From 6f9439f8711f45c9370252ad68a5277c31f8ea25 Mon Sep 17 00:00:00 2001 From: Matt Fuller Date: Thu, 18 Apr 2019 08:25:52 -0400 Subject: [PATCH] adding new plugins for open ec2 sg rules and rds logging --- .../insecure-cloudfront-protocols.md | 4 ++-- ...en-hadoop-hdfs-namenode-metadata-service.md | 18 ++++++++++++++++++ en/aws/ec2/open-hadoop-hdfs-namenode-webui.md | 18 ++++++++++++++++++ en/aws/ec2/open-kibana.md | 18 ++++++++++++++++++ en/aws/iam/canary-keys-used.md | 18 ++++++++++++++++++ en/aws/lambda/lambda-old-runtimes.md | 2 +- en/aws/rds/rds-logging-enabled.md | 18 ++++++++++++++++++ 7 files changed, 93 insertions(+), 3 deletions(-) create mode 100644 en/aws/ec2/open-hadoop-hdfs-namenode-metadata-service.md create mode 100644 en/aws/ec2/open-hadoop-hdfs-namenode-webui.md create mode 100644 en/aws/ec2/open-kibana.md create mode 100644 en/aws/iam/canary-keys-used.md create mode 100644 en/aws/rds/rds-logging-enabled.md diff --git a/en/aws/cloudfront/insecure-cloudfront-protocols.md b/en/aws/cloudfront/insecure-cloudfront-protocols.md index b297e62f1..8c6d5c51f 100644 --- a/en/aws/cloudfront/insecure-cloudfront-protocols.md +++ b/en/aws/cloudfront/insecure-cloudfront-protocols.md 
@@ -10,9 +10,9 @@ | **Cloud** | AWS | | **Category** | CloudFront | | **Description** | Detects the use of insecure HTTPS SSL/TLS protocols for use with HTTPS traffic between viewers and CloudFront | -| **More Info** | CloudFront supports SSLv3 and TLSv1 protocols for use with HTTPS traffic, but only TLSv1 should be used unless there is a valid business justification to support the older, insecure SSLv3. | +| **More Info** | CloudFront supports SSLv3 and TLSv1 protocols for use with HTTPS traffic, but only TLSv1.1 or higher should be used unless there is a valid business justification to support the older, insecure SSLv3. | | **AWS Link** | http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html | -| **Recommended Action** | Ensure that traffic sent between viewers and CloudFront is passed over HTTPS and uses TLSv1, not SSLv3. | +| **Recommended Action** | Ensure that traffic sent between viewers and CloudFront is passed over HTTPS and uses TLSv1.1 or higher. | ## Detailed Remediation Steps diff --git a/en/aws/ec2/open-hadoop-hdfs-namenode-metadata-service.md b/en/aws/ec2/open-hadoop-hdfs-namenode-metadata-service.md new file mode 100644 index 000000000..edd7818af --- /dev/null +++ b/en/aws/ec2/open-hadoop-hdfs-namenode-metadata-service.md 
@@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Open Hadoop HDFS NameNode Metadata Service + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Hadoop HDFS NameNode Metadata Service | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Determine if TCP port 8020 for HDFS NameNode metadata service is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | +| **AWS Link** | http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html | +| **Recommended Action** | Restrict TCP port 8020 to known IP addresses for Hadoop/HDFS | + +## Detailed Remediation Steps + diff --git a/en/aws/ec2/open-hadoop-hdfs-namenode-webui.md b/en/aws/ec2/open-hadoop-hdfs-namenode-webui.md new file mode 100644 index 000000000..128f585eb --- /dev/null +++ b/en/aws/ec2/open-hadoop-hdfs-namenode-webui.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Open Hadoop HDFS NameNode WebUI + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Hadoop HDFS NameNode WebUI | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Determine if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Hadoop/HDFS should be restricted to known IP addresses. | +| **AWS Link** | http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html | +| **Recommended Action** | Restrict TCP port 50070 and 50470 to known IP addresses for Hadoop/HDFS | + +## Detailed Remediation Steps + 
diff --git a/en/aws/ec2/open-kibana.md b/en/aws/ec2/open-kibana.md new file mode 100644 index 000000000..aedda82f3 --- /dev/null +++ b/en/aws/ec2/open-kibana.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / EC2 / Open Kibana + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Open Kibana | +| **Cloud** | AWS | +| **Category** | EC2 | +| **Description** | Determine if TCP port 5601 for Kibana is open to the public | +| **More Info** | While some ports such as HTTP and HTTPS are required to be open to the public to function properly, more sensitive services such as Kibana should be restricted to known IP addresses. | +| **AWS Link** | http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html | +| **Recommended Action** | Restrict TCP port 5601 to known IP addresses | + +## Detailed Remediation Steps + diff --git a/en/aws/iam/canary-keys-used.md b/en/aws/iam/canary-keys-used.md new file mode 100644 index 000000000..aef828bd7 --- /dev/null +++ b/en/aws/iam/canary-keys-used.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / IAM / Canary Keys Used + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | Canary Keys Used | +| **Cloud** | AWS | +| **Category** | IAM | +| **Description** | Detects when a special canary-token access key has been used | +| **More Info** | Canary access keys can be created with limited permissions and then used to detect when a potential breach occurs. | +| **AWS Link** | https://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingCredentials.html | +| **Recommended Action** | Create a canary access token and provide its user to CloudSploit. If CloudSploit detects that the account is in use, it will trigger a failure. | + +## Detailed Remediation Steps + 
diff --git a/en/aws/lambda/lambda-old-runtimes.md b/en/aws/lambda/lambda-old-runtimes.md index 819b66d32..cb3cb0004 100644 --- a/en/aws/lambda/lambda-old-runtimes.md +++ b/en/aws/lambda/lambda-old-runtimes.md @@ -10,7 +10,7 @@ | **Cloud** | AWS | | **Category** | Lambda | | **Description** | Ensures Lambda functions are not using out-of-date runtime environments. | -| **More Info** | Lambda runtimes should be kept current with recent versions of the underlying codebase. Node.js 0.10.0 should not be used. | +| **More Info** | Lambda runtimes should be kept current with recent versions of the underlying codebase. Deprecated runtimes should not be used. | | **AWS Link** | http://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html | | **Recommended Action** | Upgrade the Lambda function runtime to use a more current version. | diff --git a/en/aws/rds/rds-logging-enabled.md b/en/aws/rds/rds-logging-enabled.md new file mode 100644 index 000000000..720f10b13 --- /dev/null +++ b/en/aws/rds/rds-logging-enabled.md @@ -0,0 +1,18 @@ +[![CloudSploit](https://cloudsploit.com/img/logo-new-big-text-100.png "CloudSploit")](https://cloudsploit.com) + +# AWS / RDS / RDS Logging Enabled + +## Quick Info + +| | | +|-|-| +| **Plugin Title** | RDS Logging Enabled | +| **Cloud** | AWS | +| **Category** | RDS | +| **Description** | Ensures logging is configured for RDS instances | +| **More Info** | Logging database level events enables teams to analyze events for the purpose diagnostics as well as audit tracking for compliance purposes. | +| **AWS Link** | https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html | +| **Recommended Action** | Modify the RDS instance to enable logging as required. | + +## Detailed Remediation Steps +
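Review bot: In the insecure-cloudfront-protocols.md hunk, the updated "More Info" row is now internally inconsistent: it still lists only SSLv3 and TLSv1 as the protocols CloudFront supports, yet recommends "TLSv1.1 or higher", which that list does not contain. Update the supported-protocol list in the same sentence to include the TLSv1.1 and later versions the recommendation refers to, and consider tightening the "Description" row ("insecure HTTPS SSL/TLS protocols") to name the protocols the plugin actually flags so the three rows agree.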
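Review bot: In the open-hadoop-hdfs-namenode-metadata-service.md hunk (and in every other new file in this patch), the "## Detailed Remediation Steps" heading is added with no content beneath it, so the rendered page ends on an empty section. Either add the steps (for the EC2 plugins, the security-group inbound-rule change the "Recommended Action" row describes) or leave the heading out until the steps exist. Also note the commit subject mentions only EC2 security-group rules and RDS logging, while the patch also adds the IAM canary-keys page and edits the CloudFront and Lambda pages; the message should list those or the unrelated changes should be split out.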
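Review bot: In the open-hadoop-hdfs-namenode-webui.md hunk, the "Description" and "Recommended Action" rows have a number-agreement error: "Determine if TCP port 50070 and 50470 for Hadoop/HDFS NameNode WebUI service is open" should read "Determine if TCP ports 50070 and 50470 for the Hadoop/HDFS NameNode WebUI service are open", and "Restrict TCP port 50070 and 50470" should be "Restrict TCP ports 50070 and 50470". Since this page covers two ports, it would also help readers to say which is the HTTP and which the HTTPS listener so they know which rule they are looking at in the security group.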
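Review bot: In the open-kibana.md hunk, the "Recommended Action" row ("Restrict TCP port 5601 to known IP addresses") drops the service name that the two Hadoop pages in this same patch append ("... for Hadoop/HDFS"); for consistency across the EC2 plugin pages make it "Restrict TCP port 5601 to known IP addresses for Kibana".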
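Review bot: In the canary-keys-used.md hunk, the terminology shifts between rows: "Description" says "canary-token access key", "More Info" says "canary access keys", and "Recommended Action" says "canary access token". IAM issues access keys, so use "canary access key" throughout. More importantly, the "Recommended Action" row describes how to set the plugin up ("Create a canary access token and provide its user to CloudSploit") rather than what to do when the check fails; since a failure means the canary key has been used, the row should tell the reader to treat the use as a potential compromise, review the key's activity, and deactivate or rotate the key, with the setup instructions moved to "More Info" or the remediation section.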
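Review bot: In the rds-logging-enabled.md hunk, the "More Info" row has a typo: "for the purpose diagnostics" should be "for the purpose of diagnostics". The "Recommended Action" row ("Modify the RDS instance to enable logging as required") is also too vague to act on; state which log types the plugin checks for and that they are set per database engine through the instance's parameter group and log exports, so the reader knows what "as required" means for their engine.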