access_disabled.yaml processed successfully. +./azure/azure_cis_v150_9_4.yaml processed successfully. +./azure/azure_cis_v200_6_1.yaml processed successfully. +./azure/azure_hdinsight_cluster_encryption_in_transit_enabled.yaml processed successfully. +./azure/azure_cis_v210_1_24.yaml processed successfully. +./azure/azure_search_service_uses_sku_supporting_private_link.yaml processed successfully. +./azure/azure_cis_v200_2_1_18.yaml processed successfully. +./azure/azure_keyvault_managed_hms_purge_protection_enabled.yaml processed successfully. +./azure/azure_cis_v210_3_8.yaml processed successfully. +./azure/azure_cis_v140_1_14.yaml processed successfully. +./azure/azure_cis_v140_4_4_2.yaml processed successfully. +./azure/azure_cis_v210_5_2_7.yaml processed successfully. +./azure/azure_cis_v210_2_1_5.yaml processed successfully. +./azure/azure_kubernetes_cluster_container_use_allowed_apparmor_profile.yaml processed successfully. +./azure/azure_postgres_db_server_log_checkpoints_on.yaml processed successfully. +./azure/azure_authorize_access_to_security_functions_and_information.yaml processed successfully. +./azure/azure_healthcare_fhir_azure_api_encrypted_at_rest_with_cmk.yaml processed successfully. +./azure/azure_network_watcher_flow_log_traffic_analytics_enabled.yaml processed successfully. +./azure/azure_cis_v140_5_1_1.yaml processed successfully. 
+./azure/azure_compute_vm_malware_agent_automatic_upgrade_enabled.yaml processed successfully. +./azure/azure_cis_v140_2_12.yaml processed successfully. +./azure/azure_appservice_function_app_client_certificates_on.yaml processed successfully. +./azure/azure_cis_v200_1_21.yaml processed successfully. +./azure/azure_compute_vm_meet_security_option_audit_requirement_windows.yaml processed successfully. +./azure/azure_cis_v130_4_1_2.yaml processed successfully. +./azure/azure_cis_v130_9_9.yaml processed successfully. +./azure/azure_cis_v200_7_5.yaml processed successfully. +./azure/azure_audit_diagnostic_setting.yaml processed successfully. +./azure/azure_cis_v130_5_1_2.yaml processed successfully. +./azure/azure_cis_v150_1_3.yaml processed successfully. +./azure/azure_cosmosdb_account_encryption_at_rest_using_cmk.yaml processed successfully. +./azure/azure_cis_v150_1_11.yaml processed successfully. +./azure/azure_compute_vm_administrators_group_with_specified_members_windows.yaml processed successfully. +./azure/azure_kusto_cluster_disk_encryption_enabled.yaml processed successfully. +./azure/azure_cis_v210_2_1_15.yaml processed successfully. +./azure/azure_keyvault_key_expiration_set.yaml processed successfully. +./azure/azure_sql_db_active_directory_admin_configured.yaml processed successfully. +./azure/azure_cis_v200_3_2.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_mssql_managed_instance_mandatory.yaml processed successfully. +./azure/azure_cis_v200_2_1_22.yaml processed successfully. +./azure/azure_cis_v130_5_2_7.yaml processed successfully. +./azure/azure_cis_v150_2_6.yaml processed successfully. +./azure/azure_network_lb_no_basic_sku.yaml processed successfully. +./azure/azure_cis_v140_5_2_4.yaml processed successfully. +./azure/azure_cis_v210_4_4_1.yaml processed successfully. +./azure/azure_cis_v140_3_8.yaml processed successfully. 
+./azure/azuread_spn_with_more_than_one_active_client_secret_created_x_days_ago.yaml processed successfully. +./azure/azure_application_gateway_waf_enabled.yaml processed successfully. +./azure/azure_compute_vm_log_analytics_agent_installed_windows.yaml processed successfully. +./azure/azure_cis_v200_9_4.yaml processed successfully. +./azure/azure_cis_v150_6_1.yaml processed successfully. +./azure/azure_compute_vm_scale_set_uses_managed_disks.yaml processed successfully. +./azure/azure_container_registry_geo_replication_enabled.yaml processed successfully. +./azure/azure_cis_v210_1_9.yaml processed successfully. +./azure/azure_eventhub_namespace_logging_enabled.yaml processed successfully. +./azure/azure_cis_v200_5_4.yaml processed successfully. +./azure/azure_compute_disk_access_uses_private_link.yaml processed successfully. +./azure/azure_cis_v150_3_2.yaml processed successfully. +./azure/azure_cosmosdb_account_with_firewall_rules.yaml processed successfully. +./azure/azure_machine_learning_workspace_encrypted_with_cmk.yaml processed successfully. +./azure/azure_compute_vm_windows_defender_exploit_guard_enabled.yaml processed successfully. +./azure/azure_postgres_db_server_log_retention_days_3.yaml processed successfully. +./azure/azure_cis_v150_7_5.yaml processed successfully. +./azure/azure_redis_cache_uses_private_link.yaml processed successfully. +./azure/azure_cis_v200_1_3.yaml processed successfully. +./azure/azure_databox_job_double_encryption_enabled.yaml processed successfully. +./azure/azure_cis_v150_1_2_3.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_app_service_function_app_mandatory.yaml processed successfully. +./azure/azure_compute_vm_restrict_previous_24_passwords_resuse_windows.yaml processed successfully. +./azure/azure_eventgrid_domain_private_link_used.yaml processed successfully. +./azure/azure_cis_v210_4_1_2.yaml processed successfully. 
+./azure/azure_compute_vm_vulnerability_assessment_solution_enabled.yaml processed successfully. +./azure/azure_securitycenter_additional_email_configured.yaml processed successfully. +./azure/azure_cis_v210_5_1_2.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_mysql_server_mandatory.yaml processed successfully. +./azure/azure_cis_v130_8_1.yaml processed successfully. +./azure/azure_cis_v150_9_8.yaml processed successfully. +./azure/azure_cis_v130_1_2.yaml processed successfully. +./azure/azure_cis_v130_1_13.yaml processed successfully. +./azure/azure_cis_v210_3_15.yaml processed successfully. +./azure/azure_storage_account_encryption_at_rest_using_cmk.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_compute_availability_set_mandatory.yaml processed successfully. +./azure/azure_compute_vm_password_complexity_setting_enabled_windows.yaml processed successfully. +./azure/azure_cis_v140_1_5.yaml processed successfully. +./azure/azure_cis_v210_7_3.yaml processed successfully. +./azure/azure_cis_v140_8_6.yaml processed successfully. +./azure/azure_monitor_application_insights_configured.yaml processed successfully. +./azure/azure_frontdoor_waf_enabled.yaml processed successfully. +./azure/azure_appservice_web_app_latest_dotnet_framework_version.yaml processed successfully. +./azure/azure_cis_v150_5_2_1.yaml processed successfully. +./azure/azure_cis_v150_2_1_3.yaml processed successfully. +./azure/azure_appservice_web_app_latest_http_version.yaml processed successfully. +./azure/azure_cis_v140_1_18.yaml processed successfully. +./azure/azure_cis_v210_3_4.yaml processed successfully. +./azure/azure_cis_v200_10_1.yaml processed successfully. +./azure/azure_cis_v200_2_1_14.yaml processed successfully. +./azure/azure_cis_v200_3_10.yaml processed successfully. +./azure/azure_cis_v200_5_1_7.yaml processed successfully. +./azure/azure_cis_v130_9_5.yaml processed successfully. 
+./azure/azure_appservice_web_app_http_logs_enabled.yaml processed successfully. +./azure/azure_cis_v140_9_2.yaml processed successfully. +./azure/azure_cis_v210_6_7.yaml processed successfully. +./azure/azure_mariadb_server_geo_redundant_backup_enabled.yaml processed successfully. +./azure/azure_kubernetes_cluster_network_policy_enabled.yaml processed successfully. +./azure/azure_postgres_db_server_log_connections_on.yaml processed successfully. +./azure/azure_compute_vm_secure_communication_protocols_configured.yaml processed successfully. +./azure/azure_compute_vm_min_password_age_1_day_windows.yaml processed successfully. +./azure/azure_cis_v210_2_1_19.yaml processed successfully. +./azure/azure_cis_v130_2_15.yaml processed successfully. +./azure/azure_sql_database_allow_internet_access.yaml processed successfully. +./azure/azure_cis_v140_5_2_8.yaml processed successfully. +./azure/azure_cis_v140_3_4.yaml processed successfully. +./azure/azure_cis_v140_1_22.yaml processed successfully. +./azure/azure_cis_v130_3_3.yaml processed successfully. +./azure/azure_cis_v200_5_2_2.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_tcp_port_23.yaml processed successfully. +./azure/azure_appservice_web_app_uses_managed_identity.yaml processed successfully. +./azure/azure_cis_v210_1_12.yaml processed successfully. +./azure/azure_iam_user_no_built_in_contributor_role.yaml processed successfully. +./azure/azure_monitor_log_profile_enabled_for_all_categories.yaml processed successfully. +./azure/azure_cis_v210_1_5.yaml processed successfully. +./azure/azure_cis_v140_7_3.yaml processed successfully. +./azure/azure_cis_v210_8_6.yaml processed successfully. +./azure/azure_compute_vm_meet_security_option_requirement_windows.yaml processed successfully. +./azure/azure_cis_v200_9_8.yaml processed successfully. +./azure/azure_cis_v130_7_4.yaml processed successfully. +./azure/azure_cis_v150_2_3_2.yaml processed successfully. 
+./azure/azure_mandatory_sql_resource_group_mariadb_server_mandatory.yaml processed successfully. +./azure/azure_securitycenter_azure_defender_on_for_keyvault.yaml processed successfully. +./azure/azure_compute_vm_meet_security_options_network_access_requirement_windows.yaml processed successfully. +./azure/azure_monitor_logs_storage_container_insights_operational_logs_not_public_accessible.yaml processed successfully. +./azure/azure_automation_account_variable_encryption_enabled.yaml processed successfully. +./azure/azure_sql_server_va_setting_reports_notify_admins.yaml processed successfully. +./azure/azure_securitycenter_azure_defender_on_for_containerregistry.yaml processed successfully. +./azure/azure_compute_vm_with_no_specified_certificates_in_trusted_root_windows.yaml processed successfully. +./azure/azure_app_service_environment_internal_encryption_enabled.yaml processed successfully. +./azure/azure_cis_v130_2_7.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_servicebus_namespace_mandatory.yaml processed successfully. +./azure/azure_network_security_group_https_access_restricted.yaml processed successfully. +./azure/azure_cis_v210_9_2.yaml processed successfully. +./azure/azure_cis_v210_1_2_5.yaml processed successfully. +./azure/azure_securitycenter_azure_defender_on_for_sqldb.yaml processed successfully. +./azure/azure_cis_v200_1_17.yaml processed successfully. +./azure/azure_cis_v150_4_1_4.yaml processed successfully. +./azure/azure_compute_vm_utilizing_managed_disk.yaml processed successfully. +./azure/azure_cis_v150_5_1_5.yaml processed successfully. +./azure/azure_compute_vm_network_traffic_data_collection_linux_agent_installed.yaml processed successfully. +./azure/azure_cis_v150_9_11.yaml processed successfully. +./azure/azure_cis_v130_6_1.yaml processed successfully. +./azure/azure_cis_v150_4_1_5.yaml processed successfully. +./azure/azure_monitor_log_alert_create_policy_assignment.yaml processed successfully. 
+./azure/azure_cis_v140_6_6.yaml processed successfully.
+./azure/azure_cis_v210_9_3.yaml processed successfully.
+./azure/azure_eventhub_namespace_private_link_used.yaml processed successfully.
+./azure/azure_cis_v210_1_2_4.yaml processed successfully.
+./azure/azure_cis_v200_1_16.yaml processed successfully.
+./azure/azure_cis_v150_4_5_2.yaml processed successfully.
+./azure/azure_cis_v130_2_6.yaml processed successfully.
+./azure/azure_sql_db_public_network_access_disabled.yaml processed successfully.
+./azure/azure_network_public_ip_no_basic_sku.yaml processed successfully.
+./azure/azure_cis_v200_4_3_7.yaml processed successfully.
+./azure/azure_data_factory_encrypted_with_cmk.yaml processed successfully.
+./azure/azure_cis_v140_2_1.yaml processed successfully.
+./azure/azure_cognitive_account_encrypted_with_cmk.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_firewall_mandatory.yaml processed successfully.
+./azure/azure_eventgrid_topic_identity_provider_enabled.yaml processed successfully.
+./azure/azure_cis_v210_2_1_22.yaml processed successfully.
+./azure/azure_storage_account_blob_service_logging_enabled.yaml processed successfully.
+./azure/azure_signalr_service_no_free_tier_sku.yaml processed successfully.
+./azure/azure_cis_v200_9_9.yaml processed successfully.
+./azure/azure_cis_v130_7_5.yaml processed successfully.
+./azure/azure_batch_account_identity_provider_enabled.yaml processed successfully.
+./azure/azure_cis_v150_2_3_3.yaml processed successfully.
+./azure/azure_cis_v210_1_13.yaml processed successfully.
+./azure/azure_kubernetes_cluster_addon_azure_policy_enabled.yaml processed successfully.
+./azure/azure_network_bastion_host_min_1.yaml processed successfully.
+./azure/azure_cis_v210_1_4.yaml processed successfully.
+./azure/azure_cis_v140_7_2.yaml processed successfully.
+./azure/azure_compute_vm_passwords_stored_using_reversible_encryption_windows.yaml processed successfully.
+./azure/azure_servicebus_namespace_no_overly_permissive_network_access.yaml processed successfully.
+./azure/azure_cis_v130_3_2.yaml processed successfully.
+./azure/azure_cis_v200_5_2_3.yaml processed successfully.
+./azure/azure_cis_v200_2_1_1.yaml processed successfully.
+./azure/azure_storage_account_min_tls_1_2.yaml processed successfully.
+./azure/azure_cis_v140_5_2_9.yaml processed successfully.
+./azure/azure_recovery_service_vault_encrypted_with_cmk.yaml processed successfully.
+./azure/azure_cis_v130_2_14.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_cosmosdb_account_mandatory.yaml processed successfully.
+./azure/azure_network_ddos_enabled.yaml processed successfully.
+./azure/azure_cis_v210_2_1_18.yaml processed successfully.
+./azure/azure_appservice_web_app_failed_request_tracing_enabled.yaml processed successfully.
+./azure/azure_cis_v200_4_5_1.yaml processed successfully.
+./azure/azure_sql_server_uses_private_link.yaml processed successfully.
+./azure/azure_network_security_group_restrict_inbound_udp_port_138.yaml processed successfully.
+./azure/azure_cis_v210_6_6.yaml processed successfully.
+./azure/azure_cis_v140_9_3.yaml processed successfully.
+./azure/azure_appservice_web_app_client_certificates_on.yaml processed successfully.
+./azure/azure_cis_v200_3_11.yaml processed successfully.
+./azure/azure_kubernetes_cluster_privilege_containers_restricted.yaml processed successfully.
+./azure/azure_cis_v200_5_1_6.yaml processed successfully.
+./azure/azure_cis_v150_2_4_1.yaml processed successfully.
+./azure/azure_cis_v130_9_4.yaml processed successfully.
+./azure/azure_iam_user_not_allowed_to_create_security_group.yaml processed successfully.
+./azure/azure_compute_vm_container_security_configurations_vulnerabilities_remediated.yaml processed successfully.
+./azure/azure_cis_v210_1_1_1.yaml processed successfully.
+./azure/azure_cis_v140_1_19.yaml processed successfully.
+./azure/azure_cis_v210_3_5.yaml processed successfully.
+./azure/azure_cis_v140_5_3.yaml processed successfully.
+./azure/azure_cis_v200_2_1_15.yaml processed successfully.
+./azure/azure_cis_v210_2_1_8.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_network_interface_mandatory.yaml processed successfully.
+./azure/azure_cis_v150_2_1_2.yaml processed successfully.
+./azure/azure_monitor_diagnostic_settings_captures_proper_categories.yaml processed successfully.
+./azure/azure_cis_v140_1_4.yaml processed successfully.
+./azure/azure_cis_v140_8_7.yaml processed successfully.
+./azure/azure_cis_v210_7_2.yaml processed successfully.
+./azure/azure_compute_vm_and_sacle_set_encryption_at_host_enabled.yaml processed successfully.
+./azure/azure_cis_v150_9_9.yaml processed successfully.
+./azure/azure_appservice_function_app_remote_debugging_disabled.yaml processed successfully.
+./azure/azure_cis_v130_1_3.yaml processed successfully.
+./azure/azure_cis_v130_1_12.yaml processed successfully.
+./azure/azure_mysql_ssl_enabled.yaml processed successfully.
+./azure/azure_cis_v210_3_14.yaml processed successfully.
+./azure/azure_network_security_group_outbound_access_restricted.yaml processed successfully.
+./azure/azure_compute_vm_temp_disks_cache_and_data_flows_encrypted.yaml processed successfully.
+./azure/azure_mysql_server_infrastructure_encryption_enabled.yaml processed successfully.
+./azure/azure_cis_v210_2_2_1.yaml processed successfully.
+./azure/azure_cis_v210_5_1_3.yaml processed successfully.
+./azure/azure_mysql_server_min_tls_1_2.yaml processed successfully.
+./azure/azure_cis_v200_8_1.yaml processed successfully.
+./azure/azure_cis_v150_7_4.yaml processed successfully.
+./azure/azure_eventgrid_domain_restrict_public_access.yaml processed successfully.
+./azure/azure_compute_vm_log_analytics_agent_installed.yaml processed successfully.
+./azure/azure_cis_v150_1_2_2.yaml processed successfully.
+./azure/azure_securitycenter_automatic_provisioning_monitoring_agent_on.yaml processed successfully.
+./azure/azure_servicebus_use_virtual_service_endpoint.yaml processed successfully.
+./azure/azure_postgres_db_server_log_disconnections_on.yaml processed successfully.
+./azure/azure_cis_v140_4_3_1.yaml processed successfully.
+./azure/azure_monitor_log_alert_create_update_security_solution.yaml processed successfully.
+./azure/azure_cis_v130_4_3_2.yaml processed successfully.
+./azure/azure_cis_v150_3_3.yaml processed successfully.
+./azure/azure_container_registry_encrypted_with_cmk.yaml processed successfully.
+./azure/azure_cosmosdb_account_uses_private_link.yaml processed successfully.
+./azure/azure_kusto_cluster_sku_with_sla.yaml processed successfully.
+./azure/azure_cis_v210_1_8.yaml processed successfully.
+./azure/azure_network_security_group_udp_service_restricted.yaml processed successfully.
+./azure/azure_application_insights_block_log_ingestion_and_querying_from_public.yaml processed successfully.
+./azure/azure_data_factory_uses_private_link.yaml processed successfully.
+./azure/azure_cis_v200_9_5.yaml processed successfully.
+./azure/azure_cis_v140_5_2_5.yaml processed successfully.
+./azure/azure_kubernetes_cluster_upgraded_with_non_vulnerable_version.yaml processed successfully.
+./azure/azure_network_security_group_restrict_inbound_tcp_port_3306.yaml processed successfully.
+./azure/azure_cis_v140_3_9.yaml processed successfully.
+./azure/azure_sql_database_long_term_geo_redundant_backup_enabled.yaml processed successfully.
+./azure/azure_compute_vm_guest_configuration_installed.yaml processed successfully.
+./azure/azure_cis_v200_1_1_4.yaml processed successfully.
+./azure/azure_cis_v130_5_2_6.yaml processed successfully.
+./azure/azure_cis_v140_3_12.yaml processed successfully.
+./azure/azure_cis_v210_2_1_14.yaml processed successfully.
+./azure/azure_storage_account_uses_private_link.yaml processed successfully.
+./azure/azure_appservice_web_app_latest_tls_version.yaml processed successfully.
+./azure/azure_iam_no_custom_subscription_owner_roles_created.yaml processed successfully.
+./azure/azure_compute_vm_security_configuration_vulnerabilities_remediated.yaml processed successfully.
+./azure/azure_mariadb_server_ssl_enabled.yaml processed successfully.
+./azure/azure_cis_v150_4_3_8.yaml processed successfully.
+./azure/azure_cis_v200_3_3.yaml processed successfully.
+./azure/azure_compute_vm_guest_configuration_with_no_managed_identity.yaml processed successfully.
+./azure/azure_iam_user_not_allowed_to_register_application.yaml processed successfully.
+./azure/azure_cis_v150_1_10.yaml processed successfully.
+./azure/azure_recovery_service_vault_uses_private_link.yaml processed successfully.
+./azure/azure_cis_v140_2_13.yaml processed successfully.
+./azure/azure_cis_v200_1_2_1.yaml processed successfully.
+./azure/azure_cis_v200_1_20.yaml processed successfully.
+./azure/azure_cis_v130_9_8.yaml processed successfully.
+./azure/azure_datalake_analytics_account_logging_enabled.yaml processed successfully.
+./azure/azure_cis_v150_8_1.yaml processed successfully.
+./azure/azure_cis_v200_7_4.yaml processed successfully.
+./azure/azure_cis_v130_5_1_3.yaml processed successfully.
+./azure/azure_batch_account_logging_enabled.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_batch_account_mandatory.yaml processed successfully.
+./azure/azure_compute_vm_scale_set_ssh_key_authentication_linux.yaml processed successfully.
+./azure/azure_monitor_log_alert_delete_security_solution.yaml processed successfully.
+./azure/azure_compute_vm_meet_security_baseline_requirements_windows.yaml processed successfully.
+./azure/azure_cis_v200_2_1_19.yaml processed successfully.
+./azure/azure_cis_v210_3_9.yaml processed successfully.
+./azure/azure_cis_v140_1_15.yaml processed successfully.
+./azure/azure_cis_v210_5_2_6.yaml processed successfully.
+./azure/azure_cis_v210_2_1_4.yaml processed successfully.
+./azure/azure_cis_v150_9_5.yaml processed successfully.
+./azure/azure_compute_disk_unattached_encrypted_with_cmk.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_key_vault_mandatory.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_logic_app_workflow_mandatory.yaml processed successfully.
+./azure/azure_cis_v210_1_25.yaml processed successfully.
+./azure/azure_compute_vm_password_file_permissions_0644_linux.yaml processed successfully.
+./azure/azure_storage_account_block_public_access.yaml processed successfully.
+./azure/azure_arc_compute_machine_windows_log_analytics_agent_installed.yaml processed successfully.
+./azure/azure_cis_v200_1_19.yaml processed successfully.
+./azure/azure_securitycenter_azure_defender_on_for_containers.yaml processed successfully.
+./azure/azure_redis_cache_ssl_enabled.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_container_registry_mandatory.yaml processed successfully.
+./azure/azure_cis_v150_1_2_1.yaml processed successfully.
+./azure/azure_cis_v200_8_2.yaml processed successfully.
+./azure/azure_securitycenter_container_image_scan_enabled.yaml processed successfully.
+./azure/azure_compute_vm_guest_configuration_with_user_and_system_assigned_managed_identity.yaml processed successfully.
+./azure/azure_machine_learning_workspace_private_link_used.yaml processed successfully.
+./azure/azure_cis_v130_2_9.yaml processed successfully.
+./azure/azure_cis_v150_3_14.yaml processed successfully.
+./azure/azure_cis_v130_4_3_1.yaml processed successfully.
+./azure/azure_cis_v200_4_3_8.yaml processed successfully.
+./azure/azure_cis_v210_8_8.yaml processed successfully.
+./azure/azure_compute_vm_malware_agent_installed.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_key_vault_key_mandatory.yaml processed successfully.
+./azure/azure_cis_v150_6_3.yaml processed successfully.
+./azure/azure_cis_v200_9_6.yaml processed successfully.
+./azure/azure_container_instance_container_group_in_virtual_network.yaml processed successfully.
+./azure/azure_cis_v140_5_2_6.yaml processed successfully.
+./azure/azure_iot_hub_logging_enabled.yaml processed successfully.
+./azure/azure_cis_v140_3_11.yaml processed successfully.
+./azure/azure_cis_v200_2_1_20.yaml processed successfully.
+./azure/azure_cis_v130_5_2_5.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_route_table_mandatory.yaml processed successfully.
+./azure/azure_automation_account_encrypted_with_cmk.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_network_security_group_mandatory.yaml processed successfully.
+./azure/azure_cis_v210_2_1_17.yaml processed successfully.
+./azure/azure_eventhub_namespace_cmk_encryption_enabled.yaml processed successfully.
+./azure/azure_cis_v210_5_3_1.yaml processed successfully.
+./azure/azure_cis_v210_4_3_1.yaml processed successfully.
+./azure/azure_securitycenter_azure_defender_on_for_k8s.yaml processed successfully.
+./azure/azure_container_registry_uses_private_link.yaml processed successfully.
+./azure/azure_cis_v150_8_2.yaml processed successfully.
+./azure/azure_cis_v200_7_7.yaml processed successfully.
+./azure/azure_cis_v140_2_10.yaml processed successfully.
+./azure/azure_cis_v200_1_2_2.yaml processed successfully.
+./azure/azure_cis_v200_1_23.yaml processed successfully.
+./azure/azure_web_pub_sub_private_link_used.yaml processed successfully.
+./azure/azure_securitycenter_wdatp_integration.yaml processed successfully.
+./azure/azure_sql_server_azure_defender_enabled.yaml processed successfully.
+./azure/azure_network_security_group_restrict_inbound_udp_port_137.yaml processed successfully.
+./azure/azure_cis_v140_5_1_3.yaml processed successfully.
+./azure/azure_kusto_cluster_double_encryption_enabled.yaml processed successfully.
+./azure/azure_cis_v150_1_1_4.yaml processed successfully.
+./azure/azure_keyvault_with_rbac_key_expiration_set.yaml processed successfully.
+./azure/azure_compute_vm_guest_configuration_installed_linux.yaml processed successfully.
+./azure/azure_compute_vm_allowlist_rules_in_adaptive_application_control_policy_updated.yaml processed successfully.
+./azure/azure_cis_v210_5_2_5.yaml processed successfully.
+./azure/azure_cis_v210_2_1_7.yaml processed successfully.
+./azure/azure_cis_v140_1_16.yaml processed successfully.
+./azure/azure_postgres_sql_server_encrypted_at_rest_using_cmk.yaml processed successfully.
+./azure/azure_cis_v200_6_3.yaml processed successfully.
+./azure/azure_cis_v150_9_6.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_api_management_mandatory.yaml processed successfully.
+./azure/azure_appservice_function_app_latest_http_version.yaml processed successfully.
+./azure/azure_spring_cloud_service_network_injection_enabled.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_network_watcher_flow_log_mandatory.yaml processed successfully.
+./azure/azure_compute_vm_vulnerability_findings_resolved_for_sql_server.yaml processed successfully.
+./azure/azure_cis_v130_6_2.yaml processed successfully.
+./azure/azure_cis_v150_5_1_6.yaml processed successfully.
+./azure/azure_cis_v200_1_15.yaml processed successfully.
+./azure/azure_monitor_log_alert_for_administrative_operations.yaml processed successfully.
+./azure/azure_search_service_uses_managed_identity.yaml processed successfully.
+./azure/azure_iam_deprecated_account_with_owner_roles.yaml processed successfully.
+./azure/azure_cis_v210_1_2_7.yaml processed successfully.
+./azure/azure_compute_vm_data_and_os_disk_uses_managed_disk.yaml processed successfully.
+./azure/azure_sql_server_auditing_retention_period_90.yaml processed successfully.
+./azure/azure_cis_v150_1_25.yaml processed successfully.
+./azure/azure_cis_v150_4_5_1.yaml processed successfully.
+./azure/azure_cis_v130_2_5.yaml processed successfully.
+./azure/azure_cis_v210_2_1_21.yaml processed successfully.
+./azure/azure_securitycenter_azure_defender_on_for_server.yaml processed successfully.
+./azure/azure_cis_v140_2_2.yaml processed successfully.
+./azure/azure_eventgrid_domain_identity_provider_enabled.yaml processed successfully.
+./azure/azure_cis_v130_7_6.yaml processed successfully.
+./azure/azure_container_registry_retention_policy_enabled.yaml processed successfully.
+./azure/azure_cis_v210_8_4.yaml processed successfully.
+./azure/azure_arc_compute_machine_linux_log_analytics_agent_installed.yaml processed successfully.
+./azure/azure_cis_v140_7_1.yaml processed successfully.
+./azure/azure_cis_v210_1_7.yaml processed successfully.
+./azure/azure_bot_service_encrypted_with_cmk.yaml processed successfully.
+./azure/azure_monitor_log_alert_delete_nsg_rule.yaml processed successfully.
+./azure/azure_storage_account_blobs_logging_enabled.yaml processed successfully.
+./azure/azure_cis_v210_1_10.yaml processed successfully.
+./azure/azure_securitycenter_pricing_standard.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_compute_disk_encryption_set_mandatory.yaml processed successfully.
+./azure/azure_cis_v130_3_1.yaml processed successfully.
+./azure/azure_storage_account_secure_transfer_required_enabled.yaml processed successfully.
+./azure/azure_network_security_group_restrict_inbound_tcp_port_21.yaml processed successfully.
+./azure/azure_cis_v130_5_2_9.yaml processed successfully.
+./azure/azure_cis_v200_2_1_2.yaml processed successfully.
+./azure/azure_cis_v140_1_20.yaml processed successfully.
+./azure/azure_postgres_db_server_allow_access_to_azure_services_disabled.yaml processed successfully.
+./azure/azure_monitor_log_cluster_infrastructure_encryption_enabled.yaml processed successfully.
+./azure/azure_cis_v140_3_6.yaml processed successfully.
+./azure/azure_keyvault_vault_use_virtual_service_endpoint.yaml processed successfully.
+./azure/azure_securitycenter_asc_default_setting_not_disabled.yaml processed successfully.
+./azure/azure_app_configuration_private_link_used.yaml processed successfully.
+./azure/azure_cis_v150_4_3_7.yaml processed successfully.
+./azure/azure_securitycenter_azure_defender_on_for_opensource_relational_db.yaml processed successfully.
+./azure/azure_cis_v200_4_5_2.yaml processed successfully.
+./azure/azure_network_security_group_ssh_access_restricted.yaml processed successfully.
+./azure/azure_sql_server_use_virtual_service_endpoint.yaml processed successfully.
+./azure/azure_compute_vm_meet_security_options_user_account_control_requirement_windows.yaml processed successfully.
+./azure/azure_monitor_logs_storage_container_insights_activity_logs_not_public_accessible.yaml processed successfully.
+./azure/azure_compute_vm_scale_set_log_analytics_agent_installed.yaml processed successfully.
+./azure/azure_cis_v130_9_7.yaml processed successfully.
+./azure/azure_cis_v150_2_4_2.yaml processed successfully.
+./azure/azure_eventgrid_topic_private_link_used.yaml processed successfully.
+./azure/azure_cis_v200_5_1_5.yaml processed successfully.
+./azure/azure_cis_v200_3_12.yaml processed successfully.
+./azure/azure_compute_vm_azure_backup_enabled.yaml processed successfully.
+./azure/azure_cis_v210_5_2_9.yaml processed successfully.
+./azure/azure_cis_v200_2_1_16.yaml processed successfully.
+./azure/azure_cis_v210_1_1_2.yaml processed successfully.
+./azure/azure_cis_v210_3_6.yaml processed successfully.
+./azure/azure_appservice_web_app_latest_python_version.yaml processed successfully.
+./azure/azure_cis_v150_5_2_3.yaml processed successfully.
+./azure/azure_cis_v150_2_1_1.yaml processed successfully.
+./azure/azure_securitycenter_azure_defender_on_for_sqlservervm.yaml processed successfully.
+./azure/azure_cis_v140_8_4.yaml processed successfully.
+./azure/azure_cis_v210_7_1.yaml processed successfully.
+./azure/azure_cis_v140_1_7.yaml processed successfully.
+./azure/azure_cis_v130_1_11.yaml processed successfully.
+./azure/azure_cis_v130_8_3.yaml processed successfully.
+./azure/azure_compute_os_and_data_disk_encrypted_with_cmk.yaml processed successfully.
+./azure/azure_cis_v210_3_16.yaml processed successfully.
+./azure/azure_cis_v130_1_1.yaml processed successfully.
+./azure/azure_storage_account_table_service_logging_enabled.yaml processed successfully.
+./azure/azure_cis_v130_1_10.yaml processed successfully.
+./azure/azure_cis_v130_8_2.yaml processed successfully.
+./azure/azure_cis_v140_8_5.yaml processed successfully.
+./azure/azure_appservice_web_app_always_on.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_sql_database_mandatory.yaml processed successfully.
+./azure/azure_compute_vm_meet_security_baseline_requirements_linux.yaml processed successfully.
+./azure/azure_cosmosdb_account_virtual_network_filter_enabled.yaml processed successfully.
+./azure/azure_cis_v150_5_2_2.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_public_ip_mandatory.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_key_vault_managed_hardware_security_module_mandatory.yaml processed successfully.
+./azure/azure_keyvault_soft_delete_enabled.yaml processed successfully.
+./azure/azure_cis_v210_5_2_8.yaml processed successfully.
+./azure/azure_container_instance_container_group_secured_environment_variable.yaml processed successfully.
+./azure/azure_network_network_peering_connected.yaml processed successfully.
+./azure/azure_postgres_db_server_geo_redundant_backup_enabled.yaml processed successfully.
+./azure/azure_cis_v200_2_1_17.yaml processed successfully.
+./azure/azure_cis_v210_1_1_3.yaml processed successfully.
+./azure/azure_monitor_log_alert_sql_firewall_rule.yaml processed successfully.
+./azure/azure_cis_v210_3_7.yaml processed successfully.
+./azure/azure_cis_v130_9_6.yaml processed successfully.
+./azure/azure_cis_v200_4_1_4.yaml processed successfully.
+./azure/azure_postgres_db_server_latest_tls_version.yaml processed successfully.
+./azure/azure_cis_v140_9_1.yaml processed successfully.
+./azure/azure_cis_v210_6_4.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_compute_virtual_machine_scale_set_mandatory.yaml processed successfully.
+./azure/azure_compute_vm_uses_azure_resource_manager.yaml processed successfully.
+./azure/azure_compute_vm_adaptive_application_controls_enabled.yaml processed successfully.
+./azure/azure_cis_v200_4_5_3.yaml processed successfully.
+./azure/azure_container_instance_container_group_encrypted_using_cmk.yaml processed successfully.
+./azure/azure_storage_account_restrict_network_access.yaml processed successfully.
+./azure/azure_cis_v140_4_5.yaml processed successfully.
+./azure/azure_storage_account_uses_azure_resource_manager.yaml processed successfully.
+./azure/azure_appservice_function_app_latest_tls_version.yaml processed successfully.
+./azure/azure_cis_v140_3_7.yaml processed successfully.
+./azure/azure_cis_v200_5_2_1.yaml processed successfully.
+./azure/azure_cis_v130_5_2_8.yaml processed successfully.
+./azure/azure_network_security_group_restrict_inbound_tcp_port_20.yaml processed successfully.
+./azure/azure_cis_v200_2_1_3.yaml processed successfully.
+./azure/azure_cis_v140_1_21.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_compute_virtual_machine_mandatory.yaml processed successfully.
+./azure/azure_cis_v210_8_5.yaml processed successfully.
+./azure/azure_cis_v210_1_6.yaml processed successfully.
+./azure/azure_compute_vm_adaptive_network_hardening_recommendation_applied.yaml processed successfully.
+./azure/azure_cis_v210_1_11.yaml processed successfully.
+./azure/azure_cis_v150_2_3_1.yaml processed successfully.
+./azure/azure_hdinsight_cluster_encrypted_at_rest_with_cmk.yaml processed successfully.
+./azure/azure_cis_v130_7_7.yaml processed successfully.
+./azure/azure_network_watcher_enabled.yaml processed successfully.
+./azure/azure_postgres_server_private_link_used.yaml processed successfully.
+./azure/azure_cis_v210_2_1_20.yaml processed successfully.
+./azure/azure_cis_v140_2_3.yaml processed successfully.
+./azure/azure_app_configuration_encryption_enabled.yaml processed successfully.
+./azure/azure_cis_v200_4_3_5.yaml processed successfully.
+./azure/azure_cis_v150_1_24.yaml processed successfully.
+./azure/azure_cis_v130_2_4.yaml processed successfully.
+./azure/azure_cis_v200_1_14.yaml processed successfully.
+./azure/azure_cis_v210_1_2_6.yaml processed successfully.
+./azure/azure_keyvault_vault_recoverable.yaml processed successfully.
+./azure/azure_cis_v210_9_1.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_stream_analytics_job_mandatory.yaml processed successfully.
+./azure/azure_network_sg_flowlog_enabled.yaml processed successfully.
+./azure/azure_cis_v130_6_3.yaml processed successfully.
+./azure/azure_cis_v150_5_1_7.yaml processed successfully.
+./azure/azure_monitor_log_profile_enabled_for_all_regions.yaml processed successfully.
+./azure/azure_cis_v150_9_7.yaml processed successfully.
+./azure/azure_cis_v200_6_2.yaml processed successfully.
+./azure/azure_healthcare_fhir_uses_private_link.yaml processed successfully.
+./azure/azure_monitor_log_alert_create_update_sql_servers_firewall_rule.yaml processed successfully.
+./azure/azure_kubernetes_cluster_pods_and_containers_uses_approved_user_and_group_id.yaml processed successfully.
+./azure/azure_cis_v140_4_4_1.yaml processed successfully.
+./azure/azure_cis_v210_5_2_4.yaml processed successfully.
+./azure/azure_cis_v210_2_1_6.yaml processed successfully.
+./azure/azure_network_watcher_in_regions_with_virtual_network.yaml processed successfully.
+./azure/azure_cis_v140_1_17.yaml processed successfully.
+./azure/azure_cis_v210_9_10.yaml processed successfully.
+./azure/azure_compute_vm_ssh_key_authentication_linux.yaml processed successfully.
+./azure/azure_hdinsight_cluster_encryption_at_host_enabled.yaml processed successfully.
+./azure/azure_cis_v140_5_1_2.yaml processed successfully.
+./azure/azure_ad_guest_user_reviewed_monthly.yaml processed successfully.
+./azure/azure_cis_v140_4_1_2.yaml processed successfully.
+./azure/azure_monitor_log_alert_create_update_nsg.yaml processed successfully.
+./azure/azure_cis_v130_5_1_1.yaml processed successfully.
+./azure/azure_securitycenter_azure_defender_on_for_dns.yaml processed successfully.
+./azure/azure_cis_v200_7_6.yaml processed successfully.
+./azure/azure_cis_v150_8_3.yaml processed successfully.
+./azure/azure_securitycenter_email_configured.yaml processed successfully.
+./azure/azure_cis_v140_2_11.yaml processed successfully.
+./azure/azure_network_security_group_restrict_inbound_tcp_port_445.yaml processed successfully.
+./azure/azure_cis_v200_1_2_3.yaml processed successfully.
+./azure/azure_cis_v200_1_22.yaml processed successfully.
+./azure/azure_compute_vm_account_with_password_linux.yaml processed successfully.
+./azure/azure_cis_v150_1_12.yaml processed successfully.
+./azure/azure_compute_vm_endpoint_protection_agent_installed.yaml processed successfully.
+./azure/azure_servicebus_premium_namespace_cmk_encrypted.yaml processed successfully.
+./azure/azure_cis_v200_3_1.yaml processed successfully.
+./azure/azure_compute_vm_network_traffic_data_collection_windows_agent_installed.yaml processed successfully.
+./azure/azure_cis_v210_2_1_16.yaml processed successfully.
+./azure/azure_cis_v140_3_10.yaml processed successfully.
+./azure/azure_cis_v200_2_1_21.yaml processed successfully.
+./azure/azure_cis_v130_5_2_4.yaml processed successfully.
+./azure/azure_eventgrid_topic_local_auth_enabled.yaml processed successfully.
+./azure/azure_cis_v150_2_5.yaml processed successfully.
+./azure/azure_synapse_workspace_private_link_used.yaml processed successfully.
+./azure/azure_mysql_server_public_network_access_disabled.yaml processed successfully.
+./azure/azure_cis_v130_9_11.yaml processed successfully.
+./azure/azure_cis_v140_5_2_7.yaml processed successfully.
+./azure/azure_cis_v210_4_4_2.yaml processed successfully.
+./azure/azure_cis_v200_9_7.yaml processed successfully.
+./azure/azure_cis_v150_6_2.yaml processed successfully.
+./azure/azure_network_security_group_diagnostic_setting_deployed.yaml processed successfully.
+./azure/azure_iam_subscription_owner_more_than_1.yaml processed successfully.
+./azure/azure_kubernetes_cluster_https_enabled.yaml processed successfully.
+./azure/azure_mssql_managed_instance_encryption_at_rest_using_cmk.yaml processed successfully.
+./azure/azure_cis_v130_2_8.yaml processed successfully.
+./azure/azure_cis_v150_3_1.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_search_service_mandatory.yaml processed successfully.
+./azure/azure_cis_v150_3_15.yaml processed successfully.
+./azure/azure_cis_v150_7_6.yaml processed successfully.
+./azure/azure_cis_v200_8_3.yaml processed successfully.
+./azure/azure_cis_v210_5_1_1.yaml processed successfully.
+./azure/azure_cis_v200_1_18.yaml processed successfully.
+./azure/azure_application_gateway_waf_uses_specified_mode.yaml processed successfully.
+./azure/azure_compute_vm_guest_configuration_with_system_assigned_managed_identity.yaml processed successfully.
+./azure/azure_cis_v150_2_2_2.yaml processed successfully.
+./azure/azure_cis_v200_8_8.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_lb_mandatory.yaml processed successfully.
+./azure/azure_cis_v200_1_13.yaml processed successfully.
+./azure/azure_cis_v140_6_3.yaml processed successfully.
+./azure/azure_cis_v210_9_6.yaml processed successfully.
+./azure/azure_cis_v210_1_2_1.yaml processed successfully.
+./azure/azure_keyvault_purge_protection_enabled.yaml processed successfully.
+./azure/azure_cis_v130_2_3.yaml processed successfully.
+./azure/azure_kubernetes_cluster_add_on_azure_policy_enabled.yaml processed successfully.
+./azure/azure_network_security_group_restrict_inbound_udp_port_445.yaml processed successfully.
+./azure/azure_cis_v150_1_23.yaml processed successfully.
+./azure/azure_storage_account_soft_delete_enabled.yaml processed successfully.
+./azure/azure_cis_v140_4_3_8.yaml processed successfully.
+./azure/azure_mssql_managed_instance_vulnerability_assessment_enabled.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_app_service_plan_mandatory.yaml processed successfully.
+./azure/azure_cis_v140_2_4.yaml processed successfully.
+./azure/azure_monitor_log_alert_delete_nsg.yaml processed successfully.
+./azure/azure_search_service_replica_count_3.yaml processed successfully.
+./azure/azure_cis_v140_9_11.yaml processed successfully.
+./azure/azure_cis_v130_3_10.yaml processed successfully.
+./azure/azure_cis_v210_8_2.yaml processed successfully.
+./azure/azure_cis_v140_7_7.yaml processed successfully.
+./azure/azure_sql_server_auditing_on.yaml processed successfully.
+./azure/azure_cis_v210_1_16.yaml processed successfully.
+./azure/azure_cis_v150_4_4_3.yaml processed successfully.
+./azure/azure_cis_v130_3_7.yaml processed successfully.
+./azure/azure_cis_v200_2_1_4.yaml processed successfully.
+./azure/azure_cis_v200_5_2_6.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_network_watcher_mandatory.yaml processed successfully.
+./azure/azure_appservice_function_app_restrict_public_acces.yaml processed successfully.
+./azure/azure_cis_v150_1_19.yaml processed successfully.
+./azure/azure_cis_v130_2_11.yaml processed successfully.
+./azure/azure_recovery_service_vault_uses_managed_identity.yaml processed successfully.
+./azure/azure_cis_v150_4_3_1.yaml processed successfully.
+./azure/azure_network_watcher_flow_log_enabled.yaml processed successfully.
+./azure/azure_iam_user_with_owner_permission_on_subscription_mfa_enabled.yaml processed successfully.
+./azure/azure_cis_v210_6_3.yaml processed successfully.
+./azure/azure_cis_v140_9_6.yaml processed successfully.
+./azure/azure_mandatory_sql_resource_group_compute_snapshot_mandatory.yaml processed successfully.
+./azure/azure_appservice_web_app_incoming_client_cert_on.yaml processed successfully.
+./azure/azure_postgresql_server_public_network_access_disabled.yaml processed successfully.
+./azure/azure_cis_v200_5_1_3.yaml processed successfully.
+./azure/azure_cis_v200_2_2_1.yaml processed successfully.
+./azure/azure_cis_v130_9_1.yaml processed successfully.
+./azure/azure_cis_v150_8_8.yaml processed successfully.
+./azure/azure_appservice_ftp_deployment_disabled.yaml processed successfully.
+./azure/azure_compute_vm_guest_configuration_installed_windows.yaml processed successfully.
+./azure/azure_cis_v200_3_14.yaml processed successfully.
+./azure/azure_network_security_group_restrict_inbound_tcp_port_5432.yaml processed successfully.
+./azure/azure_databox_job_unlock_password_encrypted_with_cmk.yaml processed successfully.
+./azure/azure_sql_server_and_databases_va_enabled.yaml processed successfully.
+./azure/azure_monitor_log_alert_create_update_nsg_rule.yaml processed successfully.
+./azure/azure_cis_v210_1_1_4.yaml processed successfully.
+./azure/azure_sql_database_transparent_data_encryption_enabled.yaml processed successfully.
+./azure/azure_kubernetes_cluster_restrict_public_access.yaml processed successfully.
+./azure/azure_cis_v150_2_1_7.yaml processed successfully.
+./azure/azure_cis_v150_5_2_5.yaml processed successfully.
+./azure/azure_cis_v140_1_1.yaml processed successfully.
+./azure/azure_cis_v140_8_2.yaml processed successfully.
+./azure/azure_cis_v210_7_7.yaml processed successfully.
+./azure/azure_sql_server_va_setting_periodic_scan_enabled.yaml processed successfully.
+./azure/azure_container_registry_vulnerabilities_remediated.yaml processed successfully. +./azure/azure_compute_os_and_data_disk_encrypted_with_cmk_and_platform_managed.yaml processed successfully. +./azure/azure_cis_v210_3_11.yaml processed successfully. +./azure/azure_iam_external_user_with_read_permission.yaml processed successfully. +./azure/azure_cis_v130_8_5.yaml processed successfully. +./azure/azure_cis_v130_1_6.yaml processed successfully. +./azure/azure_cis_v130_1_17.yaml processed successfully. +./azure/azure_search_service_logging_enabled.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_compute_image_mandatory.yaml processed successfully. +./azure/azure_cis_v210_5_1_6.yaml processed successfully. +./azure/azure_cis_v200_8_4.yaml processed successfully. +./azure/azure_compute_vm_tcp_udp_access_restricted_internet.yaml processed successfully. +./azure/azure_cis_v150_7_1.yaml processed successfully. +./azure/azure_cis_v200_1_7.yaml processed successfully. +./azure/azure_cis_v210_4_5_1.yaml processed successfully. +./azure/azure_cis_v140_2_8.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_tcp_port_5500.yaml processed successfully. +./azure/azure_synapse_workspace_data_exfiltration_protection_enabled.yaml processed successfully. +./azure/azure_appservice_web_app_diagnostic_logs_enabled.yaml processed successfully. +./azure/azure_cis_v150_3_12.yaml processed successfully. +./azure/azure_network_virtual_network_gateway_no_basic_sku.yaml processed successfully. +./azure/azure_appservice_web_app_slot_use_https.yaml processed successfully. +./azure/azure_keyvault_firewall_enabled.yaml processed successfully. +./azure/azure_cis_v150_3_6.yaml processed successfully. +./azure/azure_cis_v130_1_21.yaml processed successfully. +./azure/azure_datalake_store_account_logging_enabled.yaml processed successfully. +./azure/azure_cis_v150_2_1_12.yaml processed successfully. 
+./azure/azure_storage_account_geo_redundant_enabled.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_tcp_port_5900.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_eventhub_namespace_mandatory.yaml processed successfully. +./azure/azure_sql_server_azure_ad_authentication_enabled.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_sql_server_mandatory.yaml processed successfully. +./azure/azure_cis_v130_5_2_3.yaml processed successfully. +./azure/azure_cis_v200_2_1_8.yaml processed successfully. +./azure/azure_stream_analytics_job_logging_enabled.yaml processed successfully. +./azure/azure_network_security_group_rdp_access_restricted.yaml processed successfully. +./azure/azure_cis_v200_1_1_1.yaml processed successfully. +./azure/azure_network_subnet_protected_by_firewall.yaml processed successfully. +./azure/azure_cis_v200_3_6.yaml processed successfully. +./azure/azure_cis_v210_2_1_11.yaml processed successfully. +./azure/azure_cis_v150_1_15.yaml processed successfully. +./azure/azure_compute_vm_attached_with_network.yaml processed successfully. +./azure/azure_cis_v210_4_3_7.yaml processed successfully. +./azure/azure_cis_v150_8_4.yaml processed successfully. +./azure/azure_cis_v200_7_1.yaml processed successfully. +./azure/azure_cis_v150_1_7.yaml processed successfully. +./azure/azure_cis_v200_1_2_4.yaml processed successfully. +./azure/azure_iam_external_user_with_write_permission.yaml processed successfully. +./azure/azure_appservice_web_app_use_https.yaml processed successfully. +./azure/azure_cis_v200_1_25.yaml processed successfully. +./azure/azure_compute_vm_system_updates_installed.yaml processed successfully. +./azure/azure_cis_v140_5_1_5.yaml processed successfully. +./azure/azure_servicebus_name_space_private_link_used.yaml processed successfully. +./azure/azure_cis_v150_1_1_2.yaml processed successfully. +./azure/azure_cis_v150_5_2_9.yaml processed successfully. 
+./azure/azure_iam_external_user_with_owner_role.yaml processed successfully. +./azure/azure_kubernetes_cluster_logging_enabled.yaml processed successfully. +./azure/azure_cis_v210_2_1_1.yaml processed successfully. +./azure/azure_cis_v210_5_2_3.yaml processed successfully. +./azure/azure_mandatory_sql_subscription_resource_group_mandatory.yaml processed successfully. +./azure/azure_cis_v140_1_10.yaml processed successfully. +./azure/azure_monitor_log_analytics_workspace_integrated_with_encrypted_storage_account.yaml processed successfully. +./azure/azure_cis_v210_1_20.yaml processed successfully. +./azure/azure_cis_v210_5_2_10.yaml processed successfully. +./azure/azure_app_configuration_sku_standard.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_redis_cache_mandatory.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_virtual_network_mandatory.yaml processed successfully. +./azure/azure_iam_user_not_allowed_to_create_tenants.yaml processed successfully. +./azure/azure_appservice_web_app_latest_php_version.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_express_route_circuit_mandatory.yaml processed successfully. +./azure/azure_cis_v210_1_21.yaml processed successfully. +./azure/azure_network_security_group_restrict_inbound_icmp_port.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_key_vault_deleted_vault_mandatory.yaml processed successfully. +./azure/azure_cis_v150_9_1.yaml processed successfully. +./azure/azure_cis_v200_6_4.yaml processed successfully. +./azure/azure_keyvault_vault_public_network_access_disabled.yaml processed successfully. +./azure/azure_cis_v210_5_2_2.yaml processed successfully. +./azure/azure_kubernetes_cluster_network_plugin_azure.yaml processed successfully. +./azure/azure_cis_v140_1_11.yaml processed successfully. +./azure/azure_appservice_function_app_latest_python_version.yaml processed successfully. 
+./azure/azure_cis_v150_1_1_3.yaml processed successfully. +./azure/azure_cis_v150_5_2_8.yaml processed successfully. +./azure/azure_servicebus_namespace_azure_ad_authentication_enabled.yaml processed successfully. +./azure/azure_kubernetes_cluster_pod_use_approved_host_network_and_port_range.yaml processed successfully. +./azure/azure_compute_vm_jit_access_protected.yaml processed successfully. +./azure/azure_cis_v150_8_5.yaml processed successfully. +./azure/azure_compute_vm_monitor_missing_endpoint_protection_in_asc.yaml processed successfully. +./azure/azure_keyvault_managed_hms_logging_enabled.yaml processed successfully. +./azure/azure_compute_vm_restrict_remote_connection_from_accounts_without_password_linux.yaml processed successfully. +./azure/azure_cis_v150_1_6.yaml processed successfully. +./azure/azure_cis_v200_1_2_5.yaml processed successfully. +./azure/azure_cis_v200_1_24.yaml processed successfully. +./azure/azure_securitycenter_azure_defender_on_for_cosmosdb.yaml processed successfully. +./azure/azure_iam_subscriptions_with_custom_roles_no_overly_permissive.yaml processed successfully. +./azure/azure_cis_v150_1_14.yaml processed successfully. +./azure/azure_monitor_log_alert_delete_sql_servers_firewall_rule.yaml processed successfully. +./azure/azure_servicebus_namespace_logging_enabled.yaml processed successfully. +./azure/azure_cis_v210_2_1_10.yaml processed successfully. +./azure/azure_cis_v130_5_2_2.yaml processed successfully. +./azure/azure_servicefabric_cluster_active_directory_authentication_enabled.yaml processed successfully. +./azure/azure_cis_v200_2_1_9.yaml processed successfully. +./azure/azure_sql_server_threat_detection_all_enabled.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_iothub_mandatory.yaml processed successfully. +./azure/azure_compute_vm_meet_security_options_requirement_windows.yaml processed successfully. 
+./azure/azure_storage_account_default_network_access_rule_denied.yaml processed successfully. +./azure/azure_kubernetes_cluster_temp_disks_and_agent_node_pool_cache_encrypted_at_host.yaml processed successfully. +./azure/azure_cis_v140_5_2_1.yaml processed successfully. +./azure/azure_securitycenter_azure_defender_on_for_database.yaml processed successfully. +./azure/azure_compute_vm_meet_system_audit_policies_requirement_windows.yaml processed successfully. +./azure/azure_cis_v200_9_1.yaml processed successfully. +./azure/azure_cis_v150_6_4.yaml processed successfully. +./azure/azure_cis_v150_2_1_13.yaml processed successfully. +./azure/azure_iam_no_custom_role.yaml processed successfully. +./azure/azure_cis_v130_1_20.yaml processed successfully. +./azure/azure_redis_cache_no_basic_sku.yaml processed successfully. +./azure/azure_kubernetes_cluster_os_and_data_disks_encrypted_with_cmk.yaml processed successfully. +./azure/azure_data_factory_public_network_access_disabled.yaml processed successfully. +./azure/azure_keyvault_secret_expiration_set.yaml processed successfully. +./azure/azure_compute_vm_image_builder_uses_private_link.yaml processed successfully. +./azure/azure_cis_v150_3_7.yaml processed successfully. +./azure/azure_stream_analytics_job_encrypted_with_cmk.yaml processed successfully. +./azure/azuread_user_should_have_mfa_enabled_with_azure_subscription_role_assignment.yaml processed successfully. +./azure/azure_cis_v140_2_9.yaml processed successfully. +./azure/azure_appservice_api_app_uses_managed_identity.yaml processed successfully. +./azure/azure_cis_v150_1_2_6.yaml processed successfully. +./azure/azure_cis_v200_8_5.yaml processed successfully. +./azure/azure_container_registry_public_network_access_disabled.yaml processed successfully. +./azure/azure_iam_user_with_write_permission_on_subscription_mfa_enabled.yaml processed successfully. +./azure/azure_compute_vm_meet_firewall_properties_windows.yaml processed successfully. 
+./azure/azure_compute_vm_scale_set_security_configuration_vulnerabilities_remediated.yaml processed successfully. +./azure/azure_cis_v200_1_6.yaml processed successfully. +./azure/azure_mysql_server_audit_logging_events_connection_set.yaml processed successfully. +./azure/azure_mysql_server_private_link_used.yaml processed successfully. +./azure/azure_appservice_web_app_use_virtual_service_endpoint.yaml processed successfully. +./azure/azure_cis_v210_3_10.yaml processed successfully. +./azure/azure_cis_v130_8_4.yaml processed successfully. +./azure/azure_cis_v130_1_7.yaml processed successfully. +./azure/azure_cis_v130_1_16.yaml processed successfully. +./azure/azure_redis_cache_min_tls_1_2.yaml processed successfully. +./azure/azure_recovery_service_vault_uses_private_link_for_backup.yaml processed successfully. +./azure/azure_cognitive_account_restrict_public_access.yaml processed successfully. +./azure/azure_compute_vm_min_password_length_14_windows.yaml processed successfully. +./azure/azure_cis_v210_7_6.yaml processed successfully. +./azure/azure_cis_v140_8_3.yaml processed successfully. +./azure/azure_iam_user_with_read_permission_on_subscription_mfa_enabled.yaml processed successfully. +./azure/azure_cis_v150_2_1_6.yaml processed successfully. +./azure/azure_appservice_function_app_latest_java_version.yaml processed successfully. +./azure/azure_cis_v150_5_2_4.yaml processed successfully. +./azure/azure_cis_v200_4_4_1.yaml processed successfully. +./azure/azure_kubernetes_instance_rbac_enabled.yaml processed successfully. +./azure/azure_cis_v210_3_1.yaml processed successfully. +./azure/azure_cis_v200_2_1_11.yaml processed successfully. +./azure/azure_cis_v200_5_1_2.yaml processed successfully. +./azure/azure_arc_kubernetes_cluster_azure_defender_extension_installed.yaml processed successfully. +./azure/azure_storage_account_encryption_scopes_encrypted_at_rest_with_cmk.yaml processed successfully. +./azure/azure_cis_v200_4_1_2.yaml processed successfully. 
+./azure/azure_kubernetes_cluster_upgrade_channel.yaml processed successfully. +./azure/azure_cis_v200_3_15.yaml processed successfully. +./azure/azure_datalake_store_account_encryption_enabled.yaml processed successfully. +./azure/azure_cis_v140_9_7.yaml processed successfully. +./azure/azure_cis_v210_6_2.yaml processed successfully. +./azure/azure_cis_v200_5_2_10.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_key_vault_secret_mandatory.yaml processed successfully. +./azure/azure_cis_v130_4_4.yaml processed successfully. +./azure/azure_cis_v210_10_1.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_kubernetes_cluster_mandatory.yaml processed successfully. +./azure/azure_cis_v130_2_10.yaml processed successfully. +./azure/azure_iam_conditional_access_mfa_enabled.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_recovery_services_vault_mandatory.yaml processed successfully. +./azure/azure_cis_v140_3_1.yaml processed successfully. +./azure/azure_appservice_function_app_authentication_on.yaml processed successfully. +./azure/azure_appservice_function_app_only_https_accessible.yaml processed successfully. +./azure/azure_appservice_web_app_health_check_enabled.yaml processed successfully. +./azure/azure_servicefabric_cluster_protection_level_as_encrypt_and_sign.yaml processed successfully. +./azure/azure_cis_v130_3_6.yaml processed successfully. +./azure/azure_cis_v150_4_4_2.yaml processed successfully. +./azure/azure_cis_v200_2_1_5.yaml processed successfully. +./azure/azure_cis_v200_5_2_7.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_compute_disk_mandatory.yaml processed successfully. +./azure/azure_appservice_api_app_remote_debugging_disabled.yaml processed successfully. +./azure/azure_hpc_cache_encrypted_with_cmk.yaml processed successfully. +./azure/azure_cis_v130_3_11.yaml processed successfully. +./azure/azure_cis_v140_7_6.yaml processed successfully. 
+./azure/azure_cis_v210_8_3.yaml processed successfully. +./azure/azure_cis_v210_1_17.yaml processed successfully. +./azure/azure_cis_v130_7_1.yaml processed successfully. +./azure/azure_sql_server_atp_enabled.yaml processed successfully. +./azure/azure_postgres_db_server_connection_throttling_on.yaml processed successfully. +./azure/azure_cis_v140_2_5.yaml processed successfully. +./azure/azure_compute_vm_administrators_group_with_no_specified_members_windows.yaml processed successfully. +./azure/azure_cis_v130_2_2.yaml processed successfully. +./azure/azure_redis_cache_in_virtual_network.yaml processed successfully. +./azure/azure_kusto_cluster_encrypted_at_rest_with_cmk.yaml processed successfully. +./azure/azure_cis_v150_1_22.yaml processed successfully. +./azure/azure_mandatory_sql_resource_group_cosmosdb_sql_database_mandatory.yaml processed successfully. +./azure/azure_cis_v200_1_12.yaml processed successfully. +./azure/azure_mysql_db_server_geo_redundant_backup_enabled.yaml processed successfully. +./azure/azure_cis_v210_9_7.yaml processed successfully. +./azure/azure_cis_v140_6_2.yaml processed successfully. +./azure/azure_container_registry_restrict_public_access.yaml processed successfully. +./azure/azure_kubernetes_cluster_service_listen_to_allowed_ports.yaml processed successfully. +./azure/azure_cis_v150_5_1_1.yaml processed successfully. +./azure/azure_cis_v150_2_2_3.yaml processed successfully. +./azure/azure_storage_account_trusted_microsoft_services_enabled.yaml processed successfully. +./azure/azure_kubernetes_cluster_container_with_read_only_root_file_system.yaml processed successfully. +./baseline/azure/storage_account/azure_disable_public_access_to_storage_accounts_with_blob_containers.yaml processed successfully. +./baseline/azure/storage_account/azure_enable_trusted_microsoft_services_for_storage_account_access.yaml processed successfully. +./baseline/azure/storage_account/azure_private_endpoint_in_use.yaml processed successfully. 
+./baseline/azure/storage_account/azure_enable_blob_storage_lifecycle_management.yaml processed successfully. +./baseline/azure/storage_account/azure_disable_anonymous_access_to_blob_containers.yaml processed successfully. +./baseline/azure/storage_account/azure_enable_logging_for_azure_storage_table_service.yaml processed successfully. +./baseline/azure/storage_account/azure_enable_immutable_blob_storage.yaml processed successfully. +./baseline/azure/storage_account/azure_enable_infrastructure_encryption.yaml processed successfully. +./baseline/azure/storage_account/azure_storage_account_encryption_using_customer_managed_keys.yaml processed successfully. +./baseline/azure/storage_account/azure_enable_soft_delete_for_azure_blob_storage.yaml processed successfully. +./baseline/azure/storage_account/azure_enable_logging_for_azure_storage_queue_service.yaml processed successfully. +./baseline/azure/storage_account/azure_check_for_sufficient_soft_deleted_data_retention_period.yaml processed successfully. +./baseline/azure/storage_account/azure_enable_secure_transfer_in_azure_storage.yaml processed successfully. +./baseline/azure/storage_account/azure_configure_minimum_tls_version.yaml processed successfully. +./baseline/azure/storage_account/azure_use_byok_for_storage_account_encryption.yaml processed successfully. +./baseline/azure/storage_account/azure_check_for_publicly_accessible_web_containers.yaml processed successfully. +./baseline/azure/storage_account/azure_enable_logging_for_azure_storage_blob_service.yaml processed successfully. +./baseline/azure/storage_account/azure_limit_storage_account_access_by_ip_address.yaml processed successfully. +./baseline/azure/storage_account/azure_restrict_default_network_access_for_storage_accounts.yaml processed successfully. +./baseline/azure/monitor/azure_monitor_log_all_activities.yaml processed successfully. 
+./baseline/azure/recovery_service/azure_recovery_service_vault_not_publicly_accessible_and_not_encrypted.yaml processed successfully. +./baseline/azure/recovery_service/azure_recovery_service_vault_alert_for_job_failures_enabled.yaml processed successfully. +./baseline/azure/KeyVault/azure_set_azure_secret_key_expiration.yaml processed successfully. +./baseline/azure/KeyVault/azure_app_tier_customer_managed_key_in_use.yaml processed successfully. +./baseline/azure/KeyVault/azure_enable_auditevent_logging_for_azure_key_vaults.yaml processed successfully. +./baseline/azure/KeyVault/azure_web_tier_customer_managed_key_in_use.yaml processed successfully. +./baseline/azure/KeyVault/azure_set_encryption_key_expiration.yaml processed successfully. +./baseline/azure/KeyVault/azure_enable_trusted_microsoft_services_for_key_vault_access.yaml processed successfully. +./baseline/azure/KeyVault/azure_check_for_allowed_certificate_key_types.yaml processed successfully. +./baseline/azure/KeyVault/azure_database_tier_customer_managed_key_in_use.yaml processed successfully. +./baseline/azure/KeyVault/azure_enable_ssl_certificate_auto_renewal.yaml processed successfully. +./baseline/azure/KeyVault/azure_enable_certificate_transparency.yaml processed successfully. +./baseline/azure/KeyVault/azure_restrict_default_network_access_for_azure_key_vaults.yaml processed successfully. +./baseline/azure/KeyVault/azure_check_for_azure_key_vault_secrets_expiration_date.yaml processed successfully. +./baseline/azure/KeyVault/azure_check_for_sufficient_certificate_auto_renewal_period.yaml processed successfully. +./baseline/azure/KeyVault/azure_check_for_azure_key_vault_keys_expiration_date.yaml processed successfully. +./baseline/azure/KeyVault/azure_enable_key_vault_recoverability.yaml processed successfully. +./baseline/azure/KeyVault/azure_check_for_key_vault_full_administrator_permissions.yaml processed successfully. 
+./baseline/azure/KeyVault/azure_check_for_certificate_minimum_key_size.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_accelerated_networking_for_virtual_machines.yaml processed successfully. +./baseline/azure/virtual_machine/azure_disk_encryption_for_boot_disk_volumes.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_backups_for_azure_virtual_machines.yaml processed successfully. +./baseline/azure/virtual_machine/azure_server_side_encryption_for_unattached_disk_using_cmk.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_usage_of_customer_managed_keys_for_virtual_hard_disk_encryption.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_encryption_for_web_tier_disk_volumes.yaml processed successfully. +./baseline/azure/virtual_machine/azure_approved_azure_machine_image_in_use.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_old_virtual_machine_disk_snapshots.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_guest_level_diagnostics_for_virtual_machines.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_usage_of_managed_disk_volumes_for_virtual_machines.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_sufficient_instant_restore_retention_period.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_usage_of_approved_extensions_only.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_installataion_for_latest_os_patches.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_autoscale_notifications.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_sufficient_daily_backup_retention_period.yaml processed successfully. 
+./baseline/azure/virtual_machine/azure_check_for_performance_diagnostics_for_azure_virtual_machines.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_ssh_authentication_type.yaml processed successfully. +./baseline/azure/virtual_machine/azure_disk_encryption_for_non_boot_disk_volumes.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_unattached_virtual_machine_disk_volumes.yaml processed successfully. +./baseline/azure/virtual_machine/azure_disks_should_use_standard_snapshots.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_virtual_machine_boot_diagnostics.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_unused_load_balancers.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_automatic_os_upgrades.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_zone_redundant_virtual_machine_scale_sets.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_associated_load_balancers.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_virtual_machine_access_using_microsoft_entra_id_authentication.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_instance_termination_notifications_for_virtual_machine_scale_sets.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_system_assigned_managed_identities.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_usage_of_byok_for_disk_volumes_encryption.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_usage_of_endpoint_protection.yaml processed successfully. +./baseline/azure/virtual_machine/azure_server_side_encryption_for_boot_disk_using_cmk.yaml processed successfully. +./baseline/azure/virtual_machine/azure_disk_encryption_for_unattached_disk_volumes.yaml processed successfully. 
+./baseline/azure/virtual_machine/azure_check_for_just_in_time_access_for_virtual_machines.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_desired_vm_sku_sizes.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_configure_health_monitoring.yaml processed successfully. +./baseline/azure/virtual_machine/azure_server_side_encryption_for_non_boot_disk_using_cmk.yaml processed successfully. +./baseline/azure/virtual_machine/azure_check_for_automatic_instance_repairs.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_ssh_access.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_telnet_access.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_postgresql_database_access.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_smtp_access.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_oracle_database_access.yaml processed successfully. +./baseline/azure/network/azure_review_network_interfaces_with_ip_forwarding_enabled.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_mysql_database_access.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_netbios_access.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_rdp_access.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_mongodb_access.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_udp_access.yaml processed successfully. +./baseline/azure/network/azure_enable_azure_network_watcher.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_mssql_access.yaml processed successfully. +./baseline/azure/network/azure_check_for_unrestricted_rpc_access.yaml processed successfully. 
+./baseline/azure/network/azure_enable_ddos_standard_protection_for_virtual_networks.yaml processed successfully. +./baseline/azure/aks/azure_secure_access_to_kubernetes_api_server_using_authorized_ip_address_ranges.yaml processed successfully. +./baseline/azure/aks/azure_enable_defender_for_cloud_for_aks_clusters.yaml processed successfully. +./baseline/azure/aks/azure_check_for_kubernetes_version.yaml processed successfully. +./baseline/azure/aks/azure_use_azure_cni_add_on_for_managing_network_resources.yaml processed successfully. +./baseline/azure/aks/azure_use_user_assigned_managed_identities_for_aks_clusters.yaml processed successfully. +./baseline/azure/aks/azure_enable_kubernetes_role_based_access_control.yaml processed successfully. +./baseline/azure/aks/azure_use_microsoft_entra_id_integration_for_aks_clusters.yaml processed successfully. +./baseline/azure/aks/azure_kubernetes_api_version.yaml processed successfully. +./baseline/azure/aks/azure_use_network_contributor_role_for_managing_azure_network_resources.yaml processed successfully. +./baseline/azure/aks/azure_use_system_assigned_managed_identities_for_aks_clusters.yaml processed successfully. +./baseline/azure/cosmosdb/azure_enable_automatic_failover.yaml processed successfully. +./baseline/azure/app_services/azure_disable_plain_ftp_deployment.yaml processed successfully. +./baseline/azure/sql/azure_enable_auditing_for_sql_servers.yaml processed successfully. +./baseline/azure/sql/azure_check_for_unrestricted_sql_database_access.yaml processed successfully. +./baseline/azure/sql/azure_enable_vulnerability_assessment_email_notifications_for_admins_and_subscription_owners.yaml processed successfully. +./baseline/azure/sql/azure_check_for_sufficient_point_in_time_restore_pitr_backup_retention_period.yaml processed successfully. +./baseline/azure/sql/azure_enable_in_transit_encryption_for_mysql_servers.yaml processed successfully. 
+./baseline/azure/sql/azure_enable_auto_failover_groups.yaml processed successfully. +./baseline/azure/sql/azure_enable_transparent_data_encryption_for_sql_managed_instance_using_customer_managed_keys.yaml processed successfully. +./baseline/azure/sql/azure_enable_all_types_of_threat_detection_on_sql_servers.yaml processed successfully. +./baseline/azure/sql/azure_sql_auditing_retention.yaml processed successfully. +./baseline/azure/sql/azure_enable_vulnerability_assessment_periodic_recurring_scans.yaml processed successfully. +./baseline/azure/sql/azure_enable_automatic_tuning_for_sql_database_servers.yaml processed successfully. +./baseline/azure/sql/azure_configure_emails_for_vulnerability_assessment_scan_reports_and_alerts.yaml processed successfully. +./baseline/azure/sql/azure_check_for_publicly_accessible_sql_servers.yaml processed successfully. +./baseline/azure/sql/azure_use_microsoft_entra_admin_for_sql_authentication.yaml processed successfully. +./baseline/azure/sql/azure_use_byok_for_transparent_data_encryption.yaml processed successfully. +./baseline/azure/sql/azure_enable_vulnerability_assessment_for_microsoft_sql_servers.yaml processed successfully. +./baseline/azure/sql/azure_restrict_default_network_access_for_azure_cosmos_db_accounts.yaml processed successfully. +./baseline/azure/sql/azure_configure_audit_action_group_for_sql_server_auditing.yaml processed successfully. +./baseline/azure/sql/azure_advanced_data_security_for_sql_servers.yaml processed successfully. +./baseline/shared/cost/kaytu_mom_cost_growth_15.yaml processed successfully. +./baseline/shared/cost/kaytu_connection_mom_cost_growth.yaml processed successfully. +./baseline/aws/acm_certificate/aws_acm_certificates_with_wildcard_domain_names.yaml processed successfully. +./baseline/aws/acm_certificate/aws_acm_certificates_renewal_7_days_before_expiration.yaml processed successfully. +./baseline/aws/acm_certificate/aws_acm_certificates_validity.yaml processed successfully. 
+./baseline/aws/acm_certificate/aws_acm_certificate_expired.yaml processed successfully. +./baseline/aws/load_balancer/aws_elbv2_glb_minimum_number_of_ec2_target_instances.yaml processed successfully. +./baseline/aws/load_balancer/aws_unused_elastic_load_balancers.yaml processed successfully. +./baseline/aws/load_balancer/aws_internet_facing_elbs.yaml processed successfully. +./baseline/aws/load_balancer/aws_elbv2_alb_security_group.yaml processed successfully. +./baseline/aws/load_balancer/aws_enable_amazon_waf_integration_for_application_load_balancers.yaml processed successfully. +./baseline/aws/load_balancer/aws_enable_support_for_grpc_protocol.yaml processed successfully. +./baseline/aws/load_balancer/aws_elbv2_access_log.yaml processed successfully. +./baseline/aws/load_balancer/aws_configure_multiple_availability_zones_for_load_balancers.yaml processed successfully. +./baseline/aws/load_balancer/aws_elbv2_alb_security_policy.yaml processed successfully. +./baseline/aws/load_balancer/aws_elb_access_log.yaml processed successfully. +./baseline/aws/load_balancer/aws_elb_cross_zone_load_balancing_enabled.yaml processed successfully. +./baseline/aws/load_balancer/aws_enable_cross_zone_load_balancing.yaml processed successfully. +./baseline/aws/load_balancer/aws_internet_facing_elbv2s.yaml processed successfully. +./baseline/aws/load_balancer/aws_elbv2_alb_listener_security.yaml processed successfully. +./baseline/aws/load_balancer/aws_unused_application_load_balancers.yaml processed successfully. +./baseline/aws/load_balancer/aws_elbv2_elastic_load_balancing_deletion_protection.yaml processed successfully. +./baseline/aws/load_balancer/aws_enable_http_to_https_redirect_for_application_load_balancers.yaml processed successfully. +./baseline/aws/load_balancer/aws_unused_gateway_load_balancers.yaml processed successfully. +./baseline/aws/load_balancer/aws_configure_http_desync_mitigation_mode_for_application_load_balancers.yaml processed successfully. 
+./baseline/aws/load_balancer/aws_elb_connection_draining_enabled.yaml processed successfully. +./baseline/aws/load_balancer/aws_enable_deletion_protection.yaml processed successfully. +./baseline/aws/load_balancer/aws_elbv2_nlb_listener_security.yaml processed successfully. +./baseline/aws/load_balancer/aws_elbv2_alb_minimum_number_of_ec2_target_instances.yaml processed successfully. +./baseline/aws/load_balancer/aws_elb_insecure_ssl_protocols.yaml processed successfully. +./baseline/aws/opensearch/aws_encryption_at_rest.yaml processed successfully. +./baseline/aws/opensearch/aws_enable_audit_logs.yaml processed successfully. +./baseline/aws/opensearch/aws_opensearch_version.yaml processed successfully. +./baseline/aws/opensearch/aws_opensearch_domain_in_vpc.yaml processed successfully. +./baseline/aws/opensearch/aws_opensearch_domain_encrypted_with_kms_cmks.yaml processed successfully. +./baseline/aws/opensearch/aws_enable_in_transit_encryption.yaml processed successfully. +./baseline/aws/opensearch/aws_tls_security_policy_version.yaml processed successfully. +./baseline/aws/opensearch/aws_opensearch_slow_logs.yaml processed successfully. +./baseline/aws/opensearch/aws_opensearch_node_to_node_encryption.yaml processed successfully. +./baseline/aws/opensearch/aws_opensearch_zone_awareness_enabled.yaml processed successfully. +./baseline/aws/opensearch/aws_opensearch_dedicated_master_enabled.yaml processed successfully. +./baseline/aws/opensearch/aws_opensearch_domain_exposed.yaml processed successfully. +./baseline/aws/opensearch/aws_opensearch_accessible_only_from_safelisted_ip_addresses.yaml processed successfully. +./baseline/aws/ecr/aws_ecr_repository_exposed.yaml processed successfully. +./baseline/aws/ecr/aws_lifecycle_policy_in_use.yaml processed successfully. +./baseline/aws/ecr/aws_enable_scan_on_push_for_ecr_container_images.yaml processed successfully. +./baseline/aws/ecr/aws_enable_cross_region_replication.yaml processed successfully. 
+./baseline/aws/dynamoDb/aws_unused_dynamodb_table.yaml processed successfully. +./baseline/aws/ecs/aws_ecs_task_log_driver_in_use.yaml processed successfully. +./baseline/aws/ecs/aws_enable_cloudwatch_container_insights.yaml processed successfully. +./baseline/aws/ecs/aws_check_for_amazon_ecs_service_placement_strategy.yaml processed successfully. +./baseline/aws/ecs/aws_check_for_ecs_container_instance_agent_version.yaml processed successfully. +./baseline/aws/ecs/aws_check_for_fargate_platform_version.yaml processed successfully. +./baseline/aws/fsx/aws_use_kms_customer_master_keys_for_fsx_windows_file_server_file_systems.yaml processed successfully. +./baseline/aws/ebs/aws_use_io2_not_io1.yaml processed successfully. +./baseline/aws/ebs/aws_ebs_encrypted.yaml processed successfully. +./baseline/aws/ebs/aws_ebs_snapshot_encrypted.yaml processed successfully. +./baseline/aws/ebs/aws_ebs_volume_unused.yaml processed successfully. +./baseline/aws/ebs/aws_ebs_public_snapshots.yaml processed successfully. +./baseline/aws/ebs/aws_use_gp3_not_gp2.yaml processed successfully. +./baseline/aws/ebs/aws_ebs_volumes_too_old_snapshots.yaml processed successfully. +./baseline/aws/ebs/aws_ebs_volumes_attached_to_stopped_ec2_instances.yaml processed successfully. +./baseline/aws/ebs/aws_ebs_encrypted_with_kms_customer_master_keys.yaml processed successfully. +./baseline/aws/IAM/aws_ssh_public_keys_rotated_45_days.yaml processed successfully. +./baseline/aws/IAM/aws_iam_user_policies.yaml processed successfully. +./baseline/aws/IAM/aws_root_mfa_enabled.yaml processed successfully. +./baseline/aws/IAM/aws_iam_policies_with_effect_set_to_allow_and_notaction.yaml processed successfully. +./baseline/aws/IAM/aws_iam_users_with_administrative_privileges.yaml processed successfully. +./baseline/aws/IAM/aws_iam_group_with_inline_policies.yaml processed successfully. +./baseline/aws/IAM/aws_iam_access_analyzer_in_use.yaml processed successfully. 
+./baseline/aws/IAM/aws_mfa_device_deactivated.yaml processed successfully. +./baseline/aws/IAM/aws_inactive_iam_console_user.yaml processed successfully. +./baseline/aws/IAM/aws_iam_users_unauthorized_to_edit_access_policies.yaml processed successfully. +./baseline/aws/IAM/aws_root_account_access_keys_present.yaml processed successfully. +./baseline/aws/IAM/aws_check_for_overly_permissive_iam_group_policies.yaml processed successfully. +./baseline/aws/IAM/aws_enforce_infrastructure_as_code_using_iam_policies.yaml processed successfully. +./baseline/aws/IAM/aws_credentials_last_used.yaml processed successfully. +./baseline/aws/IAM/aws_allow_iam_users_to_change_their_own_password.yaml processed successfully. +./baseline/aws/IAM/aws_check_for_individual_iam_users.yaml processed successfully. +./baseline/aws/IAM/aws_unnecessary_ssh_public_keys.yaml processed successfully. +./baseline/aws/IAM/aws_unnecessary_access_keys.yaml processed successfully. +./baseline/aws/IAM/aws_expired_ssl_tls_certificate.yaml processed successfully. +./baseline/aws/IAM/aws_access_keys_during_initial_iam_user_setup.yaml processed successfully. +./baseline/aws/IAM/aws_iam_user_password_expiry_30_days.yaml processed successfully. +./baseline/aws/IAM/aws_iam_password_policy.yaml processed successfully. +./baseline/aws/IAM/aws_approved_ecs_execute_command_access.yaml processed successfully. +./baseline/aws/IAM/aws_ssl_tls_certificate_expiry_30_days.yaml processed successfully. +./baseline/aws/IAM/aws_unapproved_iam_policy_in_use.yaml processed successfully. +./baseline/aws/IAM/aws_iam_support_role.yaml processed successfully. +./baseline/aws/IAM/aws_enable_mfa_for_iam_users_with_console_password.yaml processed successfully. +./baseline/aws/IAM/aws_ssl_tls_certificate_expiry_x_days.yaml processed successfully. +./baseline/aws/IAM/aws_unused_iam_group.yaml processed successfully. +./baseline/aws/IAM/aws_canary_access_token.yaml processed successfully. 
+./baseline/aws/IAM/aws_check_for_untrusted_cross_account_iam_roles.yaml processed successfully. +./baseline/aws/IAM/aws_multi_account_centralized_management.yaml processed successfully. +./baseline/aws/IAM/aws_iam_user_with_password_and_access_keys.yaml processed successfully. +./baseline/aws/IAM/aws_root_account_credentials_usage.yaml processed successfully. +./baseline/aws/IAM/aws_iam_groups_with_administrative_privileges.yaml processed successfully. +./baseline/aws/IAM/aws_ec2_purchase_restriction.yaml processed successfully. +./baseline/aws/IAM/aws_pre_heartbleed_server_certificates.yaml processed successfully. +./baseline/aws/IAM/aws_cross_account_access_lacks_external_id_and_mfa.yaml processed successfully. +./baseline/aws/IAM/aws_access_keys_rotated_x_days.yaml processed successfully. +./baseline/aws/IAM/aws_iam_server_certificate_size.yaml processed successfully. +./baseline/aws/IAM/aws_check_for_iam_user_group_membership.yaml processed successfully. +./baseline/aws/IAM/aws_iam_access_analyzer_findings.yaml processed successfully. +./baseline/aws/IAM/aws_valid_iam_identity_providers.yaml processed successfully. +./baseline/aws/IAM/aws_access_keys_rotated_45_days.yaml processed successfully. +./baseline/aws/IAM/aws_iam_user_password_expiry_x_days.yaml processed successfully. +./baseline/aws/IAM/aws_root_account_active_signing_certificates.yaml processed successfully. +./baseline/aws/IAM/aws_check_that_only_safelisted_iam_users_exist.yaml processed successfully. +./baseline/aws/IAM/aws_account_alternate_contacts.yaml processed successfully. +./baseline/aws/IAM/aws_hardware_mfa_for_aws_root_account.yaml processed successfully. +./baseline/aws/IAM/aws_iam_role_policy_too_permissive.yaml processed successfully. +./baseline/aws/IAM/aws_ssh_public_keys_rotated_x_days.yaml processed successfully. +./baseline/aws/IAM/aws_iam_policies_with_full_administrative_privileges.yaml processed successfully. 
+./baseline/aws/IAM/aws_iam_user_password_expiry_7_days.yaml processed successfully. +./baseline/aws/IAM/aws_attach_policy_to_iam_roles_associated_with_app_tier_ec2_instances.yaml processed successfully. +./baseline/aws/IAM/aws_ssh_public_keys_rotated_90_days.yaml processed successfully. +./baseline/aws/IAM/aws_iam_user_no_policies.yaml processed successfully. +./baseline/aws/eks/aws_enable_envelope_encryption_for_eks_kubernetes_secrets.yaml processed successfully. +./baseline/aws/eks/aws_eks_cluster_endpoint_public_access.yaml processed successfully. +./baseline/aws/eks/aws_enable_cloudtrail_logging_for_kubernetes_api_calls.yaml processed successfully. +./baseline/aws/eks/aws_kubernetes_cluster_version.yaml processed successfully. +./baseline/aws/eks/aws_use_aws_managed_policy_to_manage_networking_resources.yaml processed successfully. +./baseline/aws/eks/aws_kubernetes_cluster_logging.yaml processed successfully. +./baseline/aws/eks/aws_disable_remote_access_to_eks_cluster_node_groups.yaml processed successfully. +./baseline/aws/eks/aws_eks_security_groups.yaml processed successfully. +./baseline/aws/eks/aws_eks_cluster_node_group_iam_role_policies.yaml processed successfully. +./baseline/aws/eks/aws_use_aws_managed_policy_to_access_amazon_ecr_repositories.yaml processed successfully. +./baseline/aws/eks/aws_use_oidc_provider_for_authenticating_kubernetes_api_calls.yaml processed successfully. +./baseline/aws/eks/aws_use_aws_managed_policy_to_manage_aws_resources.yaml processed successfully. +./baseline/aws/vpc/aws_managed_nat_gateway_in_use.yaml processed successfully. +./baseline/aws/vpc/aws_unrestricted_network_acl_outbound_traffic.yaml processed successfully. +./baseline/aws/vpc/aws_vpc_endpoint_cross_account_access.yaml processed successfully. +./baseline/aws/vpc/aws_unrestricted_network_acl_inbound_traffic.yaml processed successfully. +./baseline/aws/vpc/aws_vpc_flow_logs_enabled.yaml processed successfully. 
+./baseline/aws/vpc/aws_vpc_peering_connections_to_accounts_outside_aws_organization.yaml processed successfully. +./baseline/aws/vpc/aws_unrestricted_inbound_traffic_on_remote_server_administration_ports.yaml processed successfully. +./baseline/aws/vpc/aws_vpc_endpoints_in_use.yaml processed successfully. +./baseline/aws/vpc/aws_vpc_endpoint_exposed.yaml processed successfully. +./baseline/aws/backup/aws_dynamodb_instances_have_backup_withing_48_hours.yaml processed successfully. +./baseline/aws/backup/aws_ec2_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml processed successfully. +./baseline/aws/backup/aws_check_for_protected_amazon_backup_resource_types.yaml processed successfully. +./baseline/aws/backup/aws_efs_files_have_backup_with_lifecyclepolicy_above_35_days.yaml processed successfully. +./baseline/aws/backup/aws_efs_files_have_backup_withing_48_hours.yaml processed successfully. +./baseline/aws/backup/aws_use_kms_customer_master_keys_for_aws_backup.yaml processed successfully. +./baseline/aws/backup/aws_enable_alert_notifications_for_failed_backup_jobs.yaml processed successfully. +./baseline/aws/backup/aws_backup_service_lifecycle_configuration.yaml processed successfully. +./baseline/aws/backup/aws_rds_database_instances_must_have_a_minimum_acceptable_restore_time.yaml processed successfully. +./baseline/aws/backup/aws_configure_aws_backup_vault_access_policy.yaml processed successfully. +./baseline/aws/backup/aws_ebs_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml processed successfully. +./baseline/aws/backup/aws_ec2_instances_have_backup_withing_48_hours.yaml processed successfully. +./baseline/aws/backup/aws_dynamodb_instances_have_backup_with_lifecyclepolicy_above_35_days.yaml processed successfully. +./baseline/aws/backup/aws_rds_database_instances_have_a_minimum_acceptable_backup_policy.yaml processed successfully. +./baseline/aws/backup/aws_ebs_instances_have_backup_withing_rpo_period.yaml processed successfully. 
+./baseline/aws/rds/aws_rds_default_port.yaml processed successfully. +./baseline/aws/rds/aws_rds_instance_counts.yaml processed successfully. +./baseline/aws/rds/aws_rds_public_snapshots.yaml processed successfully. +./baseline/aws/rds/aws_instance_deletion_protection.yaml processed successfully. +./baseline/aws/rds/aws_rds_desired_instance_type.yaml processed successfully. +./baseline/aws/rds/aws_rds_encrypted_with_kms_customer_master_keys.yaml processed successfully. +./baseline/aws/rds/aws_rotate_ssltls_certificates_for_database_instances.yaml processed successfully. +./baseline/aws/rds/aws_rds_encryption_enabled.yaml processed successfully. +./baseline/aws/rds/aws_aurora_database_cluster_activity_streams.yaml processed successfully. +./baseline/aws/rds/aws_enable_rds_snapshot_encryption.yaml processed successfully. +./baseline/aws/rds/aws_enable_aurora_cluster_copy_tags_to_snapshots.yaml processed successfully. +./baseline/aws/rds/aws_db_instance_generation.yaml processed successfully. +./baseline/aws/rds/aws_aurora_database_instance_accessibility.yaml processed successfully. +./baseline/aws/rds/aws_log_exports.yaml processed successfully. +./baseline/aws/rds/aws_instance_level_events_subscriptions.yaml processed successfully. +./baseline/aws/rds/aws_rds_db_instance_no_public_subnet.yaml processed successfully. +./baseline/aws/rds/aws_rds_multi_az.yaml processed successfully. +./baseline/aws/rds/aws_security_groups_events_subscriptions.yaml processed successfully. +./baseline/aws/rds/aws_backtrack.yaml processed successfully. +./baseline/aws/rds/aws_enable_instance_storage_auto_scaling.yaml processed successfully. +./baseline/aws/rds/aws_enable_serverless_log_exports.yaml processed successfully. +./baseline/aws/rds/aws_rds_publicly_accessible.yaml processed successfully. +./baseline/aws/rds/aws_cluster_deletion_protection.yaml processed successfully. +./baseline/aws/rds/aws_performance_insights.yaml processed successfully. 
+./baseline/aws/rds/aws_rds_automated_backups_enabled.yaml processed successfully. +./baseline/aws/rds/aws_use_aws_backup_service_in_use_for_amazon_rds.yaml processed successfully. +./baseline/aws/rds/aws_enable_aws_rds_transport_encryption.yaml processed successfully. +./baseline/aws/rds/aws_rds_event_notifications.yaml processed successfully. +./baseline/aws/efs/aws_kms_customer_master_keys_for_efs_encryption.yaml processed successfully. +./baseline/aws/efs/aws_efs_encryption_enabled.yaml processed successfully. +./baseline/aws/ec2/aws_unused_aws_ec2_key_pairs.yaml processed successfully. +./baseline/aws/ec2/aws_ec2_instance_in_vpc.yaml processed successfully. +./baseline/aws/ec2/aws_default_security_group_unrestricted.yaml processed successfully. +./baseline/aws/ec2/aws_ec2_ami_too_old.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_ssh_access.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_oracle_access.yaml processed successfully. +./baseline/aws/ec2/aws_require_imdsv2_for_ec2_instances.yaml processed successfully. +./baseline/aws/ec2/aws_disable_public_ip_address_assignment_for_ec2_instances.yaml processed successfully. +./baseline/aws/ec2/aws_unused_elastic_network_interfaces.yaml processed successfully. +./baseline/aws/ec2/aws_ami_encryption.yaml processed successfully. +./baseline/aws/ec2/aws_ec2_desired_instance_type.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_mongodb_access.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_cifs_access.yaml processed successfully. +./baseline/aws/ec2/aws_security_group_name_prefixed_with_launch_wizard.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_icmp_access.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_opensearch_access.yaml processed successfully. +./baseline/aws/ec2/aws_security_group_port_range.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_netbios_access.yaml processed successfully. 
+./baseline/aws/ec2/aws_ec2_instance_not_in_public_subnet.yaml processed successfully. +./baseline/aws/ec2/aws_unused_ami.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_mysql_access.yaml processed successfully. +./baseline/aws/ec2/aws_ec2_instances_with_multiple_elastic_network_interfaces.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_mssql_access.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_security_group_ingress_on_uncommon_ports.yaml processed successfully. +./baseline/aws/ec2/aws_ec2_instance_naming_conventions.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_rpc_access.yaml processed successfully. +./baseline/aws/ec2/aws_default_security_groups_in_use.yaml processed successfully. +./baseline/aws/ec2/aws_unrestricted_smtp_access.yaml processed successfully. +./baseline/aws/ec2/aws_ec2_instance_termination_protection.yaml processed successfully. +./baseline/aws/ec2/aws_ec2_instance_too_old.yaml processed successfully. +./baseline/aws/ec2/aws_unassociated_elastic_ip_addresses.yaml processed successfully. +./baseline/aws/ec2/aws_publicly_shared_ami.yaml processed successfully. +./aws/aws_foundational_security_opensearch_1.yaml processed successfully. +./aws/aws_cis_v140_3_9.yaml processed successfully. +./aws/aws_foundational_security_cloudfront_8.yaml processed successfully. +./aws/aws_cis_v200_2_1_2.yaml processed successfully. +./aws/aws_ec2_instance_in_vpc.yaml processed successfully. +./aws/aws_foundational_security_dynamodb_1.yaml processed successfully. +./aws/aws_autoscaling_use_multiple_instance_types_in_multiple_az.yaml processed successfully. +./aws/aws_cis_v130_3_11.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_2_1.yaml processed successfully. +./aws/aws_cis_v300_1_7.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_8.yaml processed successfully. +./aws/aws_ec2_network_interface_unused.yaml processed successfully. 
+./aws/aws_foundational_security_s3_19.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_write_permission_on_critical_s3_configuration.yaml processed successfully. +./aws/aws_opensearch_domain_audit_logging_enabled.yaml processed successfully. +./aws/aws_redshift_cluster_no_default_admin_name.yaml processed successfully. +./aws/aws_iam_account_password_policy_min_length_14.yaml processed successfully. +./aws/aws_secretsmanager_secret_encrypted_with_kms_cmk.yaml processed successfully. +./aws/aws_mandatory_sql_ebs_volume_mandatory.yaml processed successfully. +./aws/aws_iam_user_console_access_mfa_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_10.yaml processed successfully. +./aws/aws_cis_v200_5_5.yaml processed successfully. +./aws/aws_es_domain_dedicated_master_nodes_min_3.yaml processed successfully. +./aws/aws_cis_v150_3_3.yaml processed successfully. +./aws/aws_iam_access_analyzer_enabled.yaml processed successfully. +./aws/aws_cis_v200_1_12.yaml processed successfully. +./aws/aws_account_part_of_organizations.yaml processed successfully. +./aws/aws_vpc_security_group_restrict_ingress_redis_port.yaml processed successfully. +./aws/aws_cis_v120_3_14.yaml processed successfully. +./aws/aws_cis_v300_1_21.yaml processed successfully. +./aws/aws_cis_v200_2_4_1.yaml processed successfully. +./aws/aws_lambda_function_dead_letter_queue_configured.yaml processed successfully. +./aws/aws_backup_vault_region_configured.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_cloud_log_tampering_access.yaml processed successfully. +./aws/aws_iam_user_unused_credentials_45.yaml processed successfully. +./aws/aws_cis_v200_1_2.yaml processed successfully. +./aws/aws_foundational_security_ecs_4.yaml processed successfully. +./aws/aws_cis_v200_2_3_3.yaml processed successfully. +./aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_full_packets.yaml processed successfully. 
+./aws/aws_iam_account_password_policy_strong_min_reuse_24.yaml processed successfully. +./aws/aws_elb_application_lb_waf_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_11.yaml processed successfully. +./aws/aws_cis_v130_1_16.yaml processed successfully. +./aws/aws_foundational_security_docdb_1.yaml processed successfully. +./aws/aws_kinesis_stream_server_side_encryption_enabled.yaml processed successfully. +./aws/aws_cis_v150_2_1_1.yaml processed successfully. +./aws/aws_cis_v300_3_6.yaml processed successfully. +./aws/aws_s3_bucket_lifecycle_policy_enabled.yaml processed successfully. +./aws/aws_foundational_security_s3_6.yaml processed successfully. +./aws/aws_lambda_function_cloudtrail_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_iam_21.yaml processed successfully. +./aws/aws_ebs_volume_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_cis_v120_1_13.yaml processed successfully. +./aws/aws_foundational_security_redshift_2.yaml processed successfully. +./aws/aws_cis_v150_1_2.yaml processed successfully. +./aws/aws_mandatory_sql_accessanalyzer_analyzer_mandatory.yaml processed successfully. +./aws/aws_vpc_security_group_allows_ingress_authorized_ports.yaml processed successfully. +./aws/aws_athena_workgroup_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_iam_user_group_role_cloudshell_fullaccess_restricted.yaml processed successfully. +./aws/aws_config_enabled_all_regions.yaml processed successfully. +./aws/aws_iam_user_unused_credentials_90.yaml processed successfully. +./aws/aws_foundational_security_redshift_10.yaml processed successfully. +./aws/aws_mandatory_sql_ssm_parameter_mandatory.yaml processed successfully. +./aws/aws_s3_bucket_default_encryption_enabled_kms.yaml processed successfully. +./aws/aws_cis_v150_5_5.yaml processed successfully. +./aws/aws_s3_bucket_event_notifications_enabled.yaml processed successfully. 
+./aws/aws_cis_v200_3_3.yaml processed successfully. +./aws/aws_ec2_instance_publicly_accessible_iam_profile_attached.yaml processed successfully. +./aws/aws_foundational_security_rds_10.yaml processed successfully. +./aws/aws_cloudfront_distribution_use_secure_cipher.yaml processed successfully. +./aws/aws_cis_v150_1_18.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_1_4.yaml processed successfully. +./aws/aws_cis_v130_3_2.yaml processed successfully. +./aws/aws_foundational_security_elb_2.yaml processed successfully. +./aws/aws_autoscaling_ec2_launch_configuration_no_sensitive_data.yaml processed successfully. +./aws/aws_foundational_security_iam_2.yaml processed successfully. +./aws/aws_cis_v140_3_5.yaml processed successfully. +./aws/aws_cloudformation_stack_output_no_secrets.yaml processed successfully. +./aws/aws_cis_v140_2_1_4.yaml processed successfully. +./aws/aws_foundational_security_cloudfront_4.yaml processed successfully. +./aws/aws_mandatory_sql_codecommit_repository_mandatory.yaml processed successfully. +./aws/aws_foundational_security_es_6.yaml processed successfully. +./aws/aws_ec2_instance_uses_imdsv2.yaml processed successfully. +./aws/aws_mandatory_sql_eventbridge_rule_mandatory.yaml processed successfully. +./aws/aws_mandatory_sql_cloudfront_distribution_mandatory.yaml processed successfully. +./aws/aws_cis_v130_1_20.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_new_group_creation_with_attached_policy_access.yaml processed successfully. +./aws/aws_foundational_security_neptune_3.yaml processed successfully. +./aws/aws_cis_v300_4_14.yaml processed successfully. +./aws/aws_opensearch_domain_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_foundational_security_rds_8.yaml processed successfully. +./aws/aws_cloudtrail_trail_logs_encrypted_with_kms_cmk.yaml processed successfully. +./aws/aws_elb_application_lb_redirect_http_request_to_https.yaml processed successfully. 
+./aws/aws_cis_v300_2_1_3.yaml processed successfully. +./aws/aws_mandatory_sql_redshift_cluster_mandatory.yaml processed successfully. +./aws/aws_foundational_security_ecs_8.yaml processed successfully. +./aws/aws_foundational_security_codebuild_1.yaml processed successfully. +./aws/aws_foundational_security_sns_2.yaml processed successfully. +./aws/aws_ec2_classic_lb_connection_draining_enabled.yaml processed successfully. +./aws/aws_vpc_in_more_than_one_region.yaml processed successfully. +./aws/aws_cloudtrail_trail_integrated_with_logs.yaml processed successfully. +./aws/aws_sagemaker_endpoint_configuration_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_cloudfront_distribution_custom_origins_encryption_in_transit_enabled.yaml processed successfully. +./aws/aws_foundational_security_elasticbeanstalk_1.yaml processed successfully. +./aws/aws_cis_v140_1_4.yaml processed successfully. +./aws/aws_docdb_cluster_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_redshift_cluster_maintenance_settings_check.yaml processed successfully. +./aws/aws_mandatory_sql_eks_cluster_mandatory.yaml processed successfully. +./aws/aws_opensearch_domain_updated_with_latest_service_software_version.yaml processed successfully. +./aws/aws_rds_db_instance_postgres_not_exposed_to_local_file_read_vulnerability.yaml processed successfully. +./aws/aws_es_domain_error_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_autoscaling_3.yaml processed successfully. +./aws/aws_mandatory_sql_kinesis_firehose_delivery_stream_mandatory.yaml processed successfully. +./aws/aws_cis_v130_1_3.yaml processed successfully. +./aws/aws_cis_compute_service_v100_5_2.yaml processed successfully. +./aws/aws_gatewayv2_stage_access_logging_enabled.yaml processed successfully. +./aws/aws_cis_v140_1_11.yaml processed successfully. +./aws/aws_elasticache_cluster_auto_minor_version_upgrade_enabled.yaml processed successfully. 
+./aws/aws_s3_bucket_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_elasticache_6.yaml processed successfully. +./aws/aws_cis_v130_5_4.yaml processed successfully. +./aws/aws_iam_policy_no_full_access_to_cloudtrail.yaml processed successfully. +./aws/aws_backup_plan_region_configured.yaml processed successfully. +./aws/aws_cis_v140_2_2_1.yaml processed successfully. +./aws/aws_cis_v300_2_3_2.yaml processed successfully. +./aws/aws_rds_db_cluster_multiple_az_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_6.yaml processed successfully. +./aws/aws_cis_v300_1_17.yaml processed successfully. +./aws/aws_glue_job_bookmarks_encryption_enabled.yaml processed successfully. +./aws/aws_cis_v140_4_7.yaml processed successfully. +./aws/aws_cis_v150_1_14.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_data_destruction_access.yaml processed successfully. +./aws/aws_mandatory_sql_vpc_network_acl_mandatory.yaml processed successfully. +./aws/aws_foundational_security_waf_1.yaml processed successfully. +./aws/aws_iam_policy_no_star_star.yaml processed successfully. +./aws/aws_cloudfront_distribution_sni_enabled.yaml processed successfully. +./aws/aws_vpc_subnet_auto_assign_public_ip_disabled.yaml processed successfully. +./aws/aws_codebuild_project_environment_privileged_mode_disabled.yaml processed successfully. +./aws/aws_lambda_function_restrict_public_access.yaml processed successfully. +./aws/aws_foundational_security_ecs_12.yaml processed successfully. +./aws/aws_cis_v150_1_15.yaml processed successfully. +./aws/aws_cloudfront_distribution_logging_enabled.yaml processed successfully. +./aws/aws_mandatory_sql_codebuild_project_mandatory.yaml processed successfully. +./aws/aws_vpc_security_group_allows_ingress_to_cassandra_ports.yaml processed successfully. +./aws/aws_efs_access_point_enforce_root_directory.yaml processed successfully. +./aws/aws_cis_v300_1_16.yaml processed successfully. 
+./aws/aws_cis_compute_service_v100_4_7.yaml processed successfully. +./aws/aws_log_metric_filter_iam_policy.yaml processed successfully. +./aws/aws_ecr_repository_prohibit_public_access.yaml processed successfully. +./aws/aws_foundational_security_acm_1.yaml processed successfully. +./aws/aws_log_metric_filter_route_table.yaml processed successfully. +./aws/aws_cis_v120_1_8.yaml processed successfully. +./aws/aws_cis_v300_2_3_3.yaml processed successfully. +./aws/aws_mandatory_sql_kms_key_mandatory.yaml processed successfully. +./aws/aws_redshift_cluster_enhanced_vpc_routing_enabled.yaml processed successfully. +./aws/aws_s3_bucket_restrict_public_read_access.yaml processed successfully. +./aws/aws_ecs_cluster_no_registered_container_instance.yaml processed successfully. +./aws/aws_foundational_security_kms_3.yaml processed successfully. +./aws/aws_elb_application_classic_network_lb_prohibit_public_access.yaml processed successfully. +./aws/aws_foundational_security_elasticache_7.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_passrole_and_lambda_invoke_function_access.yaml processed successfully. +./aws/aws_sns_topic_policy_prohibit_subscription_access.yaml processed successfully. +./aws/aws_emr_cluster_kerberos_enabled.yaml processed successfully. +./aws/aws_cis_v140_5_2.yaml processed successfully. +./aws/aws_cis_v140_1_10.yaml processed successfully. +./aws/aws_foundational_security_autoscaling_2.yaml processed successfully. +./aws/aws_cloudformation_stack_termination_protection_enabled.yaml processed successfully. +./aws/aws_dms_endpoint_ssl_configured.yaml processed successfully. +./aws/aws_s3_bucket_restrict_public_write_access.yaml processed successfully. +./aws/aws_elasticache_replication_group_encryption_in_transit_enabled.yaml processed successfully. +./aws/aws_cis_v130_1_2.yaml processed successfully. +./aws/aws_log_metric_filter_root_login.yaml processed successfully. +./aws/aws_foundational_security_ec2_7.yaml processed successfully. 
+./aws/aws_mandatory_sql_cloudwatch_alarm_mandatory.yaml processed successfully. +./aws/aws_elasticache_cluster_no_default_subnet_group.yaml processed successfully. +./aws/aws_rds_db_cluster_iam_authentication_enabled.yaml processed successfully. +./aws/aws_elb_application_gateway_network_lb_multiple_az_configured.yaml processed successfully. +./aws/aws_cis_v140_1_5.yaml processed successfully. +./aws/aws_foundational_security_secretsmanager_4.yaml processed successfully. +./aws/aws_ec2_instance_not_use_multiple_enis.yaml processed successfully. +./aws/aws_cis_v150_4_16.yaml processed successfully. +./aws/aws_ec2_instance_attached_ebs_volume_delete_on_termination_enabled.yaml processed successfully. +./aws/aws_elb_network_lb_tls_listener_security_policy_configured.yaml processed successfully. +./aws/aws_neptune_db_cluster_automated_backup_enabled.yaml processed successfully. +./aws/aws_foundational_security_ecs_9.yaml processed successfully. +./aws/aws_foundational_security_rds_9.yaml processed successfully. +./aws/aws_dynamodb_table_encrypted_with_kms.yaml processed successfully. +./aws/aws_api_gateway_method_request_parameter_validated.yaml processed successfully. +./aws/aws_ec2_instance_not_older_than_180_days.yaml processed successfully. +./aws/aws_wafv2_web_acl_rule_attached.yaml processed successfully. +./aws/aws_mandatory_sql_wafv2_ip_set_mandatory.yaml processed successfully. +./aws/aws_foundational_security_rds_27.yaml processed successfully. +./aws/aws_foundational_security_elb_12.yaml processed successfully. +./aws/aws_cis_v300_2_1_2.yaml processed successfully. +./aws/aws_foundational_security_ec2_51.yaml processed successfully. +./aws/aws_directory_service_certificate_expires_90_days.yaml processed successfully. +./aws/aws_vpc_network_acl_unused.yaml processed successfully. +./aws/aws_cis_v130_1_21.yaml processed successfully. +./aws/aws_sagemaker_notebook_instance_in_vpc.yaml processed successfully. 
+./aws/aws_cis_v300_2_4_1.yaml processed successfully. +./aws/aws_foundational_security_neptune_2.yaml processed successfully. +./aws/aws_foundational_security_fsx_1.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_5.yaml processed successfully. +./aws/aws_elb_classic_lb_cross_zone_load_balancing_enabled.yaml processed successfully. +./aws/aws_foundational_security_es_7.yaml processed successfully. +./aws/aws_opensearch_domain_node_to_node_encryption_enabled.yaml processed successfully. +./aws/aws_redshift_cluster_encryption_in_transit_enabled.yaml processed successfully. +./aws/aws_apigateway_stage_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_iam_3.yaml processed successfully. +./aws/aws_cis_v140_3_4.yaml processed successfully. +./aws/aws_ecs_service_load_balancer_attached.yaml processed successfully. +./aws/aws_foundational_security_cloudfront_5.yaml processed successfully. +./aws/aws_cis_v130_3_3.yaml processed successfully. +./aws/aws_neptune_db_cluster_snapshot_prohibit_public_access.yaml processed successfully. +./aws/aws_foundational_security_dms_1.yaml processed successfully. +./aws/aws_rds_db_instance_backup_retention_period_less_than_7.yaml processed successfully. +./aws/aws_foundational_security_eks_8.yaml processed successfully. +./aws/aws_sns_topic_policy_prohibit_public_access.yaml processed successfully. +./aws/aws_iam_user_in_group.yaml processed successfully. +./aws/aws_cis_v150_1_19.yaml processed successfully. +./aws/aws_rds_db_cluster_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_rds_db_cluster_aurora_postgres_not_exposed_to_local_file_read_vulnerability.yaml processed successfully. +./aws/aws_cis_compute_service_v100_10_1.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_1_5.yaml processed successfully. +./aws/aws_cloudfront_distribution_use_custom_ssl_certificate.yaml processed successfully. +./aws/aws_cis_v150_5_4.yaml processed successfully. 
+./aws/aws_cis_v200_3_2.yaml processed successfully. +./aws/aws_iam_policy_unused.yaml processed successfully. +./aws/aws_foundational_security_rds_11.yaml processed successfully. +./aws/aws_vpc_gateway_endpoint_restrict_public_access.yaml processed successfully. +./aws/aws_neptune_db_cluster_copy_tags_to_snapshot_enabled.yaml processed successfully. +./aws/aws_acm_certificate_no_wildcard_domain_name.yaml processed successfully. +./aws/aws_cis_v120_1_4.yaml processed successfully. +./aws/aws_foundational_security_ssm_4.yaml processed successfully. +./aws/aws_elb_application_classic_lb_logging_enabled.yaml processed successfully. +./aws/aws_ecr_repository_image_scan_on_push_enabled.yaml processed successfully. +./aws/aws_cis_v120_1_12.yaml processed successfully. +./aws/aws_foundational_security_redshift_3.yaml processed successfully. +./aws/aws_cis_v150_1_3.yaml processed successfully. +./aws/aws_glacier_vault_restrict_public_access.yaml processed successfully. +./aws/aws_mandatory_sql_ec2_classic_load_balancer_mandatory.yaml processed successfully. +./aws/aws_ec2_instance_no_amazon_key_pair.yaml processed successfully. +./aws/aws_efs_file_system_enforces_ssl.yaml processed successfully. +./aws/aws_codebuild_project_source_repo_oauth_configured.yaml processed successfully. +./aws/aws_ecs_task_definition_logging_enabled.yaml processed successfully. +./aws/aws_eks_cluster_with_latest_kubernetes_version.yaml processed successfully. +./aws/aws_foundational_security_networkfirewall_6.yaml processed successfully. +./aws/aws_ec2_stopped_instance_30_days.yaml processed successfully. +./aws/aws_kms_cmk_rotation_enabled.yaml processed successfully. +./aws/aws_ec2_ami_restrict_public_access.yaml processed successfully. +./aws/aws_mandatory_sql_inspector_assessment_template_mandatory.yaml processed successfully. +./aws/aws_fsx_file_system_copy_tags_to_backup_and_volume_enabled.yaml processed successfully. 
+./aws/aws_cloudfront_distribution_default_root_object_configured.yaml processed successfully. +./aws/aws_sns_topic_policy_prohibit_publishing_access.yaml processed successfully. +./aws/aws_organizational_tag_policies_enabled.yaml processed successfully. +./aws/aws_vpc_security_group_restrict_ingress_rdp_all.yaml processed successfully. +./aws/aws_mandatory_sql_wafv2_web_acl_mandatory.yaml processed successfully. +./aws/aws_cis_v200_2_3_2.yaml processed successfully. +./aws/aws_cloudwatch_log_group_retention_period_365.yaml processed successfully. +./aws/aws_es_domain_audit_logging_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_10.yaml processed successfully. +./aws/aws_cis_v130_1_17.yaml processed successfully. +./aws/aws_kms_key_not_pending_deletion.yaml processed successfully. +./aws/aws_elb_classic_lb_with_inbound_rule.yaml processed successfully. +./aws/aws_cis_v200_1_3.yaml processed successfully. +./aws/aws_foundational_security_ecs_5.yaml processed successfully. +./aws/aws_cis_v200_1_13.yaml processed successfully. +./aws/aws_acm_certificate_no_failed_certificate.yaml processed successfully. +./aws/aws_vpc_security_group_allows_ingress_to_memcached_port.yaml processed successfully. +./aws/aws_cis_v300_1_20.yaml processed successfully. +./aws/aws_foundational_security_account_1.yaml processed successfully. +./aws/aws_elb_listener_use_secure_ssl_cipher.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_11.yaml processed successfully. +./aws/aws_cis_v200_5_4.yaml processed successfully. +./aws/aws_foundational_security_sfn_1.yaml processed successfully. +./aws/aws_dms_replication_instance_not_publicly_accessible.yaml processed successfully. +./aws/aws_s3_bucket_policy_restricts_cross_account_permission_changes.yaml processed successfully. +./aws/aws_cis_v150_3_2.yaml processed successfully. +./aws/aws_elb_application_network_lb_use_listeners.yaml processed successfully. 
+./aws/aws_route53_domain_privacy_protection_enabled.yaml processed successfully. +./aws/aws_foundational_security_rds_5.yaml processed successfully. +./aws/aws_log_metric_filter_disable_or_delete_cmk.yaml processed successfully. +./aws/aws_cis_v120_3_5.yaml processed successfully. +./aws/aws_foundational_security_ecr_1.yaml processed successfully. +./aws/aws_cis_v300_1_6.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_9.yaml processed successfully. +./aws/aws_secretsmanager_secret_unused_90_day.yaml processed successfully. +./aws/aws_cis_v150_2_3_1.yaml processed successfully. +./aws/aws_api_gatewayv2_route_authorization_type_configured.yaml processed successfully. +./aws/aws_networkfirewall_stateless_rule_group_not_empty.yaml processed successfully. +./aws/aws_cis_v130_3_10.yaml processed successfully. +./aws/aws_mandatory_sql_rds_db_parameter_group_mandatory.yaml processed successfully. +./aws/aws_cis_v200_2_1_3.yaml processed successfully. +./aws/aws_docdb_cluster_instance_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_kms_key_decryption_restricted_in_iam_inline_policy.yaml processed successfully. +./aws/aws_foundational_security_waf_10.yaml processed successfully. +./aws/aws_rds_db_instance_events_subscription.yaml processed successfully. +./aws/aws_cis_v140_3_8.yaml processed successfully. +./aws/aws_cis_v140_3_10.yaml processed successfully. +./aws/aws_cis_v130_3_4.yaml processed successfully. +./aws/aws_autoscaling_launch_config_hop_limit.yaml processed successfully. +./aws/aws_cloudfront_distribution_waf_enabled.yaml processed successfully. +./aws/aws_lambda_function_use_latest_runtime.yaml processed successfully. +./aws/aws_foundational_security_dms_6.yaml processed successfully. +./aws/aws_appstream_fleet_idle_disconnect_timeout_600_seconds.yaml processed successfully. +./aws/aws_cis_v130_2_1_1.yaml processed successfully. +./aws/aws_foundational_security_ec2_17.yaml processed successfully. 
+./aws/aws_foundational_security_elb_4.yaml processed successfully. +./aws/aws_sns_topic_encrypted_at_rest.yaml processed successfully. +./aws/aws_cloudtrail_trail_enabled.yaml processed successfully. +./aws/aws_cis_v140_2_1_2.yaml processed successfully. +./aws/aws_cis_v140_3_3.yaml processed successfully. +./aws/aws_foundational_security_iam_4.yaml processed successfully. +./aws/aws_cloudformation_stack_notifications_enabled.yaml processed successfully. +./aws/aws_foundational_security_s3_13.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_2.yaml processed successfully. +./aws/aws_foundational_security_config_1.yaml processed successfully. +./aws/aws_mandatory_sql_elastic_beanstalk_application_mandatory.yaml processed successfully. +./aws/aws_s3_bucket_enforces_ssl.yaml processed successfully. +./aws/aws_cis_v140_4_14.yaml processed successfully. +./aws/aws_rds_db_instance_multiple_az_enabled.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_management_level_access.yaml processed successfully. +./aws/aws_vpc_security_group_restrict_ingress_kibana_port.yaml processed successfully. +./aws/aws_dax_cluster_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_foundational_security_sagemaker_3.yaml processed successfully. +./aws/aws_rds_db_instance_in_vpc.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_privilege_escalation_risk_access.yaml processed successfully. +./aws/aws_foundational_security_neptune_5.yaml processed successfully. +./aws/aws_foundational_security_emr_2.yaml processed successfully. +./aws/aws_cis_v300_4_12.yaml processed successfully. +./aws/aws_cis_v150_3_9.yaml processed successfully. +./aws/aws_cis_compute_service_v100_6_1.yaml processed successfully. +./aws/aws_foundational_security_rds_20.yaml processed successfully. +./aws/aws_emr_account_public_access_blocked.yaml processed successfully. +./aws/aws_s3_bucket_protected_by_macie.yaml processed successfully. 
+./aws/aws_cis_compute_service_v100_2_6.yaml processed successfully. +./aws/aws_rds_db_security_group_events_subscription.yaml processed successfully. +./aws/aws_cis_v200_1_8.yaml processed successfully. +./aws/aws_cis_v200_1_18.yaml processed successfully. +./aws/aws_foundational_security_secretsmanager_3.yaml processed successfully. +./aws/aws_cis_v140_1_2.yaml processed successfully. +./aws/aws_foundational_security_autoscaling_5.yaml processed successfully. +./aws/aws_acm_certificate_transparency_logging_enabled.yaml processed successfully. +./aws/aws_es_domain_internal_user_database_enabled.yaml processed successfully. +./aws/aws_foundational_security_apigateway_1.yaml processed successfully. +./aws/aws_ecr_repository_lifecycle_policy_configured.yaml processed successfully. +./aws/aws_cis_v130_1_5.yaml processed successfully. +./aws/aws_foundational_security_cloudformation_1.yaml processed successfully. +./aws/aws_efs_file_system_encrypted_with_cmk.yaml processed successfully. +./aws/aws_eks_cluster_control_plane_audit_logging_enabled.yaml processed successfully. +./aws/aws_route53_domain_expires_30_days.yaml processed successfully. +./aws/aws_vpc_security_group_restrict_ingress_ssh_all.yaml processed successfully. +./aws/aws_cis_v140_1_17.yaml processed successfully. +./aws/aws_cis_v130_5_2.yaml processed successfully. +./aws/aws_redshift_cluster_kms_enabled.yaml processed successfully. +./aws/aws_iam_users_with_console_access_are_requried_to_have_MFA.yaml processed successfully. +./aws/aws_cis_v120_1_19.yaml processed successfully. +./aws/aws_foundational_security_redshift_8.yaml processed successfully. +./aws/aws_cis_v150_1_8.yaml processed successfully. +./aws/aws_cis_v300_1_11.yaml processed successfully. +./aws/aws_rds_db_cluster_deletion_protection_enabled.yaml processed successfully. +./aws/aws_ssm_managed_instance_compliance_association_compliant.yaml processed successfully. +./aws/aws_cloudtrail_security_trail_enabled.yaml processed successfully. 
+./aws/aws_cis_v150_1_12.yaml processed successfully. +./aws/aws_rds_db_instance_backup_enabled.yaml processed successfully. +./aws/aws_foundational_security_waf_7.yaml processed successfully. +./aws/aws_iam_user_with_administrator_access_mfa_enabled.yaml processed successfully. +./aws/aws_iam_managed_policy_attached_to_role.yaml processed successfully. +./aws/aws_securityhub_enabled.yaml processed successfully. +./aws/aws_cloudtrail_s3_data_events_enabled.yaml processed successfully. +./aws/aws_log_metric_filter_network_acl.yaml processed successfully. +./aws/aws_cis_v200_3_9.yaml processed successfully. +./aws/aws_kinesis_firehose_delivery_stream_server_side_encryption_enabled.yaml processed successfully. +./aws/aws_ec2_transit_gateway_auto_cross_account_attachment_disabled.yaml processed successfully. +./aws/aws_foundational_security_opensearch_7.yaml processed successfully. +./aws/aws_cloudtrail_multi_region_read_write_enabled.yaml processed successfully. +./aws/aws_cis_v120_2_6.yaml processed successfully. +./aws/aws_log_metric_filter_unauthorized_api.yaml processed successfully. +./aws/aws_foundational_security_iam_8.yaml processed successfully. +./aws/aws_mandatory_sql_route53_domain_mandatory.yaml processed successfully. +./aws/aws_rds_db_instance_ca_certificate_expires_7_days.yaml processed successfully. +./aws/aws_vpc_configured_to_use_vpc_endpoints.yaml processed successfully. +./aws/aws_s3_bucket_mfa_delete_enabled.yaml processed successfully. +./aws/aws_cis_v130_4_13.yaml processed successfully. +./aws/aws_cis_v300_5_6.yaml processed successfully. +./aws/aws_cis_v130_3_8.yaml processed successfully. +./aws/aws_cis_v140_1_21.yaml processed successfully. +./aws/aws_autoscaling_group_multiple_az_configured.yaml processed successfully. +./aws/aws_cis_v200_2_1_4.yaml processed successfully. +./aws/aws_rds_db_instance_cloudwatch_logs_enabled.yaml processed successfully. +./aws/aws_rds_db_cluster_aurora_mysql_audit_logging_enabled.yaml processed successfully. 
+./aws/aws_cis_v300_1_1.yaml processed successfully. +./aws/aws_foundational_security_rds_2.yaml processed successfully. +./aws/aws_mandatory_sql_vpc_vpn_connection_mandatory.yaml processed successfully. +./aws/aws_kinesis_stream_encrypted_with_kms_cmk.yaml processed successfully. +./aws/aws_cloudfront_distribution_origin_access_identity_enabled.yaml processed successfully. +./aws/aws_guardduty_enabled.yaml processed successfully. +./aws/aws_cis_v150_3_5.yaml processed successfully. +./aws/aws_eks_cluster_endpoint_restrict_public_access.yaml processed successfully. +./aws/aws_cis_v200_5_3.yaml processed successfully. +./aws/aws_vpc_security_group_restricted_common_ports.yaml processed successfully. +./aws/aws_cis_v200_1_14.yaml processed successfully. +./aws/aws_cis_v120_3_12.yaml processed successfully. +./aws/aws_foundational_security_ecs_2.yaml processed successfully. +./aws/aws_cis_v200_1_4.yaml processed successfully. +./aws/aws_sagemaker_model_in_vpc.yaml processed successfully. +./aws/aws_iam_support_role.yaml processed successfully. +./aws/aws_foundational_security_autoscaling_9.yaml processed successfully. +./aws/aws_cis_v130_1_10.yaml processed successfully. +./aws/aws_foundational_security_route53_2.yaml processed successfully. +./aws/aws_ebs_snapshot_encryption_enabled.yaml processed successfully. +./aws/aws_iam_policy_no_full_access_to_kms.yaml processed successfully. +./aws/aws_ec2_launch_template_not_publicly_accessible.yaml processed successfully. +./aws/aws_foundational_security_cloudtrail_1.yaml processed successfully. +./aws/aws_sagemaker_training_job_in_vpc.yaml processed successfully. +./aws/aws_appstream_fleet_max_user_duration_36000_seconds.yaml processed successfully. +./aws/aws_networkfirewall_firewall_deletion_protection_enabled.yaml processed successfully. +./aws/aws_cis_v150_4_7.yaml processed successfully. +./aws/aws_dms_replication_instance_automatic_minor_version_upgrade_enabled.yaml processed successfully. 
+./aws/aws_vpc_security_group_restrict_ingress_common_ports_all.yaml processed successfully. +./aws/aws_efs_file_system_restrict_public_access.yaml processed successfully. +./aws/aws_emr_cluster_local_disk_encrypted_with_cmk.yaml processed successfully. +./aws/aws_elastic_beanstalk_environment_logs_to_cloudwatch.yaml processed successfully. +./aws/aws_cis_v150_1_4.yaml processed successfully. +./aws/aws_dynamodb_table_point_in_time_recovery_enabled.yaml processed successfully. +./aws/aws_cis_v120_1_15.yaml processed successfully. +./aws/aws_foundational_security_redshift_4.yaml processed successfully. +./aws/aws_cis_v200_2_2_1.yaml processed successfully. +./aws/aws_s3_bucket_acls_should_prohibit_user_access.yaml processed successfully. +./aws/aws_ebs_volume_unused.yaml processed successfully. +./aws/aws_foundational_security_ssm_3.yaml processed successfully. +./aws/aws_es_domain_node_to_node_encryption_enabled.yaml processed successfully. +./aws/aws_cis_v120_1_3.yaml processed successfully. +./aws/aws_foundational_security_efs_1.yaml processed successfully. +./aws/aws_cis_v200_3_5.yaml processed successfully. +./aws/aws_cis_v150_5_3.yaml processed successfully. +./aws/aws_ebs_attached_volume_encryption_enabled.yaml processed successfully. +./aws/aws_foundational_security_rds_16.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_1_2.yaml processed successfully. +./aws/aws_ec2_stopped_instance_90_days.yaml processed successfully. +./aws/aws_lambda_function_encryption_enabled.yaml processed successfully. +./aws/aws_sqs_queue_encrypted_at_rest.yaml processed successfully. +./aws/aws_iam_user_access_keys_and_password_at_setup.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_1_3.yaml processed successfully. +./aws/aws_rds_db_cluster_events_subscription.yaml processed successfully. +./aws/aws_cis_v200_3_4.yaml processed successfully. +./aws/aws_cis_v150_5_2.yaml processed successfully. 
+./aws/aws_foundational_security_rds_17.yaml processed successfully. +./aws/aws_s3_bucket_versioning_and_lifecycle_policy_enabled.yaml processed successfully. +./aws/aws_log_metric_filter_cloudtrail_configuration.yaml processed successfully. +./aws/aws_foundational_security_ssm_2.yaml processed successfully. +./aws/aws_cis_v120_1_2.yaml processed successfully. +./aws/aws_ebs_volume_in_backup_plan.yaml processed successfully. +./aws/aws_api_gateway_rest_api_public_endpoint_with_authorizer.yaml processed successfully. +./aws/aws_cis_v150_1_5.yaml processed successfully. +./aws/aws_fsx_file_system_protected_by_backup_plan.yaml processed successfully. +./aws/aws_directory_service_directory_sns_notifications_enabled.yaml processed successfully. +./aws/aws_iam_root_last_used.yaml processed successfully. +./aws/aws_codebuild_project_artifact_encryption_enabled.yaml processed successfully. +./aws/aws_foundational_security_ec2_20.yaml processed successfully. +./aws/aws_foundational_security_s3_1.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_12.yaml processed successfully. +./aws/aws_cis_v120_4_1.yaml processed successfully. +./aws/aws_sfn_state_machine_logging_enabled.yaml processed successfully. +./aws/aws_s3_bucket_policy_restrict_public_access.yaml processed successfully. +./aws/aws_route53_domain_auto_renew_enabled.yaml processed successfully. +./aws/aws_es_domain_in_vpc.yaml processed successfully. +./aws/aws_cis_v130_1_11.yaml processed successfully. +./aws/aws_cis_v130_1_8.yaml processed successfully. +./aws/aws_rds_db_cluster_automatic_minor_version_upgrade_enabled.yaml processed successfully. +./aws/aws_vpc_security_group_allows_ingress_to_oracle_ports.yaml processed successfully. +./aws/aws_drs_job_enabled.yaml processed successfully. +./aws/aws_foundational_security_ecs_3.yaml processed successfully. +./aws/aws_cis_v200_1_5.yaml processed successfully. +./aws/aws_cis_v200_1_15.yaml processed successfully. 
+./aws/aws_cloudtrail_s3_logging_enabled.yaml processed successfully. +./aws/aws_cis_v120_3_13.yaml processed successfully. +./aws/aws_mandatory_sql_wafv2_rule_group_mandatory.yaml processed successfully. +./aws/aws_networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets.yaml processed successfully. +./aws/aws_cis_v150_3_4.yaml processed successfully. +./aws/aws_elasticache_redis_cluster_automatic_backup_retention_15_days.yaml processed successfully. +./aws/aws_cis_v200_5_2.yaml processed successfully. +./aws/aws_foundational_security_rds_3.yaml processed successfully. +./aws/aws_es_domain_logs_to_cloudwatch.yaml processed successfully. +./aws/aws_rds_db_instance_connections_encryption_enabled.yaml processed successfully. +./aws/aws_apigateway_rest_api_stage_use_ssl_certificate.yaml processed successfully. +./aws/aws_docdb_cluster_instance_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_neptune_8.yaml processed successfully. +./aws/aws_foundational_security_cloudfront_12.yaml processed successfully. +./aws/aws_cis_v200_4_6.yaml processed successfully. +./aws/aws_cis_v140_1_20.yaml processed successfully. +./aws/aws_foundational_security_elb_9.yaml processed successfully. +./aws/aws_foundational_security_dynamodb_6.yaml processed successfully. +./aws/aws_foundational_security_opensearch_6.yaml processed successfully. +./aws/aws_cis_v120_2_7.yaml processed successfully. +./aws/aws_mandatory_sql_efs_file_system_mandatory.yaml processed successfully. +./aws/aws_eks_cluster_no_multiple_security_groups.yaml processed successfully. +./aws/aws_vpc_security_group_remote_administration.yaml processed successfully. +./aws/aws_codebuild_project_plaintext_env_variables_no_sensitive_aws_values.yaml processed successfully. +./aws/aws_cis_v200_3_8.yaml processed successfully. +./aws/aws_ec2_client_vpn_endpoint_client_connection_logging_enabled.yaml processed successfully. 
+./aws/aws_foundational_security_eks_2.yaml processed successfully. +./aws/aws_cis_v150_1_13.yaml processed successfully. +./aws/aws_log_metric_filter_network_gateway.yaml processed successfully. +./aws/aws_foundational_security_waf_6.yaml processed successfully. +./aws/aws_dynamodb_table_protected_by_backup_plan.yaml processed successfully. +./aws/aws_cis_v120_1_18.yaml processed successfully. +./aws/aws_foundational_security_redshift_9.yaml processed successfully. +./aws/aws_networkfirewall_firewall_logging_enabled.yaml processed successfully. +./aws/aws_cis_v150_1_9.yaml processed successfully. +./aws/aws_cis_v300_1_10.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_1.yaml processed successfully. +./aws/aws_iam_server_certificate_not_expired.yaml processed successfully. +./aws/aws_iam_user_console_access_unused_45.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_destruction_kms_access.yaml processed successfully. +./aws/aws_mandatory_sql_sagemaker_model_mandatory.yaml processed successfully. +./aws/aws_foundational_security_elasticache_1.yaml processed successfully. +./aws/aws_rds_db_cluster_aurora_backtracking_enabled.yaml processed successfully. +./aws/aws_apigateway_rest_api_authorizers_configured.yaml processed successfully. +./aws/aws_mandatory_sql_vpc_security_group_mandatory.yaml processed successfully. +./aws/aws_mandatory_sql_lambda_function_mandatory.yaml processed successfully. +./aws/aws_cis_v140_1_16.yaml processed successfully. +./aws/aws_cis_v140_5_4.yaml processed successfully. +./aws/aws_autoscaling_group_propagate_tags_to_ec2_instance_enabled.yaml processed successfully. +./aws/aws_sagemaker_notebook_instance_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_appstream_fleet_default_internet_access_disabled.yaml processed successfully. +./aws/aws_foundational_security_autoscaling_4.yaml processed successfully. +./aws/aws_cis_v130_1_4.yaml processed successfully. 
+./aws/aws_rds_db_instance_deletion_protection_enabled.yaml processed successfully. +./aws/aws_rds_db_instance_in_backup_plan.yaml processed successfully. +./aws/aws_ebs_snapshot_not_publicly_restorable.yaml processed successfully. +./aws/aws_elb_classic_lb_no_registered_instance.yaml processed successfully. +./aws/aws_sagemaker_training_job_inter_container_traffic_encryption_enabled.yaml processed successfully. +./aws/aws_foundational_security_ec2_1.yaml processed successfully. +./aws/aws_iam_user_no_inline_attached_policies.yaml processed successfully. +./aws/aws_foundational_security_opensearch_10.yaml processed successfully. +./aws/aws_elb_application_lb_desync_mitigation_mode.yaml processed successfully. +./aws/aws_cis_v140_1_3.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_destruction_rds_access.yaml processed successfully. +./aws/aws_cis_v300_2_2_1.yaml processed successfully. +./aws/aws_foundational_security_secretsmanager_2.yaml processed successfully. +./aws/aws_cis_v200_1_19.yaml processed successfully. +./aws/aws_cis_v120_1_22.yaml processed successfully. +./aws/aws_opensearch_domain_in_vpc.yaml processed successfully. +./aws/aws_cis_v150_4_10.yaml processed successfully. +./aws/aws_s3_bucket_not_accessible_to_all_authenticated_user.yaml processed successfully. +./aws/aws_mandatory_sql_cloudtrail_trail_mandatory.yaml processed successfully. +./aws/aws_opensearch_domain_data_node_fault_tolerance.yaml processed successfully. +./aws/aws_foundational_security_rds_21.yaml processed successfully. +./aws/aws_eks_cluster_secrets_encrypted.yaml processed successfully. +./aws/aws_foundational_security_elb_14.yaml processed successfully. +./aws/aws_vpc_security_group_remote_administration_ipv4.yaml processed successfully. +./aws/aws_msk_cluster_encryption_in_transit_with_tls_enabled.yaml processed successfully. +./aws/aws_mandatory_sql_eks_addon_mandatory.yaml processed successfully. 
+./aws/aws_mandatory_sql_elastic_beanstalk_environment_mandatory.yaml processed successfully. +./aws/aws_foundational_security_kinesis_1.yaml processed successfully. +./aws/aws_s3_bucket_cross_region_replication_enabled.yaml processed successfully. +./aws/aws_redshift_cluster_encryption_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_lambda_1.yaml processed successfully. +./aws/aws_cis_v150_3_8.yaml processed successfully. +./aws/aws_cloudformation_stack_drift_detection_check.yaml processed successfully. +./aws/aws_appsync_graphql_api_field_level_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_sagemaker_2.yaml processed successfully. +./aws/aws_mandatory_sql_iam_server_certificate_mandatory.yaml processed successfully. +./aws/aws_foundational_security_neptune_4.yaml processed successfully. +./aws/aws_ecs_task_definition_no_host_pid_mode.yaml processed successfully. +./aws/aws_dynamodb_table_encryption_enabled.yaml processed successfully. +./aws/aws_vpc_flow_logs_enabled.yaml processed successfully. +./aws/aws_eventbridge_custom_bus_resource_based_policy_attached.yaml processed successfully. +./aws/aws_elasticache_cluster_no_public_subnet.yaml processed successfully. +./aws/aws_iam_role_no_administrator_access_policy_attached.yaml processed successfully. +./aws/aws_foundational_security_s3_12.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_3.yaml processed successfully. +./aws/aws_rds_db_instance_prohibit_public_access.yaml processed successfully. +./aws/aws_docdb_cluster_deletion_protection_enabled.yaml processed successfully. +./aws/aws_foundational_security_es_1.yaml processed successfully. +./aws/aws_apigateway_stage_cache_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_cis_v140_2_1_3.yaml processed successfully. +./aws/aws_cis_v140_3_2.yaml processed successfully. +./aws/aws_foundational_security_iam_5.yaml processed successfully. 
+./aws/aws_foundational_security_cloudfront_3.yaml processed successfully. +./aws/aws_cis_v140_3_11.yaml processed successfully. +./aws/aws_cis_v130_3_5.yaml processed successfully. +./aws/aws_rds_db_cluster_copy_tags_to_snapshot_enabled.yaml processed successfully. +./aws/aws_foundational_security_ec2_16.yaml processed successfully. +./aws/aws_mandatory_sql_ec2_instance_mandatory.yaml processed successfully. +./aws/aws_cloudfront_distribution_configured_with_origin_failover.yaml processed successfully. +./aws/aws_foundational_security_rds_18.yaml processed successfully. +./aws/aws_sagemaker_training_job_network_isolation_enabled.yaml processed successfully. +./aws/aws_cis_v150_1_10.yaml processed successfully. +./aws/aws_foundational_security_eks_1.yaml processed successfully. +./aws/aws_cis_v200_1_20.yaml processed successfully. +./aws/aws_ecr_repository_tag_immutability_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_2.yaml processed successfully. +./aws/aws_rds_db_parameter_group_events_subscription.yaml processed successfully. +./aws/aws_cloudtrail_bucket_not_public.yaml processed successfully. +./aws/aws_foundational_security_elasticache_2.yaml processed successfully. +./aws/aws_iam_role_unused_60.yaml processed successfully. +./aws/aws_cis_v140_1_15.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_security_group_write_access.yaml processed successfully. +./aws/aws_rds_db_instance_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_apigateway_3.yaml processed successfully. +./aws/aws_sso_users_with_permission_assignments_are_required_to_have_MFA_on_AzureAD.yaml processed successfully. +./aws/aws_cis_v130_1_7.yaml processed successfully. +./aws/aws_lambda_function_tracing_enabled.yaml processed successfully. +./aws/aws_ecs_cluster_container_instance_agent_connected.yaml processed successfully. +./aws/aws_cloudtrail_trail_bucket_mfa_enabled.yaml processed successfully. 
+./aws/aws_neptune_db_cluster_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_cis_v140_2_3_1.yaml processed successfully. +./aws/aws_s3_bucket_static_website_hosting_disabled.yaml processed successfully. +./aws/aws_waf_regional_web_acl_rule_attached.yaml processed successfully. +./aws/aws_mandatory_sql_rds_db_cluster_parameter_group_mandatory.yaml processed successfully. +./aws/aws_foundational_security_ec2_2.yaml processed successfully. +./aws/aws_cis_v120_1_21.yaml processed successfully. +./aws/aws_mandatory_sql_dms_replication_instance_mandatory.yaml processed successfully. +./aws/aws_vpc_endpoint_service_acceptance_required_enabled.yaml processed successfully. +./aws/aws_foundational_security_secretsmanager_1.yaml processed successfully. +./aws/aws_mandatory_sql_ecs_service_mandatory.yaml processed successfully. +./aws/aws_cloudfront_distribution_no_non_existent_s3_origin.yaml processed successfully. +./aws/aws_iam_root_user_no_access_keys.yaml processed successfully. +./aws/aws_foundational_security_codebuild_5.yaml processed successfully. +./aws/aws_iam_user_access_key_age_90.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_4.yaml processed successfully. +./aws/aws_api_gatewayv2_route_authorizer_configured.yaml processed successfully. +./aws/aws_rds_db_instance_protected_by_backup_plan.yaml processed successfully. +./aws/aws_vpc_route_table_restrict_public_access_to_igw.yaml processed successfully. +./aws/aws_foundational_security_rds_22.yaml processed successfully. +./aws/aws_foundational_security_lambda_2.yaml processed successfully. +./aws/aws_cis_compute_service_v100_6_3.yaml processed successfully. +./aws/aws_vpc_network_acl_remote_administration.yaml processed successfully. +./aws/aws_s3_public_access_block_account.yaml processed successfully. +./aws/aws_redshift_cluster_no_default_database_name.yaml processed successfully. +./aws/aws_foundational_security_sagemaker_1.yaml processed successfully. 
+./aws/aws_foundational_security_neptune_7.yaml processed successfully. +./aws/aws_ec2_instance_termination_protection_enabled.yaml processed successfully. +./aws/aws_foundational_security_rds_34.yaml processed successfully. +./aws/aws_ec2_instance_user_data_no_secrets.yaml processed successfully. +./aws/aws_foundational_security_es_2.yaml processed successfully. +./aws/aws_mandatory_sql_rds_db_cluster_mandatory.yaml processed successfully. +./aws/aws_foundational_security_s3_11.yaml processed successfully. +./aws/aws_neptune_db_cluster_snapshot_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_cloudfront_distribution_geo_restrictions_enabled.yaml processed successfully. +./aws/aws_dynamodb_table_deletion_protection_enabled.yaml processed successfully. +./aws/aws_cis_v120_2_8.yaml processed successfully. +./aws/aws_foundational_security_elb_6.yaml processed successfully. +./aws/aws_rds_db_instance_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_foundational_security_ec2_15.yaml processed successfully. +./aws/aws_vpc_security_group_allows_ingress_to_mongodb_ports.yaml processed successfully. +./aws/aws_s3_bucket_versioning_enabled.yaml processed successfully. +./aws/aws_iam_policy_all_attached_no_star_star.yaml processed successfully. +./aws/aws_cis_v130_3_6.yaml processed successfully. +./aws/aws_autoscaling_group_with_lb_use_health_check.yaml processed successfully. +./aws/aws_dynamodb_table_auto_scaling_enabled.yaml processed successfully. +./aws/aws_codebuild_project_with_user_controlled_buildspec.yaml processed successfully. +./aws/aws_neptune_db_cluster_iam_authentication_enabled.yaml processed successfully. +./aws/aws_foundational_security_rds_14.yaml processed successfully. +./aws/aws_acm_certificate_not_expired.yaml processed successfully. +./aws/aws_lightsail_instance_ipv6_networking_disabled.yaml processed successfully. +./aws/aws_vpc_default_security_group_restricts_all_traffic.yaml processed successfully. 
+./aws/aws_cis_v130_4_8.yaml processed successfully. +./aws/aws_foundational_security_efs_3.yaml processed successfully. +./aws/aws_cis_v200_3_7.yaml processed successfully. +./aws/aws_mandatory_sql_rds_db_subnet_group_mandatory.yaml processed successfully. +./aws/aws_mandatory_sql_config_rule_mandatory.yaml processed successfully. +./aws/aws_iam_root_user_mfa_enabled.yaml processed successfully. +./aws/aws_foundational_security_ssm_1.yaml processed successfully. +./aws/aws_cis_v120_1_1.yaml processed successfully. +./aws/aws_waf_rule_group_rule_attached.yaml processed successfully. +./aws/aws_cis_v200_3_11.yaml processed successfully. +./aws/aws_foundational_security_redshift_6.yaml processed successfully. +./aws/aws_neptune_db_cluster_deletion_protection_enabled.yaml processed successfully. +./aws/aws_cis_v120_1_17.yaml processed successfully. +./aws/aws_ecs_cluster_container_insights_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_11.yaml processed successfully. +./aws/aws_cis_v140_1_19.yaml processed successfully. +./aws/aws_cis_v120_4_2.yaml processed successfully. +./aws/aws_foundational_security_networkfirewall_3.yaml processed successfully. +./aws/aws_log_group_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_ecs_task_definition_container_non_privileged.yaml processed successfully. +./aws/aws_es_domain_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_foundational_security_ec2_23.yaml processed successfully. +./aws/aws_cis_v300_3_2.yaml processed successfully. +./aws/aws_cis_v150_4_5.yaml processed successfully. +./aws/aws_mandatory_sql_ecs_container_instance_mandatory.yaml processed successfully. +./aws/aws_foundational_security_appsync_2.yaml processed successfully. +./aws/aws_iam_account_password_policy_one_symbol.yaml processed successfully. +./aws/aws_mandatory_sql_directory_service_directory_mandatory.yaml processed successfully. 
+./aws/aws_iam_account_password_policy_one_lowercase_letter.yaml processed successfully. +./aws/aws_foundational_security_docdb_5.yaml processed successfully. +./aws/aws_vpc_security_group_restrict_ingress_kafka_port.yaml processed successfully. +./aws/aws_cis_v130_1_12.yaml processed successfully. +./aws/aws_elb_tls_listener_protocol_version.yaml processed successfully. +./aws/aws_cloudwatch_alarm_action_enabled_check.yaml processed successfully. +./aws/aws_mandatory_sql_dax_cluster_mandatory.yaml processed successfully. +./aws/aws_cloudtrail_multi_region_trail_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_8.yaml processed successfully. +./aws/aws_iam_user_one_active_key.yaml processed successfully. +./aws/aws_waf_regional_rule_group_rule_attached.yaml processed successfully. +./aws/aws_rds_db_instance_iam_authentication_enabled.yaml processed successfully. +./aws/aws_log_metric_filter_vpc.yaml processed successfully. +./aws/aws_vpc_security_group_restrict_ingress_tcp_udp_all.yaml processed successfully. +./aws/aws_mandatory_sql_sagemaker_notebook_instance_mandatory.yaml processed successfully. +./aws/aws_mandatory_sql_dynamodb_table_mandatory.yaml processed successfully. +./aws/aws_sagemaker_training_job_volume_and_data_encryption_enabled.yaml processed successfully. +./aws/aws_iam_role_should_not_have_trust_to_cognito_full_access.yaml processed successfully. +./aws/aws_wafv2_rule_group_logging_enabled.yaml processed successfully. +./aws/aws_cis_v200_1_16.yaml processed successfully. +./aws/aws_mandatory_sql_iam_user_mandatory.yaml processed successfully. +./aws/aws_cis_v150_3_7.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_14.yaml processed successfully. +./aws/aws_es_domain_cognito_authentication_enabled.yaml processed successfully. +./aws/aws_secretsmanager_secret_last_used_1_day.yaml processed successfully. +./aws/aws_log_metric_filter_security_group.yaml processed successfully. 
+./aws/aws_iam_group_not_empty.yaml processed successfully. +./aws/aws_cis_v300_1_3.yaml processed successfully. +./aws/aws_iam_users_with_api_keys_should_have_keys_rotated_every_x_days.yaml processed successfully. +./aws/aws_backup_recovery_point_min_retention_35_days.yaml processed successfully. +./aws/aws_foundational_security_dms_8.yaml processed successfully. +./aws/aws_foundational_security_ec2_19.yaml processed successfully. +./aws/aws_ec2_instance_ssm_managed.yaml processed successfully. +./aws/aws_sagemaker_notebook_instance_direct_internet_access_disabled.yaml processed successfully. +./aws/aws_es_domain_encrypted_using_tls_1_2.yaml processed successfully. +./aws/aws_redshift_cluster_automatic_upgrade_major_versions_enabled.yaml processed successfully. +./aws/aws_foundational_security_opensearch_5.yaml processed successfully. +./aws/aws_eks_cluster_endpoint_public_access_restricted.yaml processed successfully. +./aws/aws_cis_v120_2_4.yaml processed successfully. +./aws/aws_iam_custom_policy_unattached_no_star_star.yaml processed successfully. +./aws/aws_route53_zone_query_logging_enabled.yaml processed successfully. +./aws/aws_apigateway_rest_api_endpoint_restrict_public_access.yaml processed successfully. +./aws/aws_ec2_instance_detailed_monitoring_enabled.yaml processed successfully. +./aws/aws_s3_bucket_default_encryption_enabled.yaml processed successfully. +./aws/aws_foundational_security_opensearch_4.yaml processed successfully. +./aws/aws_cis_v120_2_5.yaml processed successfully. +./aws/aws_foundational_security_dms_9.yaml processed successfully. +./aws/aws_foundational_security_ec2_18.yaml processed successfully. +./aws/aws_foundational_security_sqs_1.yaml processed successfully. +./aws/aws_elastic_beanstalk_enhanced_health_reporting_enabled.yaml processed successfully. +./aws/aws_ssm_managed_instance_compliance_patch_compliant.yaml processed successfully. +./aws/aws_foundational_security_cloudfront_10.yaml processed successfully. 
+./aws/aws_mandatory_sql_ec2_network_load_balancer_mandatory.yaml processed successfully. +./aws/aws_rds_db_snapshot_encrypted_at_rest.yaml processed successfully. +./aws/aws_cis_v300_5_5.yaml processed successfully. +./aws/aws_sagemaker_model_network_isolation_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_2_4.yaml processed successfully. +./aws/aws_autoscaling_group_no_suspended_process.yaml processed successfully. +./aws/aws_rds_db_instance_and_cluster_no_default_port.yaml processed successfully. +./aws/aws_mandatory_sql_rds_db_cluster_snapshot_mandatory.yaml processed successfully. +./aws/aws_cis_v300_1_2.yaml processed successfully. +./aws/aws_iam_inline_policy_no_administrative_privileges.yaml processed successfully. +./aws/aws_ssm_document_prohibit_public_access.yaml processed successfully. +./aws/aws_appstream_fleet_session_disconnect_timeout_300_seconds.yaml processed successfully. +./aws/aws_opensearch_domain_cognito_authentication_enabled_for_kibana.yaml processed successfully. +./aws/aws_cis_v150_3_6.yaml processed successfully. +./aws/aws_mandatory_sql_secretsmanager_secret_mandatory.yaml processed successfully. +./aws/aws_cis_v120_3_11.yaml processed successfully. +./aws/aws_neptune_db_cluster_audit_logging_enabled.yaml processed successfully. +./aws/aws_cis_v200_1_17.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_9.yaml processed successfully. +./aws/aws_elb_application_lb_drop_http_headers.yaml processed successfully. +./aws/aws_ssm_parameter_encryption_enabled.yaml processed successfully. +./aws/aws_cis_v200_1_7.yaml processed successfully. +./aws/aws_foundational_security_ecs_1.yaml processed successfully. +./aws/aws_cis_v150_2_2_1.yaml processed successfully. +./aws/aws_ebs_volume_protected_by_backup_plan.yaml processed successfully. +./aws/aws_iam_user_access_key_unused_45.yaml processed successfully. +./aws/aws_cis_v130_1_13.yaml processed successfully. 
+./aws/aws_guardduty_finding_archived.yaml processed successfully. +./aws/aws_cloudtrail_trail_insight_selectors_and_logging_enabled.yaml processed successfully. +./aws/aws_ec2_instance_no_launch_wizard_security_group.yaml processed successfully. +./aws/aws_foundational_security_docdb_4.yaml processed successfully. +./aws/aws_cis_v300_3_3.yaml processed successfully. +./aws/aws_cis_v150_2_1_4.yaml processed successfully. +./aws/aws_elasticache_replication_group_auto_failover_enabled.yaml processed successfully. +./aws/aws_foundational_security_cloudtrail_2.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_10.yaml processed successfully. +./aws/aws_foundational_security_networkfirewall_2.yaml processed successfully. +./aws/aws_cis_v140_1_18.yaml processed successfully. +./aws/aws_mandatory_sql_rds_db_instance_mandatory.yaml processed successfully. +./aws/aws_cis_compute_service_v100_11_1.yaml processed successfully. +./aws/aws_cis_v200_3_10.yaml processed successfully. +./aws/aws_foundational_security_redshift_7.yaml processed successfully. +./aws/aws_cis_v120_1_16.yaml processed successfully. +./aws/aws_cis_v150_1_7.yaml processed successfully. +./aws/aws_log_metric_filter_console_login_mfa.yaml processed successfully. +./aws/aws_cloudwatch_alarm_action_enabled.yaml processed successfully. +./aws/aws_ebs_volume_snapshot_exists.yaml processed successfully. +./aws/aws_cloudtrail_multi_region_trail_integrated_with_logs.yaml processed successfully. +./aws/aws_foundational_security_rds_15.yaml processed successfully. +./aws/aws_log_metric_filter_organization.yaml processed successfully. +./aws/aws_foundational_security_efs_2.yaml processed successfully. +./aws/aws_cis_v200_3_6.yaml processed successfully. +./aws/aws_foundational_security_waf_8.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_1_1.yaml processed successfully. +./aws/aws_foundational_security_elb_7.yaml processed successfully. 
+./aws/aws_root_accounts_needs_to_have_mfa.yaml processed successfully. +./aws/aws_cis_v130_2_1_2.yaml processed successfully. +./aws/aws_cis_v130_3_7.yaml processed successfully. +./aws/aws_foundational_security_cloudfront_1.yaml processed successfully. +./aws/aws_mandatory_sql_wafv2_regex_pattern_set_mandatory.yaml processed successfully. +./aws/aws_cis_v120_2_9.yaml processed successfully. +./aws/aws_foundational_security_opensearch_8.yaml processed successfully. +./aws/aws_iam_security_audit_role.yaml processed successfully. +./aws/aws_iam_policy_custom_no_assume_role.yaml processed successfully. +./aws/aws_cis_v140_2_1_1.yaml processed successfully. +./aws/aws_acm_certificate_no_pending_validation_certificate.yaml processed successfully. +./aws/aws_foundational_security_es_3.yaml processed successfully. +./aws/aws_foundational_security_s3_10.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_1.yaml processed successfully. +./aws/aws_foundational_security_neptune_6.yaml processed successfully. +./aws/aws_foundational_security_rds_35.yaml processed successfully. +./aws/aws_codebuild_project_logging_enabled.yaml processed successfully. +./aws/aws_mandatory_sql_ec2_gateway_load_balancer_mandatory.yaml processed successfully. +./aws/aws_cis_v300_4_11.yaml processed successfully. +./aws/aws_cis_compute_service_v100_6_2.yaml processed successfully. +./aws/aws_elb_classic_lb_multiple_az_configured.yaml processed successfully. +./aws/aws_foundational_security_emr_1.yaml processed successfully. +./aws/aws_vpc_security_group_remote_administration_ipv6.yaml processed successfully. +./aws/aws_foundational_security_codebuild_4.yaml processed successfully. +./aws/aws_vpc_security_group_associated_to_eni.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_5.yaml processed successfully. +./aws/aws_mandatory_sql_vpc_nat_gateway_mandatory.yaml processed successfully. +./aws/aws_opensearch_domain_logs_to_cloudwatch.yaml processed successfully. 
+./aws/aws_cloudfront_distribution_no_deprecated_ssl_protocol.yaml processed successfully. +./aws/aws_cis_v120_1_20.yaml processed successfully. +./aws/aws_cloudformation_stack_rollback_enabled.yaml processed successfully. +./aws/aws_vpc_security_group_unused.yaml processed successfully. +./aws/aws_iam_account_password_policy_one_number.yaml processed successfully. +./aws/aws_cis_v140_1_1.yaml processed successfully. +./aws/aws_foundational_security_ec2_3.yaml processed successfully. +./aws/aws_backup_recovery_point_manual_deletion_disabled.yaml processed successfully. +./aws/aws_foundational_security_apigateway_2.yaml processed successfully. +./aws/aws_vpc_peering_connection_no_cross_account_access.yaml processed successfully. +./aws/aws_foundational_security_autoscaling_6.yaml processed successfully. +./aws/aws_ec2_ebs_default_encryption_enabled.yaml processed successfully. +./aws/aws_vpc_peering_connection_route_table_least_privilege.yaml processed successfully. +./aws/aws_cis_v140_1_14.yaml processed successfully. +./aws/aws_rds_db_instance_no_default_admin_name.yaml processed successfully. +./aws/aws_ecs_task_definition_no_root_user.yaml processed successfully. +./aws/aws_foundational_security_elasticache_3.yaml processed successfully. +./aws/aws_cis_v150_4_8.yaml processed successfully. +./aws/aws_rds_db_snapshot_prohibit_public_access.yaml processed successfully. +./aws/aws_apigateway_stage_use_waf_web_acl.yaml processed successfully. +./aws/aws_autoscaling_group_uses_ec2_launch_template.yaml processed successfully. +./aws/aws_networkfirewall_firewall_in_vpc.yaml processed successfully. +./aws/aws_cis_v200_1_21.yaml processed successfully. +./aws/aws_guardduty_no_high_severity_findings.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_3.yaml processed successfully. +./aws/aws_cis_v300_1_12.yaml processed successfully. +./aws/aws_iam_account_password_policy_reuse_24.yaml processed successfully. 
+./aws/aws_foundational_security_waf_4.yaml processed successfully. +./aws/aws_cis_v150_1_11.yaml processed successfully. +./aws/aws_vpc_not_in_use.yaml processed successfully. +./aws/aws_ec2_instance_virtualization_type_no_paravirtual.yaml processed successfully. +./aws/aws_foundational_security_rds_19.yaml processed successfully. +./aws/aws_kms_cmk_policy_prohibit_public_access.yaml processed successfully. +./aws/aws_directory_service_directory_snapshots_limit_2.yaml processed successfully. +./aws/aws_waf_web_acl_logging_enabled.yaml processed successfully. +./aws/aws_elb_classic_lb_with_outbound_rule.yaml processed successfully. +./aws/aws_foundational_security_rds_12.yaml processed successfully. +./aws/aws_s3_public_access_block_bucket_account.yaml processed successfully. +./aws/aws_efs_file_system_protected_by_backup_plan.yaml processed successfully. +./aws/aws_cloudfront_distribution_latest_tls_version.yaml processed successfully. +./aws/aws_apigateway_rest_api_stage_xray_tracing_enabled.yaml processed successfully. +./aws/aws_elb_classic_lb_use_tls_https_listeners.yaml processed successfully. +./aws/aws_acmpca_root_certificate_authority_disabled.yaml processed successfully. +./aws/aws_elb_classic_lb_desync_mitigation_mode.yaml processed successfully. +./aws/aws_elasticache_replication_group_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_8.yaml processed successfully. +./aws/aws_cis_v300_1_19.yaml processed successfully. +./aws/aws_cis_v120_1_11.yaml processed successfully. +./aws/aws_kms_cmk_unused.yaml processed successfully. +./aws/aws_vpc_vpn_tunnel_up.yaml processed successfully. +./aws/aws_mandatory_sql_s3_bucket_mandatory.yaml processed successfully. +./aws/aws_ecs_cluster_no_active_services_count.yaml processed successfully. +./aws/aws_cis_v120_4_4.yaml processed successfully. +./aws/aws_foundational_security_networkfirewall_5.yaml processed successfully. 
+./aws/aws_ec2_instance_ebs_optimized.yaml processed successfully. +./aws/aws_ec2_instance_protected_by_backup_plan.yaml processed successfully. +./aws/aws_cis_v150_4_3.yaml processed successfully. +./aws/aws_cis_v300_3_4.yaml processed successfully. +./aws/aws_sns_topic_notification_delivery_status_enabled.yaml processed successfully. +./aws/aws_foundational_security_cloudtrail_5.yaml processed successfully. +./aws/aws_mandatory_sql_ec2_application_load_balancer_mandatory.yaml processed successfully. +./aws/aws_cis_v150_2_1_3.yaml processed successfully. +./aws/aws_backup_recovery_point_encryption_enabled.yaml processed successfully. +./aws/aws_route53_domain_not_expired.yaml processed successfully. +./aws/aws_mandatory_sql_elasticache_cluster_mandatory.yaml processed successfully. +./aws/aws_foundational_security_ec2_8.yaml processed successfully. +./aws/aws_cis_v130_1_14.yaml processed successfully. +./aws/aws_foundational_security_apigateway_9.yaml processed successfully. +./aws/aws_cis_v200_2_3_1.yaml processed successfully. +./aws/aws_glue_connection_ssl_enabled.yaml processed successfully. +./aws/aws_iam_policy_custom_attached_no_star_star.yaml processed successfully. +./aws/aws_codebuild_project_build_greater_then_90_days.yaml processed successfully. +./aws/aws_rds_db_cluster_aurora_protected_by_backup_plan.yaml processed successfully. +./aws/aws_cis_v200_1_10.yaml processed successfully. +./aws/aws_s3_public_access_block_bucket.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_12.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_elastic_ip_hijacking_access.yaml processed successfully. +./aws/aws_backup_plan_min_retention_35_days.yaml processed successfully. +./aws/aws_es_domain_data_nodes_min_3.yaml processed successfully. +./aws/aws_mandatory_sql_ecr_repository_mandatory.yaml processed successfully. +./aws/aws_foundational_security_es_8.yaml processed successfully. 
+./aws/aws_elb_application_lb_with_outbound_rule.yaml processed successfully. +./aws/aws_cis_v150_2_3_2.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_attached_with_credentials_exposure_access.yaml processed successfully. +./aws/aws_elb_application_network_lb_use_ssl_certificate.yaml processed successfully. +./aws/aws_foundational_security_ecr_2.yaml processed successfully. +./aws/aws_cis_v300_1_5.yaml processed successfully. +./aws/aws_mandatory_sql_sagemaker_endpoint_configuration_mandatory.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_2_3.yaml processed successfully. +./aws/aws_ebs_attached_volume_delete_on_termination_enabled.yaml processed successfully. +./aws/aws_iam_account_password_policy_strong_min_length_8.yaml processed successfully. +./aws/aws_efs_file_system_encrypt_data_at_rest.yaml processed successfully. +./aws/aws_foundational_security_dynamodb_3.yaml processed successfully. +./aws/aws_networkfirewall_firewall_policy_rule_group_not_empty.yaml processed successfully. +./aws/aws_mandatory_sql_guardduty_detector_mandatory.yaml processed successfully. +./aws/aws_cis_v200_4_3.yaml processed successfully. +./aws/aws_cis_v300_5_2.yaml processed successfully. +./aws/aws_lambda_function_concurrent_execution_limit_configured.yaml processed successfully. +./aws/aws_foundational_security_opensearch_3.yaml processed successfully. +./aws/aws_waf_web_acl_rule_attached.yaml processed successfully. +./aws/aws_cis_v120_2_2.yaml processed successfully. +./aws/aws_foundational_security_backup_1.yaml processed successfully. +./aws/aws_mandatory_sql_elasticsearch_domain_mandatory.yaml processed successfully. +./aws/aws_foundational_security_waf_3.yaml processed successfully. +./aws/aws_mandatory_sql_codepipeline_pipeline_mandatory.yaml processed successfully. +./aws/aws_cis_v140_4_5.yaml processed successfully. +./aws/aws_cis_v150_1_16.yaml processed successfully. 
+./aws/aws_mandatory_sql_rds_db_snapshot_mandatory.yaml processed successfully. +./aws/aws_sagemaker_notebook_instance_root_access_disabled.yaml processed successfully. +./aws/aws_foundational_security_acm_2.yaml processed successfully. +./aws/aws_cis_v300_1_15.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_4.yaml processed successfully. +./aws/aws_rds_db_cluster_no_default_admin_name.yaml processed successfully. +./aws/aws_efs_file_system_in_backup_plan.yaml processed successfully. +./aws/aws_cis_v300_3_8.yaml processed successfully. +./aws/aws_foundational_security_elasticache_4.yaml processed successfully. +./aws/aws_kms_key_decryption_restricted_in_iam_customer_managed_policy.yaml processed successfully. +./aws/aws_emr_cluster_encryption_at_rest_with_sse_kms.yaml processed successfully. +./aws/aws_s3_bucket_object_lock_enabled.yaml processed successfully. +./aws/aws_cloudfront_distribution_field_level_encryption_enabled.yaml processed successfully. +./aws/aws_rds_db_instance_copy_tags_to_snapshot_enabled.yaml processed successfully. +./aws/aws_cis_v140_5_1.yaml processed successfully. +./aws/aws_foundational_security_networkfirewall_9.yaml processed successfully. +./aws/aws_cis_v140_1_13.yaml processed successfully. +./aws/aws_wafv2_web_acl_logging_enabled.yaml processed successfully. +./aws/aws_waf_regional_rule_condition_attached.yaml processed successfully. +./aws/aws_elastic_beanstalk_environment_managed_updates_enabled.yaml processed successfully. +./aws/aws_foundational_security_s3_8.yaml processed successfully. +./aws/aws_foundational_security_apigateway_5.yaml processed successfully. +./aws/aws_cis_v130_1_1.yaml processed successfully. +./aws/aws_sagemaker_notebook_instance_encrypted_with_kms_cmk.yaml processed successfully. +./aws/aws_cis_v130_1_18.yaml processed successfully. +./aws/aws_foundational_security_autoscaling_1.yaml processed successfully. +./aws/aws_dms_certificate_not_expired.yaml processed successfully. 
+./aws/aws_foundational_security_elasticbeanstalk_3.yaml processed successfully. +./aws/aws_foundational_security_ec2_4.yaml processed successfully. +./aws/aws_iam_account_password_policy_one_uppercase_letter.yaml processed successfully. +./aws/aws_cloudfront_distribution_encryption_in_transit_enabled.yaml processed successfully. +./aws/aws_foundational_security_codebuild_3.yaml processed successfully. +./aws/aws_mandatory_sql_cloudwatch_log_group_mandatory.yaml processed successfully. +./aws/aws_route53_domain_transfer_lock_enabled.yaml processed successfully. +./aws/aws_cloudwatch_cross_account_sharing.yaml processed successfully. +./aws/aws_foundational_security_pca_1.yaml processed successfully. +./aws/aws_redshift_cluster_automatic_snapshots_min_7_days.yaml processed successfully. +./aws/aws_secretsmanager_secret_rotated_as_scheduled.yaml processed successfully. +./aws/aws_cis_v300_2_1_1.yaml processed successfully. +./aws/aws_foundational_security_rds_24.yaml processed successfully. +./aws/aws_elb_application_lb_deletion_protection_enabled.yaml processed successfully. +./aws/aws_log_metric_filter_console_authentication_failure.yaml processed successfully. +./aws/aws_api_gateway_method_authorization_type_configured.yaml processed successfully. +./aws/aws_iam_policy_inline_no_blocked_kms_actions.yaml processed successfully. +./aws/aws_log_metric_filter_config_configuration.yaml processed successfully. +./aws/aws_cis_v150_3_11.yaml processed successfully. +./aws/aws_redshift_cluster_audit_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_neptune_1.yaml processed successfully. +./aws/aws_workspaces_workspace_volume_encryption_enabled.yaml processed successfully. +./aws/aws_mandatory_sql_rds_db_option_group_mandatory.yaml processed successfully. +./aws/aws_emr_cluster_master_nodes_no_public_ip.yaml processed successfully. +./aws/aws_autoscaling_launch_config_public_ip_disabled.yaml processed successfully. 
+./aws/aws_cis_v130_1_22.yaml processed successfully. +./aws/aws_foundational_security_es_4.yaml processed successfully. +./aws/aws_lambda_function_cloudwatch_insights_enabled.yaml processed successfully. +./aws/aws_dynamodb_table_in_backup_plan.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_6.yaml processed successfully. +./aws/aws_dms_replication_task_source_database_logging_enabled.yaml processed successfully. +./aws/aws_foundational_security_cloudfront_6.yaml processed successfully. +./aws/aws_iam_user_mfa_enabled.yaml processed successfully. +./aws/aws_cis_v140_3_7.yaml processed successfully. +./aws/aws_lambda_function_in_vpc.yaml processed successfully. +./aws/aws_foundational_security_elb_1.yaml processed successfully. +./aws/aws_mandatory_sql_vpc_eip_mandatory.yaml processed successfully. +./aws/aws_cloudtrail_s3_object_read_events_audit_enabled.yaml processed successfully. +./aws/aws_iam_all_policy_no_service_wild_card.yaml processed successfully. +./aws/aws_foundational_security_cloudfront_7.yaml processed successfully. +./aws/aws_foundational_security_athena_1.yaml processed successfully. +./aws/aws_cis_v140_3_6.yaml processed successfully. +./aws/aws_foundational_security_iam_1.yaml processed successfully. +./aws/aws_foundational_security_es_5.yaml processed successfully. +./aws/aws_route53_domain_expires_7_days.yaml processed successfully. +./aws/aws_cis_v300_1_8.yaml processed successfully. +./aws/aws_sqs_queue_dead_letter_queue_configured.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_7.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_org_write_access.yaml processed successfully. +./aws/aws_cis_compute_service_v100_6_4.yaml processed successfully. +./aws/aws_cis_v150_3_10.yaml processed successfully. +./aws/aws_foundational_security_elb_10.yaml processed successfully. +./aws/aws_codebuild_project_s3_logs_encryption_enabled.yaml processed successfully. 
+./aws/aws_foundational_security_rds_25.yaml processed successfully. +./aws/aws_secretsmanager_secret_automatic_rotation_enabled.yaml processed successfully. +./aws/aws_waf_web_acl_resource_associated.yaml processed successfully. +./aws/aws_neptune_db_cluster_no_public_subnet.yaml processed successfully. +./aws/aws_lambda_function_variables_no_sensitive_data.yaml processed successfully. +./aws/aws_foundational_security_codebuild_2.yaml processed successfully. +./aws/aws_ec2_instance_not_publicly_accessible.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_3.yaml processed successfully. +./aws/aws_mandatory_sql_vpc_mandatory.yaml processed successfully. +./aws/aws_foundational_security_eventbridge_3.yaml processed successfully. +./aws/aws_cis_v150_4_14.yaml processed successfully. +./aws/aws_iam_policy_custom_no_permissive_role_assumption.yaml processed successfully. +./aws/aws_foundational_security_sns_1.yaml processed successfully. +./aws/aws_cis_v140_1_7.yaml processed successfully. +./aws/aws_opensearch_domain_internal_user_database_disabled.yaml processed successfully. +./aws/aws_foundational_security_apigateway_4.yaml processed successfully. +./aws/aws_cis_compute_service_v100_5_1.yaml processed successfully. +./aws/aws_ecs_service_not_publicly_accessible.yaml processed successfully. +./aws/aws_cis_v130_1_19.yaml processed successfully. +./aws/aws_ecs_cluster_encryption_at_rest_enabled.yaml processed successfully. +./aws/aws_sqs_queue_policy_prohibit_public_access.yaml processed successfully. +./aws/aws_ecs_task_definition_container_readonly_root_filesystem.yaml processed successfully. +./aws/aws_cis_v140_1_12.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_alter_critical_s3_permissions_configuration.yaml processed successfully. +./aws/aws_iam_root_user_hardware_mfa_enabled.yaml processed successfully. +./aws/aws_foundational_security_s3_9.yaml processed successfully. +./aws/aws_cis_v300_3_9.yaml processed successfully. 
+./aws/aws_foundational_security_elasticache_5.yaml processed successfully. +./aws/aws_ec2_instance_iam_profile_attached.yaml processed successfully. +./aws/aws_account_alternate_contact_security_registered.yaml processed successfully. +./aws/aws_acm_certificate_expires_30_days.yaml processed successfully. +./aws/aws_foundational_security_kms_1.yaml processed successfully. +./aws/aws_cis_v300_2_3_1.yaml processed successfully. +./aws/aws_mandatory_sql_ec2_reserved_instance_mandatory.yaml processed successfully. +./aws/aws_elasticache_replication_group_redis_auth_enabled.yaml processed successfully. +./aws/aws_autoscaling_launch_config_requires_imdsv2.yaml processed successfully. +./aws/aws_cis_v130_2_2_1.yaml processed successfully. +./aws/aws_glue_data_catalog_encryption_settings_metadata_encryption_enabled.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_5.yaml processed successfully. +./aws/aws_glue_data_catalog_encryption_settings_password_encryption_enabled.yaml processed successfully. +./aws/aws_cis_v300_1_14.yaml processed successfully. +./aws/aws_foundational_security_waf_2.yaml processed successfully. +./aws/aws_vpc_igw_attached_to_authorized_vpc.yaml processed successfully. +./aws/aws_cis_v150_1_17.yaml processed successfully. +./aws/aws_ec2_ami_ebs_encryption_enabled.yaml processed successfully. +./aws/aws_athena_workgroup_enforce_configuration_enabled.yaml processed successfully. +./aws/aws_foundational_security_ecs_10.yaml processed successfully. +./aws/aws_lambda_function_cors_configuration.yaml processed successfully. +./aws/aws_cis_v130_4_3.yaml processed successfully. +./aws/aws_iam_group_user_role_no_inline_policies.yaml processed successfully. +./aws/aws_dlm_ebs_snapshot_lifecycle_policy_enabled.yaml processed successfully. +./aws/aws_sns_topic_policy_prohibit_cross_account_access.yaml processed successfully. +./aws/aws_foundational_security_msk_1.yaml processed successfully. 
+./aws/aws_rds_db_instance_automatic_minor_version_upgrade_enabled.yaml processed successfully. +./aws/aws_opensearch_domain_https_required.yaml processed successfully. +./aws/aws_foundational_security_opensearch_2.yaml processed successfully. +./aws/aws_config_configuration_recorder_no_failed_deliver_logs.yaml processed successfully. +./aws/aws_cis_v120_2_3.yaml processed successfully. +./aws/aws_ecs_task_definition_container_environment_no_secret.yaml processed successfully. +./aws/aws_foundational_security_waf_12.yaml processed successfully. +./aws/aws_elb_classic_lb_use_ssl_certificate.yaml processed successfully. +./aws/aws_foundational_security_dynamodb_2.yaml processed successfully. +./aws/aws_cis_v200_2_1_1.yaml processed successfully. +./aws/aws_cis_v300_5_3.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_with_write_level_access.yaml processed successfully. +./aws/aws_secretsmanager_secret_last_changed_90_day.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_2_2.yaml processed successfully. +./aws/aws_vpc_eip_associated.yaml processed successfully. +./aws/aws_ecs_service_fargate_using_latest_platform_version.yaml processed successfully. +./aws/aws_ec2_ami_not_older_than_90_days.yaml processed successfully. +./aws/aws_cis_v150_2_3_3.yaml processed successfully. +./aws/aws_eks_cluster_no_default_vpc.yaml processed successfully. +./aws/aws_foundational_security_ecr_3.yaml processed successfully. +./aws/aws_cis_v300_1_4.yaml processed successfully. +./aws/aws_cloudtrail_s3_object_write_events_audit_enabled.yaml processed successfully. +./aws/aws_foundational_security_rds_7.yaml processed successfully. +./aws/aws_cis_v150_1_21.yaml processed successfully. +./aws/aws_cis_v200_5_6.yaml processed successfully. +./aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml processed successfully. +./aws/aws_cis_compute_service_v100_2_13.yaml processed successfully. 
+./aws/aws_mandatory_sql_iam_role_mandatory.yaml processed successfully. +./aws/aws_mq_broker_restrict_public_access.yaml processed successfully. +./aws/aws_mandatory_sql_ebs_snapshot_mandatory.yaml processed successfully. +./aws/aws_lambda_function_multiple_az_configured.yaml processed successfully. +./aws/aws_cis_v200_1_11.yaml processed successfully. +./aws/aws_emr_cluster_security_configuration_enabled.yaml processed successfully. +./aws/aws_cloudtrail_trail_validation_enabled.yaml processed successfully. +./aws/aws_cis_v200_1_1.yaml processed successfully. +./aws/aws_waf_rule_condition_attached.yaml processed successfully. +./aws/aws_mandatory_sql_route53_resolver_endpoint_mandatory.yaml processed successfully. +./aws/aws_docdb_cluster_backup_retention_period_7_days.yaml processed successfully. +./aws/aws_opensearch_domain_fine_grained_access_enabled.yaml processed successfully. +./aws/aws_cis_v130_1_15.yaml processed successfully. +./aws/aws_ec2_instance_no_iam_role_with_new_role_creation_with_attached_policy_access.yaml processed successfully. +./aws/aws_cis_compute_service_v100_3_12.yaml processed successfully. +./aws/aws_sqs_queue_encrypted_with_kms_cmk.yaml processed successfully. +./aws/aws_foundational_security_apigateway_8.yaml processed successfully. +./aws/aws_secretsmanager_secret_automatic_rotation_lambda_enabled.yaml processed successfully. +./aws/aws_ecs_task_definition_user_for_host_mode_check.yaml processed successfully. +./aws/aws_foundational_security_ec2_9.yaml processed successfully. +./aws/aws_foundational_security_docdb_2.yaml processed successfully. +./aws/aws_iam_policy_custom_no_blocked_kms_actions.yaml processed successfully. +./aws/aws_cis_v300_3_5.yaml processed successfully. +./aws/aws_log_metric_filter_bucket_policy.yaml processed successfully. +./aws/aws_foundational_security_cloudtrail_4.yaml processed successfully. +./aws/aws_cis_v150_2_1_2.yaml processed successfully. 
+./aws/aws_foundational_security_networkfirewall_4.yaml processed successfully. +./aws/aws_foundational_security_s3_5.yaml processed successfully. +./aws/aws_foundational_security_ec2_24.yaml processed successfully. +./aws/aws_rds_db_instance_and_cluster_enhanced_monitoring_enabled.yaml processed successfully. +./aws/aws_cis_v150_2_4_1.yaml processed successfully. +./aws/aws_cis_v150_1_1.yaml processed successfully. +./aws/aws_cis_v300_1_18.yaml processed successfully. +./aws/aws_cis_compute_service_v100_4_9.yaml processed successfully. +./aws/aws_s3_access_point_restrict_public_access.yaml processed successfully. +./aws/aws_foundational_security_redshift_1.yaml processed successfully. +./aws/aws_iam_user_no_policies.yaml processed successfully. +./aws/aws_vpc_security_group_not_uses_launch_wizard_sg.yaml processed successfully. +./aws/aws_efs_access_point_enforce_user_identity.yaml processed successfully. +./aws/aws_mandatory_sql_api_gateway_stage_mandatory.yaml processed successfully. +./aws/aws_foundational_security_rds_13.yaml processed successfully. +./aws/aws_foundational_security_efs_4.yaml processed successfully. +./aws/aws_redshift_cluster_prohibit_public_access.yaml processed successfully. +./aws/aws_lambda_function_restrict_public_url.yaml processed successfully. +./aws/aws_cis_v200_4_12.yaml processed successfully. +./aws/aws_mandatory_sql_sagemaker_training_job_mandatory.yaml processed successfully. +./aws/aws_cis_v140_4_8.yaml processed successfully. +./aws/aws_elasticache_replication_group_encryption_at_rest_enabled_with_kms_cmk.yaml processed successfully. +./aws/aws_cloudtrail_trail_enabled_account.yaml processed successfully. +./pending/azure/azure_cis_v200_4_1_1.yaml processed successfully. +./pending/azure/azure_cis_v150_4_3_3.yaml processed successfully. +./pending/azure/azure_cis_v130_3_5.yaml processed successfully. +./pending/azure/azure_cis_v200_4_2_4.yaml processed successfully. 
+./pending/azure/azure_cis_v210_1_3.yaml processed successfully. +./pending/azure/azure_cis_v200_1_11.yaml processed successfully. +./pending/azure/azure_cis_v130_5_1_4.yaml processed successfully. +./pending/azure/azure_cis_v210_4_3_5.yaml processed successfully. +./pending/azure/azure_cis_v200_9_10.yaml processed successfully. +./pending/azure/azure_cis_v130_4_2_1.yaml processed successfully. +./pending/azure/azure_cis_v140_4_2_2.yaml processed successfully. +./pending/azure/azure_cis_v140_4_3_6.yaml processed successfully. +./pending/azure/azure_cis_v210_9_9.yaml processed successfully. +./pending/azure/azure_cis_v200_8_7.yaml processed successfully. +./pending/azure/azure_cis_v130_4_3_4.yaml processed successfully. +./pending/azure/azure_cis_v150_6_6.yaml processed successfully. +./pending/azure/azure_cis_v140_4_2_3.yaml processed successfully. +./pending/azure/azure_cis_v210_4_3_4.yaml processed successfully. +./pending/azure/azure_cis_v150_8_7.yaml processed successfully. +./pending/azure/azure_cis_v200_6_6.yaml processed successfully. +./pending/azure/azure_cis_v150_9_3.yaml processed successfully. +./pending/azure/azure_cis_v150_4_1_3.yaml processed successfully. +./pending/azure/azure_cis_v200_4_2_5.yaml processed successfully. +./pending/azure/azure_cis_v150_4_3_2.yaml processed successfully. +./pending/azure/azure_cis_v200_4_4_3.yaml processed successfully. +./pending/azure/azure_cis_v140_4_1_1.yaml processed successfully. +./pending/azure/azure_cis_v210_4_3_3.yaml processed successfully. +./pending/azure/azure_cis_v140_4_2_4.yaml processed successfully. +./pending/azure/azure_mariadb_server_private_link_used.yaml processed successfully. +./pending/azure/azure_cis_v130_4_3_3.yaml processed successfully. +./pending/azure/azure_cis_v150_4_2_1.yaml processed successfully. +./pending/azure/azure_cis_v200_4_4_4.yaml processed successfully. +./pending/azure/azure_cis_v210_2_1_9.yaml processed successfully. 
+./pending/azure/azure_cis_v150_4_3_5.yaml processed successfully.
+./pending/azure/azure_cis_v140_4_6.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_2_2.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_3_6.yaml processed successfully.
+./pending/azure/azure_cis_v150_5_1_4.yaml processed successfully.
+./pending/azure/azure_cis_v150_9_10.yaml processed successfully.
+./pending/azure/azure_cis_v210_8_7.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_2_3.yaml processed successfully.
+./pending/azure/azure_cis_v140_3_5.yaml processed successfully.
+./pending/azure/azure_iot_hub_private_link_used.yaml processed successfully.
+./pending/azure/azure_cis_v150_4_3_4.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_1_6.yaml processed successfully.
+./pending/azure/azure_application_insights_linked_to_log_analytics_workspace.yaml processed successfully.
+./pending/azure/azure_cis_v210_4_1_3.yaml processed successfully.
+./pending/azure/azure_cis_v140_4_2_5.yaml processed successfully.
+./pending/azure/azure_cis_v210_4_3_2.yaml processed successfully.
+./pending/azure/azure_cis_v130_4_1_3.yaml processed successfully.
+./pending/azure/azure_cis_v140_1_8.yaml processed successfully.
+./pending/azure/azure_cis_v140_4_3_2.yaml processed successfully.
+./pending/azure/azure_cis_v130_9_10.yaml processed successfully.
+./pending/azure/azure_cis_v210_4_4_3.yaml processed successfully.
+./pending/azure/azure_cis_v130_4_2_5.yaml processed successfully.
+./pending/azure/azure_cis_v150_1_13.yaml processed successfully.
+./pending/azure/azure_cis_v140_4_1_3.yaml processed successfully.
+./pending/azure/azure_cis_v150_4_1_6.yaml processed successfully.
+./pending/azure/azure_cis_v140_6_5.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_3_4.yaml processed successfully.
+./pending/azure/azure_cis_v210_6_5.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_1_5.yaml processed successfully.
+./pending/azure/azure_cis_v150_4_2_3.yaml processed successfully.
+./pending/azure/azure_cis_v210_3_17.yaml processed successfully.
+./pending/azure/azure_cis_v140_1_6.yaml processed successfully.
+./pending/azure/azure_cis_v150_4_2_2.yaml processed successfully.
+./pending/azure/azure_cis_v200_5_1_4.yaml processed successfully.
+./pending/azure/azure_cis_v200_3_13.yaml processed successfully.
+./pending/azure/azure_cis_v150_4_3_6.yaml processed successfully.
+./pending/azure/azure_monitor_logs_storage_container_insights_activity_logs_encrypted_with_byok.yaml processed successfully.
+./pending/azure/azure_cis_v150_4_4_4.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_2_1.yaml processed successfully.
+./pending/azure/azure_storage_account_queues_logging_enabled.yaml processed successfully.
+./pending/azure/azure_cis_v140_6_4.yaml processed successfully.
+./pending/azure/azure_cis_v130_4_1_1.yaml processed successfully.
+./pending/azure/azure_cis_v130_4_2_4.yaml processed successfully.
+./pending/azure/azure_cis_v140_4_3_3.yaml processed successfully.
+./pending/azure/azure_storage_account_containing_vhd_os_disk_cmk_encrypted.yaml processed successfully.
+./pending/azure/azure_cis_v210_4_1_1.yaml processed successfully.
+./pending/azure/azure_cis_v130_6_4.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_3_2.yaml processed successfully.
+./pending/azure/azure_monitor_logs_storage_container_insights_operational_logs_encrypted_with_byok.yaml processed successfully.
+./pending/azure/azure_cis_v130_4_5.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_1_3.yaml processed successfully.
+./pending/azure/azure_cis_v200_2_1_10.yaml processed successfully.
+./pending/azure/azure_cis_v150_4_2_5.yaml processed successfully.
+./pending/azure/azure_cis_v210_4_1_6.yaml processed successfully.
+./pending/azure/azure_cis_v140_4_3_4.yaml processed successfully.
+./pending/azure/azure_cis_v130_4_3_7.yaml processed successfully.
+./pending/azure/azure_cis_v150_6_5.yaml processed successfully.
+./pending/azure/azure_cis_v130_4_2_3.yaml processed successfully.
+./pending/azure/azure_cis_v200_6_5.yaml processed successfully.
+./pending/azure/azure_cis_v140_5_1_4.yaml processed successfully.
+./pending/azure/azure_cis_v210_4_3_6.yaml processed successfully.
+./pending/azure/azure_cis_v200_3_7.yaml processed successfully.
+./pending/azure/azure_cis_v130_4_2_2.yaml processed successfully.
+./pending/azure/azure_cis_v210_4_4_4.yaml processed successfully.
+./pending/azure/azure_cis_v140_4_2_1.yaml processed successfully.
+./pending/azure/azure_cis_v130_4_3_6.yaml processed successfully.
+./pending/azure/azure_cis_v150_3_13.yaml processed successfully.
+./pending/azure/azure_cis_v140_4_3_5.yaml processed successfully.
+./pending/azure/azure_cis_v150_4_2_4.yaml processed successfully.
+./pending/azure/azure_cis_v150_1_18.yaml processed successfully.
+./pending/azure/azure_appservice_web_app_worker_more_than_one.yaml processed successfully.
+./pending/azure/azure_compute_windows_vm_secure_boot_enabled.yaml processed successfully.
+./pending/azure/azure_cis_v140_9_10.yaml processed successfully.
+./pending/azure/azure_cis_v200_4_3_3.yaml processed successfully.
+./pending/azure/azure_postgres_db_server_log_duration_on.yaml processed successfully.
+./pending/azure/azure_cis_v150_4_1_1.yaml processed successfully.
+./pending/azure/azure_cis_v130_6_5.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_1.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_15.yaml processed successfully.
+./pending/aws/aws_foundational_security_rds_4.yaml processed successfully.
+./pending/aws/aws_cis_v120_3_4.yaml processed successfully.
+./pending/aws/aws_emr_cluster_encryption_at_rest_enabled.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_4.yaml processed successfully.
+./pending/aws/aws_ec2_instance_no_iam_role_with_defense_evasion_impact_of_aws_security_services_access.yaml processed successfully.
+./pending/aws/aws_redshift_cluster_encrypted_with_cmk.yaml processed successfully.
+./pending/aws/aws_cis_v140_1_8.yaml processed successfully.
+./pending/aws/aws_iam_password_policy_expire_90.yaml processed successfully.
+./pending/aws/aws_cis_v150_4_1.yaml processed successfully.
+./pending/aws/aws_cis_v120_1_5.yaml processed successfully.
+./pending/aws/aws_lightsail_instance_ssh_rdp_http_ports_disabled.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_11.yaml processed successfully.
+./pending/aws/aws_cis_compute_service_v100_3_4.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_12.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_8.yaml processed successfully.
+./pending/aws/aws_foundational_security_elb_13.yaml processed successfully.
+./pending/aws/aws_cis_v120_3_8.yaml processed successfully.
+./pending/aws/aws_s3_bucket_object_logging_enabled.yaml processed successfully.
+./pending/aws/aws_foundational_security_ec2_6.yaml processed successfully.
+./pending/aws/aws_cis_v140_5_3.yaml processed successfully.
+./pending/aws/aws_foundational_security_kms_2.yaml processed successfully.
+./pending/aws/aws_cis_v120_1_9.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_1.yaml processed successfully.
+./pending/aws/aws_codedeploy_deployment_group_lambda_allatonce_traffic_shift_disabled.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_6.yaml processed successfully.
+./pending/aws/aws_glue_dev_endpoint_cloudwatch_logs_encryption_enabled.yaml processed successfully.
+./pending/aws/aws_cis_v120_3_9.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_15.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_9.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_13.yaml processed successfully.
+./pending/aws/aws_cis_v140_2_1_5.yaml processed successfully.
+./pending/aws/aws_foundational_security_elb_3.yaml processed successfully.
+./pending/aws/aws_foundational_security_ec2_10.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_10.yaml processed successfully.
+./pending/aws/aws_cis_v300_3_7.yaml processed successfully.
+./pending/aws/aws_cis_v140_1_9.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_5.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_14.yaml processed successfully.
+./pending/aws/aws_cis_v300_5_1.yaml processed successfully.
+./pending/aws/aws_cis_v120_2_1.yaml processed successfully.
+./pending/aws/aws_foundational_security_cloudfront_9.yaml processed successfully.
+./pending/aws/aws_emr_cluster_local_disk_encryption_enabled.yaml processed successfully.
+./pending/aws/aws_cis_v150_4_11.yaml processed successfully.
+./pending/aws/aws_docdb_cluster_snapshot_restrict_public_access.yaml processed successfully.
+./pending/aws/aws_cis_v200_1_22.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_1.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_6.yaml processed successfully.
+./pending/aws/aws_iam_role_cross_account_read_only_access_policy.yaml processed successfully.
+./pending/aws/aws_ec2_instance_no_high_level_finding_in_inspector_scan.yaml processed successfully.
+./pending/aws/aws_foundational_security_cloudfront_13.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_7.yaml processed successfully.
+./pending/aws/aws_foundational_security_guardduty_1.yaml processed successfully.
+./pending/aws/aws_cis_v120_3_2.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_2.yaml processed successfully.
+./pending/aws/aws_rds_db_cluster_encrypted_with_cmk.yaml processed successfully.
+./pending/aws/aws_cis_v130_1_9.yaml processed successfully.
+./pending/aws/aws_foundational_security_ec2_21.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_16.yaml processed successfully.
+./pending/aws/aws_dms_replication_task_target_database_logging_enabled.yaml processed successfully.
+./pending/aws/aws_cis_v120_1_14.yaml processed successfully.
+./pending/aws/aws_cis_v150_4_6.yaml processed successfully.
+./pending/aws/aws_glue_dev_endpoint_s3_encryption_enabled.yaml processed successfully.
+./pending/aws/aws_cis_v300_3_1.yaml processed successfully.
+./pending/aws/aws_lightsail_instance_rdp_restricted_ip.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_3.yaml processed successfully.
+./pending/aws/aws_iam_access_analyzer_enabled_without_findings.yaml processed successfully.
+./pending/aws/aws_emr_cluster_encryption_at_rest_with_cse_cmk.yaml processed successfully.
+./pending/aws/aws_cis_v120_3_3.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_12.yaml processed successfully.
+./pending/aws/aws_cis_v130_3_9.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_7.yaml processed successfully.
+./pending/aws/aws_cis_v130_5_3.yaml processed successfully.
+./pending/aws/aws_rds_db_instance_no_public_subnet.yaml processed successfully.
+./pending/aws/aws_vpc_subnet_multi_az_enabled.yaml processed successfully.
+./pending/aws/aws_cis_compute_service_v100_2_7.yaml processed successfully.
+./pending/aws/aws_cis_v200_1_9.yaml processed successfully.
+./pending/aws/aws_cis_v300_2_1_4.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_13.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_15.yaml processed successfully.
+./pending/aws/aws_foundational_security_dms_7.yaml processed successfully.
+./pending/aws/aws_foundational_security_elb_5.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_4.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_3.yaml processed successfully.
+./pending/aws/aws_cis_v300_1_13.yaml processed successfully.
+./pending/aws/aws_cis_v150_4_9.yaml processed successfully.
+./pending/aws/aws_ec2_instance_no_iam_role_with_new_user_creation_with_attached_policy_access.yaml processed successfully.
+./pending/aws/aws_cis_v150_4_13.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_10.yaml processed successfully.
+./pending/aws/aws_foundational_security_iam_6.yaml processed successfully.
+./pending/aws/aws_cis_v140_3_1.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_9.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_15.yaml processed successfully.
+./pending/aws/aws_cis_v150_5_1.yaml processed successfully.
+./pending/aws/aws_guardduty_centrally_configured.yaml processed successfully.
+./pending/aws/aws_elb_application_lb_listener_certificate_expire_7_days.yaml processed successfully.
+./pending/aws/aws_cis_v150_1_6.yaml processed successfully.
+./pending/aws/aws_emr_cluster_encryption_in_transit_enabled.yaml processed successfully.
+./pending/aws/aws_foundational_security_s3_2.yaml processed successfully.
+./pending/aws/aws_cis_v150_2_1_5.yaml processed successfully.
+./pending/aws/aws_cis_v200_1_6.yaml processed successfully.
+./pending/aws/aws_cis_v120_3_10.yaml processed successfully.
+./pending/aws/aws_cis_v200_5_1.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_11.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_5.yaml processed successfully.
+./pending/aws/aws_cis_v300_5_4.yaml processed successfully.
+./pending/aws/aws_vpc_subnet_public_and_private.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_10.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_4.yaml processed successfully.
+./pending/aws/aws_cis_v120_3_1.yaml processed successfully.
+./pending/aws/aws_foundational_security_rds_1.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_1.yaml processed successfully.
+./pending/aws/aws_cis_v150_4_4.yaml processed successfully.
+./pending/aws/aws_elb_application_lb_listener_certificate_expire_30_days.yaml processed successfully.
+./pending/aws/aws_cis_v120_4_3.yaml processed successfully.
+./pending/aws/aws_foundational_security_s3_3.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_9.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_14.yaml processed successfully.
+./pending/aws/aws_glue_dev_endpoint_job_bookmarks_encryption_enabled.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_8.yaml processed successfully.
+./pending/aws/aws_foundational_security_iam_7.yaml processed successfully.
+./pending/aws/aws_foundational_security_rds_23.yaml processed successfully.
+./pending/aws/aws_cis_v150_4_12.yaml processed successfully.
+./pending/aws/aws_cis_v130_1_6.yaml processed successfully.
+./pending/aws/aws_cis_v130_5_1.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_2.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_5.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_13.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_9.yaml processed successfully.
+./pending/aws/aws_cis_v200_3_1.yaml processed successfully.
+./pending/aws/aws_cloudfront_distribution_non_s3_origins_encryption_in_transit_enabled.yaml processed successfully.
+./pending/aws/aws_ec2_instance_no_iam_role_with_database_management_write_access.yaml processed successfully.
+./pending/aws/aws_cis_v120_1_7.yaml processed successfully.
+./pending/aws/aws_foundational_security_ec2_25.yaml processed successfully.
+./pending/aws/aws_foundational_security_docdb_3.yaml processed successfully.
+./pending/aws/aws_cis_v150_1_20.yaml processed successfully.
+./pending/aws/aws_cis_v150_3_1.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_6.yaml processed successfully.
+./pending/aws/aws_cis_v120_3_6.yaml processed successfully.
+./pending/aws/aws_foundational_security_rds_6.yaml processed successfully.
+./pending/aws/aws_cis_v130_4_2.yaml processed successfully.
+./pending/aws/aws_backup_report_plan_configured.yaml processed successfully.
+./pending/aws/aws_ec2_instance_no_iam_role_with_write_access_to_resource_based_policies.yaml processed successfully.
+./pending/aws/aws_ecs_cluster_instance_in_vpc.yaml processed successfully.
+./pending/aws/aws_cis_v140_1_6.yaml processed successfully.
+./pending/aws/aws_cis_v150_4_15.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_16.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_10.yaml processed successfully.
+./pending/aws/aws_cis_v300_1_9.yaml processed successfully.
+./pending/aws/aws_lightsail_instance_ssh_restricted_ip.yaml processed successfully.
+./pending/aws/aws_cis_v130_3_1.yaml processed successfully.
+./pending/aws/aws_glue_job_cloudwatch_logs_encryption_enabled.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_11.yaml processed successfully.
+./pending/aws/aws_foundational_security_lambda_5.yaml processed successfully.
+./pending/aws/aws_cis_v140_4_4.yaml processed successfully.
+./pending/aws/aws_glue_job_s3_encryption_enabled.yaml processed successfully.
+./pending/aws/aws_cis_v200_4_2.yaml processed successfully.
+./pending/aws/aws_iam_user_hardware_mfa_enabled.yaml processed successfully.
+./pending/aws/aws_cis_v120_3_7.yaml processed successfully.
+./pending/aws/aws_cis_v300_4_7.yaml processed successfully.
+./pending/aws/aws_cis_v300_1_22.yaml processed successfully.
+./pending/aws/aws_cis_v150_4_2.yaml processed successfully.
+./pending/aws/aws_cis_v120_1_10.yaml processed successfully.
+./pending/aws/aws_cis_v120_1_6.yaml processed successfully.
diff --git a/queries/bulk_update_yaml.sh b/queries/bulk_update_yaml.sh
new file mode 100755
index 000000000..5dab704c4
--- /dev/null
+++ b/queries/bulk_update_yaml.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+# Description:
+# This script traverses all subdirectories to find YAML files containing the 'Connector' key
+# and renames the key to 'IntegrationTypeName' while mapping specific values.
+
+# Define the root directory (current directory)
+ROOT_DIR="."
+
+# Create or clear the log files
+> processed_files.log
+> error_files.log
+> error_messages.log
+
+# Function to process each file
+process_file() {
+ local file="$1"
+ echo "Processing: $file"
+
+ # Apply the yq transformation
+ if yq eval -i '.IntegrationTypeName = (if (.Connector | type) == "array" then .Connector | map({"aws": "aws_cloud", "azure": "azure_subscription"}[.] // .) else {"aws": "aws_cloud", "azure": "azure_subscription"}[.Connector] // .Connector end) | del(.Connector)' "$file"
+ then
+ echo "$file processed successfully." >> processed_files.log
+ else
+ echo "Error processing $file" >> error_files.log
+ # Capture detailed error messages
+ yq eval '.IntegrationTypeName = (if (.Connector | type) == "array" then .Connector | map({"aws": "aws_cloud", "azure": "azure_subscription"}[.] // .) else {"aws": "aws_cloud", "azure": "azure_subscription"}[.Connector] // .Connector end) | del(.Connector)' "$file" 2>> error_messages.log
+ fi
+}
+
+export -f process_file
+
+# Find and process all .yaml and .yml files containing the 'Connector' key
+find "$ROOT_DIR" -type f \( -iname "*.yaml" -o -iname "*.yml" \) -print0 | while IFS= read -r -d '' file; do
+ if grep -q '^Connector:' "$file"; then
+ process_file "$file"
+ fi
+done
+
+echo "Bulk update completed. Check 'processed_files.log' for details."
+echo "Any errors are logged in 'error_files.log' and 'error_messages.log'."
\ No newline at end of file
diff --git a/queries/error_files.log b/queries/error_files.log
new file mode 100644
index 000000000..52c6d0a46
--- /dev/null
+++ b/queries/error_files.log
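Review bot: The yq expression on the `if yq eval -i` line is the exact text the committed error_messages.log rejects (`invalid input text "if (.Connector |..."`, and column 25 is where `if` begins), so whether a file gets converted depends on the installed yq release rather than on the file, and the script neither probes for that nor stops — it keeps rewriting files in place, with no backup, while appending one parse error per failure. I would keep the expression in a single variable so the two copies cannot drift, run it against a one-line probe before the find loop and abort if yq cannot parse it, add `set -euo pipefail`, and discard the fallback's stdout (the transformed YAML currently goes to the terminal) with `yq eval "$YQ_EXPR" "$file" >/dev/null 2>> error_messages.log || true`. `export -f process_file` is unnecessary, since the function is only called from the same shell's while loop. Note also that `yq -i` re-serializes every file it touches, which is presumably the source of the large indentation-only changes in the other hunks of this commit.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: description, ROOT_DIR, log truncation …

# Single copy of the transformation; a parse error here (as in the committed
# error_messages.log) means the installed yq does not support this syntax.
YQ_EXPR='.IntegrationTypeName = (if (.Connector | type) == "array" then .Connector | map({"aws": "aws_cloud", "azure": "azure_subscription"}[.] // .) else {"aws": "aws_cloud", "azure": "azure_subscription"}[.Connector] // .Connector end) | del(.Connector)'

# Fail fast on an incompatible yq instead of logging one parse error per file.
if ! printf 'Connector:\n- aws\n' | yq eval "$YQ_EXPR" >/dev/null 2>&1; then
  echo "yq does not accept the transformation expression; aborting before touching any file." >&2
  exit 1
fi

process_file() {
  local file="$1"
  echo "Processing: $file"
  if yq eval -i "$YQ_EXPR" "$file"; then
    echo "$file processed successfully." >> processed_files.log
  else
    echo "Error processing $file" >> error_files.log
    # Re-run without -i only to capture stderr; the YAML on stdout is not wanted here.
    yq eval "$YQ_EXPR" "$file" >/dev/null 2>> error_messages.log || true
  fi
}
# … unchanged: find loop and final echo lines …
```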
@@ -0,0 +1,36 @@
+Error processing ./aws_workspaces_directory_8.yaml
+Error processing ./aws_dynamodb_metric_account_provisioned_read_capacity_util_1.yaml
+Error processing ./aws_route53_health_check_5.yaml
+Error processing ./aws_wafv2_ip_set_3.yaml
+Error processing ./aws_iam_service_specific_credential_2.yaml
+Error processing ./aws_securityhub_hub_3.yaml
+Error processing ./aws_ecr_repository_2.yaml
+Error processing ./aws_glacier_vault_2.yaml
+Error processing ./aws_athena_query_execution_3.yaml
+Error processing ./aws_wellarchitected_workload_4.yaml
+Error processing ./aws_ebs_volume_metric_write_ops_daily_2.yaml
+Error processing ./aws_elasticache_redis_metric_engine_cpu_utilization_hourly_2.yaml
+Error processing ./aws_securitylake_subscriber_4.yaml
+Error processing ./17-azure_insight_compute_disk_unattached.yaml
+Error processing ./aws_cloudwatch_log_event_5.yaml
+Error processing ./aws_ebs_volume_metric_read_ops_1.yaml
+Error processing ./aws_eks_addon_3.yaml
+Error processing ./aws_vpc_flow_log_event_4.yaml
+Error processing ./aws_iot_thing_group_3.yaml
+Error processing ./aws_ec2_instance_type_2.yaml
+Error processing ./aws_msk_cluster_2.yaml
+Error processing ./aws_cloudtrail_import_5.yaml
+Error processing ./aws_vpc_peering_connection_8.yaml
+Error processing ./aws_resource_explorer_search_6.yaml
+Error processing ./aws_availability_zone_2.yaml
+Error processing ./aws_guardduty_publishing_destination_1.yaml
+Error processing ./aws_inspector2_coverage_3.yaml
+Error processing ./aws_kms_alias_3.yaml
+Error processing ./aws_wellarchitected_share_invitation_6.yaml
+Error processing ./aws_iam_server_certificate_1.yaml
+Error processing ./aws_accessanalyzer_analyzer_2.yaml
+Error processing ./aws_emr_block_public_access_configuration_1.yaml
+Error processing ./aws_tagging_resource_1.yaml
+Error processing ./aws_s3_object_8.yaml
+Error processing ./aws_elasticache_redis_metric_get_type_cmds_hourly_2.yaml
+Error processing ./aws_securitylake_data_lake_4.yaml
diff --git a/queries/error_messages.log b/queries/error_messages.log
new file mode 100644
index 000000000..6769e53f8
--- /dev/null
+++ b/queries/error_messages.log
@@ -0,0 +1,35 @@
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
+Error: 1:25: invalid input text "if (.Connector |..."
diff --git a/queries/processed_files.log b/queries/processed_files.log
new file mode 100644
index 000000000..e69de29bb