refactor(checks): migrate AWS IAM to Rego
Signed-off-by: Nikita Pivkin <[email protected]>
nikpivkin committed Aug 22, 2024
1 parent 3020e37 commit 236fa7b
Showing 103 changed files with 2,787 additions and 2,169 deletions.
5 changes: 3 additions & 2 deletions avd_docs/aws/iam/AVD-AWS-0056/docs.md
@@ -1,10 +1,11 @@

IAM account password policies should prevent the reuse of passwords.
IAM account password policies should prevent the reuse of passwords.

The account password policy should be set to prevent using any of the last five used passwords.


### Impact
Password reuse increase the risk of compromised passwords being abused
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
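Review bot: the Impact line "Password reuse increase the risk of compromised passwords being abused" has a subject-verb mismatch; it should read "Password reuse increases the risk of compromised passwords being abused". The `<!-- Add Impact here -->` placeholder below it is now redundant because the Impact text is filled in, and the same leftover placeholder is present in every docs.md touched by this commit.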
3 changes: 2 additions & 1 deletion avd_docs/aws/iam/AVD-AWS-0057/docs.md
@@ -1,8 +1,9 @@

You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.


### Impact
Overly permissive policies may grant access to sensitive resources
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/iam/AVD-AWS-0058/docs.md
@@ -1,8 +1,9 @@

IAM account password policies should ensure that passwords content including at least one lowercase character.


### Impact
Short, simple passwords are easier to compromise
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
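Review bot: the first line, "IAM account password policies should ensure that passwords content including at least one lowercase character", is not a grammatical sentence; suggest "IAM account password policies should ensure that passwords contain at least one lowercase character." The same "passwords content including" wording is used in the AVD-AWS-0059, AVD-AWS-0060 and AVD-AWS-0061 docs in this commit and should be fixed the same way.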
3 changes: 2 additions & 1 deletion avd_docs/aws/iam/AVD-AWS-0059/docs.md
@@ -1,8 +1,9 @@

IAM account password policies should ensure that passwords content including at least one number.


### Impact
Short, simple passwords are easier to compromise
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/iam/AVD-AWS-0060/docs.md
@@ -1,8 +1,9 @@

IAM account password policies should ensure that passwords content including a symbol.


### Impact
Short, simple passwords are easier to compromise
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
4 changes: 3 additions & 1 deletion avd_docs/aws/iam/AVD-AWS-0061/docs.md
@@ -1,9 +1,11 @@

,

IAM account password policies should ensure that passwords content including at least one uppercase character.


### Impact
Short, simple passwords are easier to compromise
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
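Review bot: the line containing only "," at the top of the file is stray text and will render as a paragraph consisting of a single comma; remove it. The description line also has the "passwords content including" wording and should read "passwords contain at least one uppercase character".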
7 changes: 4 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0062/docs.md
@@ -1,10 +1,11 @@

IAM account password policies should have a maximum age specified.
IAM account password policies should have a maximum age specified.

The account password policy should be set to expire passwords after 90 days or less.


### Impact
Long life password increase the likelihood of a password eventually being compromised
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
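Review bot: the Impact line "Long life password increase the likelihood of a password eventually being compromised" should read "Long-lived passwords increase the likelihood of a password eventually being compromised".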
5 changes: 3 additions & 2 deletions avd_docs/aws/iam/AVD-AWS-0063/docs.md
@@ -1,10 +1,11 @@

IAM account password policies should ensure that passwords have a minimum length.
IAM account password policies should ensure that passwords have a minimum length.

The account password policy should be set to enforce minimum password length of at least 14 characters.


### Impact
Short, simple passwords are easier to compromise
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0123/docs.md
@@ -1,10 +1,9 @@


IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


### Impact
IAM groups are more vulnerable to compromise without multi factor authentication activated
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
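Review bot: "multi factor authentication" and "safe guards" in the description should be "multi-factor authentication" and "safeguards"; the Impact line repeats the "multi factor" spelling, and the AVD-AWS-0145 docs in this commit use the same two phrasings.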
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0140/docs.md
@@ -1,10 +1,9 @@


The root user has unrestricted access to all services and resources in an AWS account. We highly recommend that you avoid using the root user for daily tasks. Minimizing the use of the root user and adopting the principle of least privilege for access management reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.


### Impact
Compromise of the root account compromises the entire AWS account and all resources within it.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0141/docs.md
@@ -1,10 +1,9 @@


CIS recommends that all access keys be associated with the root user be removed. Removing access keys associated with the root user limits vectors that the account can be compromised by. Removing the root user access keys also encourages the creation and use of role-based accounts that are least privileged.


### Impact
Compromise of the root account compromises the entire AWS account and all resources within it.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
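Review bot: "CIS recommends that all access keys be associated with the root user be removed" has a duplicated "be"; it should read "CIS recommends that all access keys associated with the root user be removed".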
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0142/docs.md
@@ -1,12 +1,11 @@


MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.

When you use virtual MFA for the root user, CIS recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company.


### Impact
Compromise of the root account compromises the entire AWS account and all resources within it.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0143/docs.md
@@ -1,10 +1,9 @@


CIS recommends that you apply IAM policies directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grow. Reducing access management complexity might in turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.


### Impact
Complex access control is difficult to manage and maintain.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
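Review bot: "as the number of users grow" should be "as the number of users grows", since "number" is the subject of the clause.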
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0144/docs.md
@@ -1,10 +1,9 @@


CIS recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.


### Impact
Leaving unused credentials active widens the scope for compromise.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0145/docs.md
@@ -1,10 +1,9 @@


IAM user accounts should be protected with multi factor authentication to add safe guards to password compromise.


### Impact
User accounts are more vulnerable to compromise without multi factor authentication activated
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0146/docs.md
@@ -1,10 +1,9 @@


Regularly rotating your IAM credentials helps prevent a compromised set of IAM access keys from accessing components in your AWS account.


### Impact
Compromised keys are more likely to be used to compromise the account
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0165/docs.md
@@ -1,10 +1,9 @@


Hardware MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device.


### Impact
Compromise of the root account compromises the entire AWS account and all resources within it.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0166/docs.md
@@ -1,10 +1,9 @@

AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in45 or greater days be deactivated or removed.

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.


### Impact
Leaving unused credentials active widens the scope for compromise.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
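Review bot: "unused in45 or greater days" is missing a space and reads awkwardly; suggest "unused for 45 days or more". The same string is in the description of checks/cloud/aws/iam/disable_unused_credentials_45.rego in this commit, so fix both places together.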
5 changes: 2 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0167/docs.md
@@ -1,10 +1,9 @@


Multiple active access keys widens the scope for compromise.


### Impact
Widened scope for compromise.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
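Review bot: "Multiple active access keys widens the scope for compromise" needs the plural verb "widen". The Impact line "Widened scope for compromise." only restates the description; stating the concrete consequence (each extra active key is another long-lived credential that can leak and must be rotated) would make the Impact section more useful.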
8 changes: 5 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0168/docs.md
@@ -1,13 +1,15 @@


Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be

deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can

damage the credibility of the application/website behind the ELB. As a best practice, it is

recommended to delete expired certificates.


### Impact
Risk of misconfiguration and damage to credibility
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
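Review bot: the description is split into four one-line paragraphs separated by blank lines ("...will be", "deployed accidentally to...", "damage the credibility...", "recommended to delete expired certificates."), so it renders as four disconnected fragments; join them into a single paragraph.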
6 changes: 3 additions & 3 deletions avd_docs/aws/iam/AVD-AWS-0169/docs.md
@@ -1,11 +1,11 @@


By implementing least privilege for access control, an IAM Role will require an appropriate

IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support.


### Impact
Incident management is not possible without a support role.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
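Review bot: the description is broken by a blank line after "will require an appropriate", so it renders as two fragments; join the two lines into one sentence.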
3 changes: 2 additions & 1 deletion checks/cloud/aws/iam/disable_unused_credentials.go
@@ -35,7 +35,8 @@ CIS recommends that you remove or deactivate all credentials that have been unus
Links: []string{
"https://console.aws.amazon.com/iam/",
},
Severity: severity.Medium,
Severity: severity.Medium,
Deprecated: true,
},
func(s *state.State) (results scan.Results) {

47 changes: 47 additions & 0 deletions checks/cloud/aws/iam/disable_unused_credentials.rego
@@ -0,0 +1,47 @@
# METADATA
# title: Credentials which are no longer used should be disabled.
# description: |
# CIS recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used.
# scope: package
# schemas:
# - input: schema["cloud"]
# related_resources:
# - https://console.aws.amazon.com/iam/
# custom:
# id: AVD-AWS-0144
# avd_id: AVD-AWS-0144
# provider: aws
# service: iam
# severity: MEDIUM
# short_code: disable-unused-credentials
# recommended_action: Disable credentials which are no longer used.
# frameworks:
# cis-aws-1.2:
# - "1.3"
# input:
# selector:
# - type: cloud
# subtypes:
# - service: iam
# provider: aws
package builtin.aws.iam.aws0144

import rego.v1

import data.lib.iam

days_to_check = 90

deny contains res if {
some user in input.aws.iam.users
iam.user_is_inactive(user, days_to_check)
res := result.new("User has not logged in for >90 days.", user)
}

deny contains res if {
some user in input.aws.iam.users
not iam.user_is_inactive(user, days_to_check)
some key in user.accesskeys
iam.key_is_unused(key, days_to_check)
res := result.new(sprintf("User access key %q has not been used in >90 days", [key.accesskeyid.value]), user)
}
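Review bot: both deny messages hard-code ">90 days" while the threshold lives in `days_to_check`, so the text and the check can drift apart if the constant changes; build the message from the variable, e.g. `sprintf("User has not logged in for >%d days.", [days_to_check])` and `sprintf("User access key %q has not been used in >%d days", [key.accesskeyid.value, days_to_check])`. Also, with `import rego.v1` the constant is more idiomatically written `days_to_check := 90`.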
46 changes: 46 additions & 0 deletions checks/cloud/aws/iam/disable_unused_credentials_45.rego
@@ -0,0 +1,46 @@
# METADATA
# title: Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.
# description: |
# AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in45 or greater days be deactivated or removed.
# scope: package
# schemas:
# - input: schema["cloud"]
# related_resources:
# - https://console.aws.amazon.com/iam/
# custom:
# id: AVD-AWS-0166
# avd_id: AVD-AWS-0166
# provider: aws
# service: iam
# severity: LOW
# short_code: disable-unused-credentials-45-days
# recommended_action: Disable credentials which are no longer used.
# frameworks:
# cis-aws-1.4:
# - "1.12"
# input:
# selector:
# - type: cloud
# subtypes:
# - service: iam
# provider: aws
package builtin.aws.iam.aws0166

import data.lib.iam
import rego.v1

days_to_check = 45

deny contains res if {
some user in input.aws.iam.users
iam.user_is_inactive(user, days_to_check)
res := result.new("User has not logged in for >45 days.", user)
}

deny contains res if {
some user in input.aws.iam.users
not iam.user_is_inactive(user, days_to_check)
some key in user.accesskeys
iam.key_is_unused(key, days_to_check)
res := result.new(sprintf("User access key %q has not been used in >45 days", [key.accesskeyid.value]), user)
}
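Review bot: the `title` metadata holds the rationale sentence ("Disabling or removing unnecessary credentials will reduce the window of opportunity...") while the summary of what is checked sits in `description`; the title should be a short check name, e.g. "Credentials unused for 45 days or more should be disabled", with both sentences moved into the description. The description also carries the "unused in45 or greater days" typo from the docs. As in the 90-day check, the deny messages hard-code ">45 days" instead of deriving it from `days_to_check`, and the imports are ordered `data.lib.iam` before `rego.v1` here but the other way round in disable_unused_credentials.rego; pick one order for both files.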