opengovern · acx1729 · Nov 12, 2024 · Nov 12, 2024
diff --git a/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml b/compliance/controls/aws/aws_account_alternate_contact_security_registered.yaml
@@ -1,42 +1,42 @@
+Description: This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account.
 ID: aws_account_alternate_contact_security_registered
-Title: "Security contact information should be provided for an AWS account"
-Description: "This control checks if an AWS Web Services (AWS) account has security contact information. The control fails if security contact information is not provided for the account."
+IntegrationType:
+  - aws_cloud_account
 Query:
   Engine: CloudQL-v0.0.1
+  ListOfTables:
+    - aws_account
+    - aws_account_alternate_contact
+  Parameters: []
+  PrimaryTable: aws_account
   QueryToExecute: |
-    with alternate_security_contact as (
-      select
+    WITH alternate_security_contact AS (
+      SELECT
         name,
         account_id
-      from
+      FROM
         aws_account_alternate_contact
-      where
+      WHERE
         contact_type = 'SECURITY'
     )
-    select
-      arn as resource,
-      og_account_id as og_account_id,
-      og_resource_id as og_resource_id,
-      case
-        when a.partition = 'aws-us-gov' then 'info'
-        -- Name is a required field if setting a security contact
-        when c.name is not null then 'ok'
-        else 'alarm'
-      end as status,
-      case
-        when a.partition = 'aws-us-gov' then a.title || ' in GovCloud, manual verification required.'
-        when c.name is not null then a.title || ' has security contact ' || c.name || ' registered.'
-        else a.title || ' security contact not registered.'
-      end as reason
-      , a.account_id
-    from
-      aws_account as a
-      left join alternate_security_contact as c on c.account_id = a.account_id;
-  PrimaryTable: aws_account
-  ListOfTables:
-    - aws_account
-    - aws_account_alternate_contact
-  Parameters: []
+    SELECT
+      arn AS resource,
+      og_account_id AS og_account_id,
+      og_resource_id AS og_resource_id,
+      CASE
+        WHEN a.partition = 'aws-us-gov' THEN 'info'
+        WHEN c.name IS NOT NULL THEN 'ok'
+        ELSE 'alarm'
+      END AS status,
+      CASE
+        WHEN a.partition = 'aws-us-gov' THEN a.title || ' in GovCloud, manual verification required.'
+        WHEN c.name IS NOT NULL THEN a.title || ' has security contact ' || c.name || ' registered.'
+        ELSE a.title || ' security contact not registered.'
+      END AS reason,
+      a.account_id
+    FROM
+      aws_account AS a
+    LEFT JOIN alternate_security_contact AS c ON c.account_id = a.account_id;
 Severity: low
 Tags:
   category:
@@ -57,5 +57,4 @@ Tags:
     - aws
   service:
     - AWS/IAM
-IntegrationType:
-  - aws_cloud_account
+Title: Security contact information should be provided for an AWS account
diff --git a/compliance/controls/aws/aws_account_part_of_organizations.yaml b/compliance/controls/aws/aws_account_part_of_organizations.yaml
@@ -1,28 +1,30 @@
+Description: Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations, or AWS Organizations' master account ID does not match rule parameter MasterAccountId.
 ID: aws_account_part_of_organizations
-Title: "AWS account should be part of AWS Organizations"
-Description: "Ensure that an AWS account is part of AWS Organizations. The rule is non-compliant if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId."
+IntegrationType:
+  - aws_cloud_account
 Query:
   Engine: CloudQL-v0.0.1
-  QueryToExecute: |
-    select
-      arn as resource,
-      og_account_id as og_account_id,
-      og_resource_id as og_resource_id,
-      case
-        when organization_id is not null then 'ok'
-        else 'alarm'
-      end as status,
-      case
-        when organization_id is not null then title || ' is part of organization(s).'
-        else title || ' is not part of organization.'
-      end as reason
-      , region, account_id
-    from
-      aws_account;
-  PrimaryTable: aws_account
   ListOfTables:
     - aws_account
   Parameters: []
+  PrimaryTable: aws_account
+  QueryToExecute: |
+    SELECT
+      arn AS resource,
+      og_account_id AS og_account_id,
+      og_resource_id AS og_resource_id,
+      CASE
+        WHEN organization_id IS NOT NULL THEN 'ok'
+        ELSE 'alarm'
+      END AS status,
+      CASE
+        WHEN organization_id IS NOT NULL THEN title || ' is part of organization(s).'
+        ELSE title || ' is not part of organization.'
+      END AS reason,
+      region,
+      account_id
+    FROM
+      aws_account;
 Severity: medium
 Tags:
   category:
@@ -39,5 +41,4 @@ Tags:
     - aws
   service:
     - AWS/IAM
-IntegrationType:
-  - aws_cloud_account
+Title: AWS account should be part of AWS Organizations
diff --git a/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml b/compliance/controls/aws/aws_acm_certificate_expires_30_days.yaml
@@ -1,13 +1,32 @@
+Description: Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM.
 ID: aws_acm_certificate_expires_30_days
-Title: "ACM certificates should not expire within 30 days"
-Description: "Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM."
+IntegrationType:
+  - aws_cloud_account
 Query:
   Engine: CloudQL-v0.0.1
-  QueryToExecute: "select\n  certificate_arn as resource,\n  og_account_id as og_account_id,\n  og_resource_id as og_resource_id,\n  case\n    when renewal_eligibility = 'INELIGIBLE' then 'skip'\n    when date(not_after) - date(current_date) >= 30 then 'ok'\n    else 'alarm'\n  end as status,\n  case\n    when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'\n    else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||\n    ' (' || extract(day from not_after - current_date) || ' days).'\n  end as reason\n  \n  , region, account_id\nfrom\n  aws_acm_certificate;\n"
-  PrimaryTable: aws_acm_certificate
   ListOfTables:
     - aws_acm_certificate
   Parameters: []
+  PrimaryTable: aws_acm_certificate
+  QueryToExecute: |
+    SELECT
+      certificate_arn AS resource,
+      og_account_id AS og_account_id,
+      og_resource_id AS og_resource_id,
+      CASE
+        WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip'
+        WHEN DATE(not_after) - DATE(current_date) >= 30 THEN 'ok'
+        ELSE 'alarm'
+      END AS status,
+      CASE
+        WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.'
+        ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') ||
+        ' (' || EXTRACT(DAY FROM not_after - current_date) || ' days).'
+      END AS reason,
+      region,
+      account_id
+    FROM
+      aws_acm_certificate;
 Severity: high
 Tags:
   category:
@@ -26,12 +45,12 @@ Tags:
     - "true"
   hipaa_security_rule_2003:
     - "true"
-  nist_800_171_rev_2:
-    - "true"
   nist_800_53_rev_4:
     - "true"
   nist_800_53_rev_5:
     - "true"
+  nist_800_171_rev_2:
+    - "true"
   nist_csf:
     - "true"
   pci_dss_v321:
@@ -44,5 +63,4 @@ Tags:
     - AWS/ACM
   soc_2:
     - "true"
-IntegrationType:
-  - aws_cloud_account
+Title: ACM certificates should not expire within 30 days
diff --git a/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml b/compliance/controls/aws/aws_acm_certificate_no_failed_certificate.yaml
@@ -1,14 +1,25 @@
+Description: This control ensures that ACM certificates are not in failed state.
 ID: aws_acm_certificate_no_failed_certificate
-Title: "Ensure that ACM certificates are not in failed state"
-Description: "This control ensures that ACM certificates are not in failed state."
+IntegrationType:
+  - aws_cloud_account
 Query:
   Engine: CloudQL-v0.0.1
-  QueryToExecute: "select\n  certificate_arn as resource,\n  og_account_id as og_account_id,\n  og_resource_id as og_resource_id,\n  case\n    when status in ('VALIDATION_TIMED_OUT', 'FAILED') then 'alarm'\n    else 'ok'\n  end as status,\n  title || ' status is ' || status || '.'  as reason\n  \n  \nfrom\n  aws_acm_certificate;"
-  PrimaryTable: aws_acm_certificate
   ListOfTables:
     - aws_acm_certificate
   Parameters: []
+  PrimaryTable: aws_acm_certificate
+  QueryToExecute: |
+    SELECT
+      certificate_arn AS resource,
+      og_account_id AS og_account_id,
+      og_resource_id AS og_resource_id,
+      CASE
+        WHEN status IN ('VALIDATION_TIMED_OUT', 'FAILED') THEN 'alarm'
+        ELSE 'ok'
+      END AS status,
+      title || ' status is ' || status || '.' AS reason
+    FROM
+      aws_acm_certificate;
 Severity: low
 Tags: {}
-IntegrationType:
-  - aws_cloud_account
+Title: Ensure that ACM certificates are not in failed state
diff --git a/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml b/compliance/controls/aws/aws_acm_certificate_no_pending_validation_certificate.yaml
@@ -1,14 +1,25 @@
+Description: This control ensures that ACM certificates are not in pending validation state. When certificates are not validated within 72 hours after the request is made, those certificates become invalid.
 ID: aws_acm_certificate_no_pending_validation_certificate
-Title: "Ensure that ACM certificates are not in pending validation state"
-Description: "This control ensures that ACM certificates are not in pending validation state. When certificates are not validated within 72 hours after the request is made, those certificates become invalid."
+IntegrationType:
+  - aws_cloud_account
 Query:
   Engine: CloudQL-v0.0.1
-  QueryToExecute: "select\n  certificate_arn as resource,\n  og_account_id as og_account_id,\n  og_resource_id as og_resource_id,\n  case\n    when status = 'PENDING_VALIDATION' then 'info'\n    else 'ok'\n  end as status,\n  title || ' status is ' || status || '.'  as reason\n  \n  \nfrom\n  aws_acm_certificate;"
-  PrimaryTable: aws_acm_certificate
   ListOfTables:
     - aws_acm_certificate
   Parameters: []
+  PrimaryTable: aws_acm_certificate
+  QueryToExecute: |
+    SELECT
+      certificate_arn AS resource,
+      og_account_id AS og_account_id,
+      og_resource_id AS og_resource_id,
+      CASE
+        WHEN status = 'PENDING_VALIDATION' THEN 'info'
+        ELSE 'ok'
+      END AS status,
+      title || ' status is ' || status || '.' AS reason
+    FROM
+      aws_acm_certificate;
 Severity: low
 Tags: {}
-IntegrationType:
-  - aws_cloud_account
+Title: Ensure that ACM certificates are not in pending validation state
diff --git a/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml b/compliance/controls/aws/aws_acm_certificate_no_wildcard_domain_name.yaml
@@ -1,28 +1,28 @@
+Description: Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key.
 ID: aws_acm_certificate_no_wildcard_domain_name
-Title: "ACM certificates should not use wildcard certificates"
-Description: "Ensure that ACM single domain name certificates are used instead of wildcard certificates within your AWS account in order to follow security best practices and protect each domain/subdomain with its own unique private key."
+IntegrationType:
+  - aws_cloud_account
 Query:
   Engine: CloudQL-v0.0.1
-  QueryToExecute: |-
-    select
-      certificate_arn as resource,
-      og_account_id as og_account_id,
-      og_resource_id as og_resource_id,
-      case
-        when domain_name like '*%' then 'alarm'
-        else 'ok'
-      end as status,
-      case
-        when domain_name like '*%' then title || ' uses wildcard domain name.'
-        else title || ' does not use wildcard domain name.'
-      end as reason
-    from
-      aws_acm_certificate;
-  PrimaryTable: aws_acm_certificate
   ListOfTables:
     - aws_acm_certificate
   Parameters: []
+  PrimaryTable: aws_acm_certificate
+  QueryToExecute: |
+    SELECT
+      certificate_arn AS resource,
+      og_account_id AS og_account_id,
+      og_resource_id AS og_resource_id,
+      CASE
+        WHEN domain_name LIKE '*%' THEN 'alarm'
+        ELSE 'ok'
+      END AS status,
+      CASE
+        WHEN domain_name LIKE '*%' THEN title || ' uses wildcard domain name.'
+        ELSE title || ' does not use wildcard domain name.'
+      END AS reason
+    FROM
+      aws_acm_certificate;
 Severity: low
 Tags: {}
-IntegrationType:
-  - aws_cloud_account
+Title: ACM certificates should not use wildcard certificates
diff --git a/compliance/controls/aws/aws_acm_certificate_not_expired.yaml b/compliance/controls/aws/aws_acm_certificate_not_expired.yaml
@@ -1,14 +1,32 @@
+Description: This control ensures that all expired ACM certificates are removed from AWS account.
 ID: aws_acm_certificate_not_expired
-Title: "Ensure that all the expired ACM certificates are removed"
-Description: "This control ensures that all expired ACM certificates are removed from AWS account."
+IntegrationType:
+  - aws_cloud_account
 Query:
   Engine: CloudQL-v0.0.1
-  QueryToExecute: "select\n  certificate_arn as resource,\n  og_account_id as og_account_id,\n  og_resource_id as og_resource_id,\n  case\n    when renewal_eligibility = 'INELIGIBLE' then 'skip'\n    when date(not_after) < (current_date - interval '1' minute) then 'alarm'\n    else 'ok'\n  end as status,\n  case\n    when renewal_eligibility = 'INELIGIBLE' then title || ' not eligible for renewal.'\n    when date(not_after) < (current_date - interval '1' minute) then title || ' expired ' || to_char(not_after, 'DD-Mon-YYYY') ||\n    ' (' || extract(day from not_after - current_date) || ' days ago).'\n    else title || ' expires ' || to_char(not_after, 'DD-Mon-YYYY') ||\n    ' (' || extract(day from not_after - current_date) || ' days).'\n   end as reason\n  \n  \nfrom\n  aws_acm_certificate;"
-  PrimaryTable: aws_acm_certificate
   ListOfTables:
     - aws_acm_certificate
   Parameters: []
+  PrimaryTable: aws_acm_certificate
+  QueryToExecute: |
+    SELECT
+      certificate_arn AS resource,
+      og_account_id AS og_account_id,
+      og_resource_id AS og_resource_id,
+      CASE
+        WHEN renewal_eligibility = 'INELIGIBLE' THEN 'skip'
+        WHEN DATE(not_after) < (CURRENT_DATE - INTERVAL '1' minute) THEN 'alarm'
+        ELSE 'ok'
+      END AS status,
+      CASE
+        WHEN renewal_eligibility = 'INELIGIBLE' THEN title || ' not eligible for renewal.'
+        WHEN DATE(not_after) < (CURRENT_DATE - INTERVAL '1' minute) THEN title || ' expired ' || TO_CHAR(not_after, 'DD-Mon-YYYY') ||
+          ' (' || EXTRACT(day FROM not_after - CURRENT_DATE) || ' days ago).'
+        ELSE title || ' expires ' || TO_CHAR(not_after, 'DD-Mon-YYYY') ||
+          ' (' || EXTRACT(day FROM not_after - CURRENT_DATE) || ' days).'
+      END AS reason
+    FROM
+      aws_acm_certificate;
 Severity: low
 Tags: {}
-IntegrationType:
-  - aws_cloud_account
+Title: Ensure that all the expired ACM certificates are removed
diff --git a/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml b/compliance/controls/aws/aws_acm_certificate_rsa_key_length_2048_bits_or_greater.yaml
@@ -1,14 +1,30 @@
+Description: This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits.
 ID: aws_acm_certificate_rsa_key_length_2048_bits_or_greater
-Title: "RSA certificates managed by ACM should use a key length of at least 2,048 bits"
-Description: "This control checks whether RSA certificates managed by AWS Certificate Manager use a key length of at least 2,048 bits. The control fails if the key length is smaller than 2,048 bits."
+IntegrationType:
+  - aws_cloud_account
 Query:
   Engine: CloudQL-v0.0.1
-  QueryToExecute: "select\n  certificate_arn as resource,\n  og_account_id as og_account_id,\n  og_resource_id as og_resource_id,\n  case\n    when not key_algorithm like 'RSA-%' then 'skip'\n    when key_algorithm = 'RSA_1024' then 'alarm'\n    else 'ok'\n  end as status,\n  case\n    when not key_algorithm like 'RSA-%' then title || ' is not a RSA certificate.'\n    when key_algorithm = 'RSA_1024' then title || ' is using 1024 bits key length.'\n    else title || ' is using ' || split_part(key_algorithm, '-', 2) || ' bits key length.'\n  end as reason\n  \n  \nfrom\n  aws_acm_certificate;"
-  PrimaryTable: aws_acm_certificate
   ListOfTables:
     - aws_acm_certificate
   Parameters: []
+  PrimaryTable: aws_acm_certificate
+  QueryToExecute: |
+    SELECT
+      certificate_arn AS resource,
+      og_account_id AS og_account_id,
+      og_resource_id AS og_resource_id,
+      CASE
+        WHEN NOT key_algorithm LIKE 'RSA-%' THEN 'skip'
+        WHEN key_algorithm = 'RSA_1024' THEN 'alarm'
+        ELSE 'ok'
+      END AS status,
+      CASE
+        WHEN NOT key_algorithm LIKE 'RSA-%' THEN title || ' is not a RSA certificate.'
+        WHEN key_algorithm = 'RSA_1024' THEN title || ' is using 1024 bits key length.'
+        ELSE title || ' is using ' || split_part(key_algorithm, '-', 2) || ' bits key length.'
+      END AS reason
+    FROM
+      aws_acm_certificate;
 Severity: low
 Tags: {}
-IntegrationType:
-  - aws_cloud_account
+Title: RSA certificates managed by ACM should use a key length of at least 2,048 bits