From 3c9848c6a0dbc36181789576fe5399a93e70788d Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Thu, 11 Jul 2024 20:38:38 +0700 Subject: [PATCH] chore: generate AWS compliance specs based on checks Signed-off-by: Nikita Pivkin --- .github/workflows/verify-specs.yaml | 21 ++ Makefile | 6 +- cmd/specs/main.go | 93 ++++++ pkg/specs/compliance/aws-cis-1.2.yaml | 416 ++++++++++++----------- pkg/specs/compliance/aws-cis-1.4.yaml | 457 ++++++++++++-------------- 5 files changed, 543 insertions(+), 450 deletions(-) create mode 100755 .github/workflows/verify-specs.yaml create mode 100644 cmd/specs/main.go diff --git a/.github/workflows/verify-specs.yaml b/.github/workflows/verify-specs.yaml new file mode 100755 index 00000000..98488dc2 --- /dev/null +++ b/.github/workflows/verify-specs.yaml @@ -0,0 +1,21 @@ +name: Verify Specs +on: + pull_request: + merge_group: +jobs: + build: + name: Verify Docs + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-go@v5 + with: + go-version-file: go.mod + + - run: | + make generate-specs + if [ -n "$(git status --porcelain)" ]; then + echo "Run 'generate-specs' and push it" + exit 1 + fi diff --git a/Makefile b/Makefile index e6c528cd..9d1d7624 100644 --- a/Makefile +++ b/Makefile @@ -49,4 +49,8 @@ verify-bundle: rm scripts/bundle.tar.gz build-opa: - go build ./cmd/opa \ No newline at end of file + go build ./cmd/opa +.PHONY: generate-specs + +generate-specs: + go run ./cmd/specs diff --git a/cmd/specs/main.go b/cmd/specs/main.go new file mode 100644 index 00000000..7d835544 --- /dev/null +++ b/cmd/specs/main.go 
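Review bot: The job in the new verify-specs.yaml is named `Verify Docs` while the workflow is `Verify Specs`, which looks like a copy-paste leftover and makes the required status check harder to recognise; `name: Verify Specs` on the job would match. Both actions are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-go@v5`); pinning them to a full commit SHA with the tag kept as a trailing comment protects the workflow from a retagged or compromised release, and a top-level `permissions: contents: read` keeps the job's token read-only, which is all this check needs. When the drift check fails it would also help contributors to print what changed, e.g. a `git diff` line before the `exit 1`, rather than only the instruction to re-run the target.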
@@ -0,0 +1,93 @@
+package main
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "sort"
+ "strings"
+
+ "gopkg.in/yaml.v3"
+
+ "github.com/aquasecurity/trivy/pkg/iac/framework"
+ "github.com/aquasecurity/trivy/pkg/iac/rego"
+ "github.com/aquasecurity/trivy/pkg/iac/rules"
+ iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
+)
+
+const complianceDirPath = "pkg/specs/compliance/"
+
+var specs = map[framework.Framework]*iacTypes.Spec{
+ framework.CIS_AWS_1_2: {
+ ID: "aws-cis-1.2",
+ Title: "AWS CIS Foundations v1.2",
+ Description: "AWS CIS Foundations",
+ Version: "1.2",
+ Platform: "aws",
+ Type: "cis",
+ RelatedResources: []string{
+ "https://www.cisecurity.org/benchmark/amazon_web_services",
+ },
+ },
+ framework.CIS_AWS_1_4: {
+ ID: "aws-cis-1.4",
+ Title: "AWS CIS Foundations v1.4",
+ Description: "AWS CIS Foundations",
+ Version: "1.4",
+ Platform: "aws",
+ Type: "cis",
+ RelatedResources: []string{
+ "https://www.cisecurity.org/benchmark/amazon_web_services",
+ },
+ },
+}
+
+func main() {
+ frameworks := make([]framework.Framework, 0, len(specs))
+ for f := range specs {
+ frameworks = append(frameworks, f)
+ }
+
+ // Clean up all Go checks
+ rules.Reset()
+
+ // Load Rego checks
+ rego.LoadAndRegister()
+
+ for _, rule := range rules.GetRegistered(frameworks...) {
+ for f, controlIDs := range rule.Frameworks {
+ for _, id := range controlIDs {
+ specs[f].Controls = append(specs[f].Controls, iacTypes.Control{
+ ID: id,
+ Name: rule.ShortCode,
+ Description: rule.Summary,
+ Severity: iacTypes.Severity(rule.Severity),
+ Checks: []iacTypes.SpecCheck{{ID: rule.AVDID}},
+ })
+ }
+ }
+ }
+
+ for _, spec := range specs {
+ sort.Slice(spec.Controls, func(i, j int) bool {
+ return strings.Compare(spec.Controls[i].ID, spec.Controls[j].ID) < 0
+ })
+ }
+
+ for _, c := range specs {
+ if err := writeCompliance(c, complianceDirPath); err != nil {
+ panic(err)
+ }
+ }
+}
+
+func writeCompliance(spec *iacTypes.Spec, path string) error {
+ file, err := os.Create(filepath.Join(path, fmt.Sprintf("%s.yaml", spec.ID)))
+ if err != nil {
+ return err
+ }
+ defer file.Close()
+ encoder := yaml.NewEncoder(file)
+ encoder.SetIndent(2)
+ return encoder.Encode(iacTypes.ComplianceSpec{Spec: *spec})
+}
diff --git a/pkg/specs/compliance/aws-cis-1.2.yaml b/pkg/specs/compliance/aws-cis-1.2.yaml
index 3d8d4eeb..f7780468 100644
--- a/pkg/specs/compliance/aws-cis-1.2.yaml
+++ b/pkg/specs/compliance/aws-cis-1.2.yaml
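Review bot: The `sort.Slice` in main orders controls by ID alone, yet the output generated by this same patch contains two `1.4` entries in aws-cis-1.4.yaml; `sort.Slice` is not stable, so the relative order of such duplicates is whatever order `rules.GetRegistered` happens to return them in, and whether that is stable across runs is not visible here — if it is not, the new verify-specs workflow fails on a diff nobody introduced. Tie-break on `Name` (and drop the then-unused `strings` import) so the file is a pure function of the registered checks, and consider failing, or at least warning, when two controls in one framework share an ID, since that is almost certainly a mistake in a check's metadata. `writeCompliance` also never calls `encoder.Close()` and discards the error of the deferred `file.Close()`, so a failure at close is lost and the tool still exits 0; close both explicitly and return their errors. `panic(err)` in main could be `log.Fatal(err)`, but that is cosmetic.
```go
	for _, spec := range specs {
		sort.Slice(spec.Controls, func(i, j int) bool {
			a, b := spec.Controls[i], spec.Controls[j]
			if a.ID != b.ID {
				return a.ID < b.ID
			}
			return a.Name < b.Name
		})
	}
	// … unchanged: writeCompliance loop …
}

func writeCompliance(spec *iacTypes.Spec, path string) error {
	file, err := os.Create(filepath.Join(path, fmt.Sprintf("%s.yaml", spec.ID)))
	if err != nil {
		return err
	}
	encoder := yaml.NewEncoder(file)
	encoder.SetIndent(2)
	if err := encoder.Encode(iacTypes.ComplianceSpec{Spec: *spec}); err != nil {
		_ = file.Close() // already failing; report the encode error
		return err
	}
	if err := encoder.Close(); err != nil {
		_ = file.Close()
		return err
	}
	return file.Close()
}
```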
@@ -3,216 +3,212 @@ spec: title: AWS CIS Foundations v1.2 description: AWS CIS Foundations version: "1.2" - platfrom: aws + platform: aws type: cis relatedResources: - - https://www.cisecurity.org/benchmark/amazon_web_services + - https://www.cisecurity.org/benchmark/amazon_web_services controls: - - id: "1.1" - name: limit-root-account-usage - description: |- - The "root" account has unrestricted access to all resources in the AWS account. It is highly - recommended that the use of this account be avoided. - checks: - - id: AVD-AWS-0140 - severity: LOW - - id: "1.10" - name: no-password-reuse - description: IAM Password policy should prevent password reuse. - checks: - - id: AVD-AWS-0056 - severity: MEDIUM - - id: "1.11" - name: set-max-password-age - description: IAM Password policy should have expiry less than or equal to 90 days. - checks: - - id: AVD-AWS-0062 - severity: MEDIUM - - id: "1.12" - name: no-root-access-keys - description: The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account. - checks: - - id: AVD-AWS-0141 - severity: CRITICAL - - id: "1.13" - name: enforce-root-mfa - description: |- - The "root" account has unrestricted access to all resources in the AWS account. It is highly - recommended that this account have MFA enabled. - checks: - - id: AVD-AWS-0142 - severity: CRITICAL - - id: "1.16" - name: no-user-attached-policies - description: IAM policies should not be granted directly to users. - checks: - - id: AVD-AWS-0143 - severity: LOW - - id: "1.2" - name: enforce-user-mfa - description: IAM Users should have MFA enforcement activated. - checks: - - id: AVD-AWS-0145 - severity: MEDIUM - - id: "1.3" - name: disable-unused-credentials - description: Credentials which are no longer used should be disabled. 
- checks: - - id: AVD-AWS-0144 - severity: MEDIUM - - id: "1.4" - name: rotate-access-keys - description: Access keys should be rotated at least every 90 days - checks: - - id: AVD-AWS-0146 - severity: LOW - - id: "1.5" - name: require-uppercase-in-passwords - description: IAM Password policy should have requirement for at least one uppercase character. - checks: - - id: AVD-AWS-0061 - severity: MEDIUM - - id: "1.6" - name: require-lowercase-in-passwords - description: IAM Password policy should have requirement for at least one lowercase character. - checks: - - id: AVD-AWS-0058 - severity: MEDIUM - - id: "1.7" - name: require-symbols-in-passwords - description: IAM Password policy should have requirement for at least one symbol in the password. - checks: - - id: AVD-AWS-0060 - severity: MEDIUM - - id: "1.8" - name: require-numbers-in-passwords - description: IAM Password policy should have requirement for at least one number in the password. - checks: - - id: AVD-AWS-0059 - severity: MEDIUM - - id: "1.9" - name: set-minimum-password-length - description: IAM Password policy should have minimum password length of 14 or more characters. - checks: - - id: AVD-AWS-0063 - severity: MEDIUM - - id: "2.3" - name: no-public-log-access - description: The S3 Bucket backing Cloudtrail should be private - checks: - - id: AVD-AWS-0161 - severity: CRITICAL - - id: "2.4" - name: ensure-cloudwatch-integration - description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs - checks: - - id: AVD-AWS-0162 - severity: LOW - - id: "2.5" - name: enable-all-regions - description: Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed - checks: - - id: AVD-AWS-0014 - severity: MEDIUM - - id: "2.6" - name: require-bucket-access-logging - description: You should enable bucket access logging on the CloudTrail S3 bucket. 
- checks: - - id: AVD-AWS-0163 - severity: LOW - - id: "3.1" - name: require-unauthorised-api-call-alarm - description: Ensure a log metric filter and alarm exist for unauthorized API calls - checks: - - id: AVD-AWS-0147 - severity: LOW - - id: "3.10" - name: require-sg-change-alarms - description: Ensure a log metric filter and alarm exist for security group changes - checks: - - id: AVD-AWS-0156 - severity: LOW - - id: "3.11" - name: require-nacl-changes-alarm - description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - checks: - - id: AVD-AWS-0157 - severity: LOW - - id: "3.12" - name: require-network-gateway-changes-alarm - description: Ensure a log metric filter and alarm exist for changes to network gateways - checks: - - id: AVD-AWS-0158 - severity: LOW - - id: "3.13" - name: require-network-gateway-changes-alarm - description: Ensure a log metric filter and alarm exist for route table changes - checks: - - id: AVD-AWS-0159 - severity: LOW - - id: "3.14" - name: require-vpc-changes-alarm - description: Ensure a log metric filter and alarm exist for VPC changes - checks: - - id: AVD-AWS-0160 - severity: LOW - - id: "3.2" - name: require-non-mfa-login-alarm - description: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA - checks: - - id: AVD-AWS-0148 - severity: LOW - - id: "3.3" - name: require-root-user-usage-alarm - description: Ensure a log metric filter and alarm exist for usage of root user - checks: - - id: AVD-AWS-0149 - severity: LOW - - id: "3.4" - name: require-iam-policy-change-alarm - description: Ensure a log metric filter and alarm exist for IAM policy changes - checks: - - id: AVD-AWS-0150 - severity: LOW - - id: "3.5" - name: require-cloud-trail-change-alarm - description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes - checks: - - id: AVD-AWS-0151 - severity: LOW - - id: "3.6" - name: 
require-console-login-failures-alarm - description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - checks: - - id: AVD-AWS-0152 - severity: LOW - - id: "3.7" - name: require-cmk-disabled-alarm - description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys - checks: - - id: AVD-AWS-0153 - severity: LOW - - id: "3.8" - name: require-s3-bucket-policy-change-alarm - description: Ensure a log metric filter and alarm exist for S3 bucket policy changes - checks: - - id: AVD-AWS-0154 - severity: LOW - - id: "3.9" - name: require-config-configuration-changes-alarm - description: Ensure a log metric filter and alarm exist for AWS Config configuration changes - checks: - - id: AVD-AWS-0155 - severity: LOW - - id: "4.1" - name: no-public-ingress-sgr - description: Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 or port 3389. - checks: - - id: AVD-AWS-0107 - severity: HIGH - - id: "4.2" - name: no-public-ingress-sgr - description: Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 or port 3389. - checks: - - id: AVD-AWS-0107 - severity: HIGH \ No newline at end of file + - id: "1.1" + name: limit-root-account-usage + description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. + checks: + - id: AVD-AWS-0140 + severity: LOW + - id: "1.10" + name: no-password-reuse + description: IAM Password policy should prevent password reuse. + checks: + - id: AVD-AWS-0056 + severity: MEDIUM + - id: "1.11" + name: set-max-password-age + description: IAM Password policy should have expiry less than or equal to 90 days. + checks: + - id: AVD-AWS-0062 + severity: MEDIUM + - id: "1.12" + name: no-root-access-keys + description: The root user has complete access to all services and resources in an AWS account. 
AWS Access Keys provide programmatic access to a given account. + checks: + - id: AVD-AWS-0141 + severity: CRITICAL + - id: "1.13" + name: enforce-root-mfa + description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that this account have MFA enabled. + checks: + - id: AVD-AWS-0142 + severity: CRITICAL + - id: "1.16" + name: no-user-attached-policies + description: IAM policies should not be granted directly to users. + checks: + - id: AVD-AWS-0143 + severity: LOW + - id: "1.2" + name: enforce-user-mfa + description: IAM Users should have MFA enforcement activated. + checks: + - id: AVD-AWS-0145 + severity: MEDIUM + - id: "1.3" + name: disable-unused-credentials + description: Credentials which are no longer used should be disabled. + checks: + - id: AVD-AWS-0144 + severity: MEDIUM + - id: "1.4" + name: rotate-access-keys + description: Access keys should be rotated at least every 90 days + checks: + - id: AVD-AWS-0146 + severity: LOW + - id: "1.5" + name: require-uppercase-in-passwords + description: IAM Password policy should have requirement for at least one uppercase character. + checks: + - id: AVD-AWS-0061 + severity: MEDIUM + - id: "1.6" + name: require-lowercase-in-passwords + description: IAM Password policy should have requirement for at least one lowercase character. + checks: + - id: AVD-AWS-0058 + severity: MEDIUM + - id: "1.7" + name: require-symbols-in-passwords + description: IAM Password policy should have requirement for at least one symbol in the password. + checks: + - id: AVD-AWS-0060 + severity: MEDIUM + - id: "1.8" + name: require-numbers-in-passwords + description: IAM Password policy should have requirement for at least one number in the password. + checks: + - id: AVD-AWS-0059 + severity: MEDIUM + - id: "1.9" + name: set-minimum-password-length + description: IAM Password policy should have minimum password length of 14 or more characters. 
+ checks: + - id: AVD-AWS-0063 + severity: MEDIUM + - id: "2.3" + name: no-public-log-access + description: The S3 Bucket backing Cloudtrail should be private + checks: + - id: AVD-AWS-0161 + severity: CRITICAL + - id: "2.4" + name: ensure-cloudwatch-integration + description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs + checks: + - id: AVD-AWS-0162 + severity: LOW + - id: "2.5" + name: enable-all-regions + description: Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed + checks: + - id: AVD-AWS-0014 + severity: MEDIUM + - id: "2.6" + name: require-bucket-access-logging + description: You should enable bucket access logging on the CloudTrail S3 bucket. + checks: + - id: AVD-AWS-0163 + severity: LOW + - id: "3.1" + name: require-unauthorised-api-call-alarm + description: Ensure a log metric filter and alarm exist for unauthorized API calls + checks: + - id: AVD-AWS-0147 + severity: LOW + - id: "3.10" + name: require-sg-change-alarms + description: Ensure a log metric filter and alarm exist for security group changes + checks: + - id: AVD-AWS-0156 + severity: LOW + - id: "3.11" + name: require-nacl-changes-alarm + description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) + checks: + - id: AVD-AWS-0157 + severity: LOW + - id: "3.12" + name: require-network-gateway-changes-alarm + description: Ensure a log metric filter and alarm exist for changes to network gateways + checks: + - id: AVD-AWS-0158 + severity: LOW + - id: "3.13" + name: require-network-gateway-changes-alarm + description: Ensure a log metric filter and alarm exist for route table changes + checks: + - id: AVD-AWS-0159 + severity: LOW + - id: "3.14" + name: require-vpc-changes-alarm + description: Ensure a log metric filter and alarm exist for VPC changes + checks: + - id: AVD-AWS-0160 + severity: LOW + - id: "3.2" + name: require-non-mfa-login-alarm + description: Ensure a 
log metric filter and alarm exist for AWS Management Console sign-in without MFA + checks: + - id: AVD-AWS-0148 + severity: LOW + - id: "3.3" + name: require-root-user-usage-alarm + description: Ensure a log metric filter and alarm exist for usage of root user + checks: + - id: AVD-AWS-0149 + severity: LOW + - id: "3.4" + name: require-iam-policy-change-alarm + description: Ensure a log metric filter and alarm exist for IAM policy changes + checks: + - id: AVD-AWS-0150 + severity: LOW + - id: "3.5" + name: require-cloud-trail-change-alarm + description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes + checks: + - id: AVD-AWS-0151 + severity: LOW + - id: "3.6" + name: require-console-login-failures-alarm + description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures + checks: + - id: AVD-AWS-0152 + severity: LOW + - id: "3.7" + name: require-cmk-disabled-alarm + description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys + checks: + - id: AVD-AWS-0153 + severity: LOW + - id: "3.8" + name: require-s3-bucket-policy-change-alarm + description: Ensure a log metric filter and alarm exist for S3 bucket policy changes + checks: + - id: AVD-AWS-0154 + severity: LOW + - id: "3.9" + name: require-config-configuration-changes-alarm + description: Ensure a log metric filter and alarm exist for AWS Config configuration changes + checks: + - id: AVD-AWS-0155 + severity: LOW + - id: "4.1" + name: no-public-ingress-sgr + description: Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 or port 3389. + checks: + - id: AVD-AWS-0107 + severity: HIGH + - id: "4.2" + name: no-public-ingress-sgr + description: Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 or port 3389. + checks: + - id: AVD-AWS-0107 + severity: HIGH 
diff --git a/pkg/specs/compliance/aws-cis-1.4.yaml b/pkg/specs/compliance/aws-cis-1.4.yaml index 9193a446..58025e2f 100644 --- a/pkg/specs/compliance/aws-cis-1.4.yaml +++ b/pkg/specs/compliance/aws-cis-1.4.yaml 
@@ -3,245 +3,224 @@ spec: title: AWS CIS Foundations v1.4 description: AWS CIS Foundations version: "1.4" - platfrom: aws + platform: aws type: cis relatedResources: - - https://www.cisecurity.org/benchmark/amazon_web_services + - https://www.cisecurity.org/benchmark/amazon_web_services controls: - - id: 2.1.3 - name: require-mfa-delete - description: Buckets should have MFA deletion protection enabled. - checks: - - id: AVD-AWS-0170 - severity: LOW - - id: "1.12" - name: disable-unused-credentials-45-days - description: |- - AWS IAM users can access AWS resources using different types of credentials, such as - passwords or access keys. It is recommended that all credentials that have been unused in - 45 or greater days be deactivated or removed. - checks: - - id: AVD-AWS-0166 - severity: LOW - - id: "1.13" - name: limit-user-access-keys - description: No user should have more than one active access key. - checks: - - id: AVD-AWS-0167 - severity: LOW - - id: "1.14" - name: rotate-access-keys - description: Access keys should be rotated at least every 90 days - checks: - - id: AVD-AWS-0146 - severity: LOW - - id: "1.15" - name: no-user-attached-policies - description: IAM policies should not be granted directly to users. - checks: - - id: AVD-AWS-0143 - severity: LOW - - id: "1.16" - name: no-policy-wildcards - description: IAM policy should avoid use of wildcards and instead apply the principle of least privilege - checks: - - id: AVD-AWS-0057 - severity: HIGH - - id: "1.17" - name: require-support-role - description: Missing IAM Role to allow authorized users to manage incidents with AWS Support. - checks: - - id: AVD-AWS-0169 - severity: LOW - - id: "1.19" - name: remove-expired-certificates - description: Delete expired TLS certificates - checks: - - id: AVD-AWS-0168 - severity: LOW - - id: "1.20" - name: enable-access-analyzer - description: Enable IAM Access analyzer for IAM policies about all resources in each region. 
- checks: - - id: AVD-AWS-0175 - severity: LOW - - id: "1.4" - name: enforce-user-mfa - description: IAM Users should have MFA enforcement activated. - checks: - - id: AVD-AWS-0145 - severity: MEDIUM - - id: "1.4" - name: no-root-access-keys - description: The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account. - checks: - - id: AVD-AWS-0141 - severity: CRITICAL - - id: "1.5" - name: enforce-root-mfa - description: |- - The "root" account has unrestricted access to all resources in the AWS account. It is highly - recommended that this account have MFA enabled. - checks: - - id: AVD-AWS-0142 - severity: CRITICAL - - id: "1.6" - name: enforce-root-hardware-mfa - description: |- - The "root" account has unrestricted access to all resources in the AWS account. It is highly - recommended that this account have hardware MFA enabled. - checks: - - id: AVD-AWS-0165 - severity: MEDIUM - - id: "1.7" - name: limit-root-account-usage - description: |- - The "root" account has unrestricted access to all resources in the AWS account. It is highly - recommended that the use of this account be avoided. - checks: - - id: AVD-AWS-0140 - severity: LOW - - id: "1.8" - name: set-minimum-password-length - description: IAM Password policy should have minimum password length of 14 or more characters. - checks: - - id: AVD-AWS-0063 - severity: MEDIUM - - id: "1.9" - name: no-password-reuse - description: IAM Password policy should prevent password reuse. - checks: - - id: AVD-AWS-0056 - severity: MEDIUM - - id: "3.10" - name: enable-object-write-logging - description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. 
- checks: - - id: AVD-AWS-0171 - severity: LOW - - id: "3.11" - name: enable-object-read-logging - description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. - checks: - - id: AVD-AWS-0172 - severity: LOW - - id: "3.3" - name: no-public-log-access - description: The S3 Bucket backing Cloudtrail should be private - checks: - - id: AVD-AWS-0161 - severity: CRITICAL - - id: "3.4" - name: ensure-cloudwatch-integration - description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs - checks: - - id: AVD-AWS-0162 - severity: LOW - - id: "3.6" - name: require-bucket-access-logging - description: You should enable bucket access logging on the CloudTrail S3 bucket. - checks: - - id: AVD-AWS-0163 - severity: LOW - - id: "4.10" - name: require-sg-change-alarms - description: Ensure a log metric filter and alarm exist for security group changes - checks: - - id: AVD-AWS-0156 - severity: LOW - - id: "4.1" - name: require-unauthorised-api-call-alarm - description: Ensure a log metric filter and alarm exist for unauthorized API calls - checks: - - id: AVD-AWS-0147 - severity: LOW - - id: "4.11" - name: require-nacl-changes-alarm - description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) - checks: - - id: AVD-AWS-0157 - severity: LOW - - id: "4.12" - name: require-network-gateway-changes-alarm - description: Ensure a log metric filter and alarm exist for changes to network gateways - checks: - - id: AVD-AWS-0158 - severity: LOW - - id: "4.13" - name: require-network-gateway-changes-alarm - description: Ensure a log metric filter and alarm exist for route table changes - checks: - - id: AVD-AWS-0159 - severity: LOW - - id: "4.14" - name: require-vpc-changes-alarm - description: Ensure a log metric filter and alarm exist for VPC 
changes - checks: - - id: AVD-AWS-0160 - severity: LOW - - id: "4.15" - name: require-org-changes-alarm - description: Ensure a log metric filter and alarm exist for organisation changes - checks: - - id: AVD-AWS-0174 - severity: LOW - - id: "4.2" - name: require-non-mfa-login-alarm - description: Ensure a log metric filter and alarm exist for AWS Management Console sign-in without MFA - checks: - - id: AVD-AWS-0148 - severity: LOW - - id: "4.3" - name: require-root-user-usage-alarm - description: Ensure a log metric filter and alarm exist for usage of root user - checks: - - id: AVD-AWS-0149 - severity: LOW - - id: "4.4" - name: require-iam-policy-change-alarm - description: Ensure a log metric filter and alarm exist for IAM policy changes - checks: - - id: AVD-AWS-0150 - severity: LOW - - id: "4.5" - name: require-cloud-trail-change-alarm - description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes - checks: - - id: AVD-AWS-0151 - severity: LOW - - id: "4.6" - name: require-console-login-failures-alarm - description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures - checks: - - id: AVD-AWS-0152 - severity: LOW - - id: "4.7" - name: require-cmk-disabled-alarm - description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys - checks: - - id: AVD-AWS-0153 - severity: LOW - - id: "4.8" - name: require-s3-bucket-policy-change-alarm - description: Ensure a log metric filter and alarm exist for S3 bucket policy changes - checks: - - id: AVD-AWS-0154 - severity: LOW - - id: "4.9" - name: require-config-configuration-changes-alarm - description: Ensure a log metric filter and alarm exist for AWS Config configuration changes - checks: - - id: AVD-AWS-0155 - severity: LOW - - id: "5.1" - name: aws-vpc-no-public-ingress-acl - description: Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389. 
- checks: - - id: AVD-AWS-0105 - severity: MEDIUM - - id: "5.3" - name: restrict-all-in-default-sg - description: Default security group should restrict all traffic - checks: - - id: AVD-AWS-0173 - severity: LOW \ No newline at end of file + - id: "1.12" + name: disable-unused-credentials-45-days + description: Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used. + checks: + - id: AVD-AWS-0166 + severity: LOW + - id: "1.13" + name: limit-user-access-keys + description: No user should have more than one active access key. + checks: + - id: AVD-AWS-0167 + severity: LOW + - id: "1.14" + name: rotate-access-keys + description: Access keys should be rotated at least every 90 days + checks: + - id: AVD-AWS-0146 + severity: LOW + - id: "1.15" + name: no-user-attached-policies + description: IAM policies should not be granted directly to users. + checks: + - id: AVD-AWS-0143 + severity: LOW + - id: "1.19" + name: remove-expired-certificates + description: Delete expired TLS certificates + checks: + - id: AVD-AWS-0168 + severity: LOW + - id: "1.20" + name: enable-access-analyzer + description: Enable IAM Access analyzer for IAM policies about all resources in each region. + checks: + - id: AVD-AWS-0175 + severity: LOW + - id: "1.4" + name: enforce-user-mfa + description: IAM Users should have MFA enforcement activated. + checks: + - id: AVD-AWS-0145 + severity: MEDIUM + - id: "1.4" + name: no-root-access-keys + description: The root user has complete access to all services and resources in an AWS account. AWS Access Keys provide programmatic access to a given account. + checks: + - id: AVD-AWS-0141 + severity: CRITICAL + - id: "1.5" + name: enforce-root-mfa + description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that this account have MFA enabled. 
+ checks: + - id: AVD-AWS-0142 + severity: CRITICAL + - id: "1.6" + name: enforce-root-hardware-mfa + description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that this account have hardware MFA enabled. + checks: + - id: AVD-AWS-0165 + severity: MEDIUM + - id: "1.7" + name: limit-root-account-usage + description: The "root" account has unrestricted access to all resources in the AWS account. It is highly recommended that the use of this account be avoided. + checks: + - id: AVD-AWS-0140 + severity: LOW + - id: "1.8" + name: set-minimum-password-length + description: IAM Password policy should have minimum password length of 14 or more characters. + checks: + - id: AVD-AWS-0063 + severity: MEDIUM + - id: "1.9" + name: no-password-reuse + description: IAM Password policy should prevent password reuse. + checks: + - id: AVD-AWS-0056 + severity: MEDIUM + - id: 2.1.3 + name: require-mfa-delete + description: Buckets should have MFA deletion protection enabled. + checks: + - id: AVD-AWS-0170 + severity: LOW + - id: "3.10" + name: enable-object-write-logging + description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. + checks: + - id: AVD-AWS-0171 + severity: LOW + - id: "3.11" + name: enable-object-read-logging + description: S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets. 
+ checks: + - id: AVD-AWS-0172 + severity: LOW + - id: "3.3" + name: no-public-log-access + description: The S3 Bucket backing Cloudtrail should be private + checks: + - id: AVD-AWS-0161 + severity: CRITICAL + - id: "3.4" + name: ensure-cloudwatch-integration + description: CloudTrail logs should be stored in S3 and also sent to CloudWatch Logs + checks: + - id: AVD-AWS-0162 + severity: LOW + - id: "3.6" + name: require-bucket-access-logging + description: You should enable bucket access logging on the CloudTrail S3 bucket. + checks: + - id: AVD-AWS-0163 + severity: LOW + - id: "4.1" + name: require-unauthorised-api-call-alarm + description: Ensure a log metric filter and alarm exist for unauthorized API calls + checks: + - id: AVD-AWS-0147 + severity: LOW + - id: "4.10" + name: require-sg-change-alarms + description: Ensure a log metric filter and alarm exist for security group changes + checks: + - id: AVD-AWS-0156 + severity: LOW + - id: "4.11" + name: require-nacl-changes-alarm + description: Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) + checks: + - id: AVD-AWS-0157 + severity: LOW + - id: "4.12" + name: require-network-gateway-changes-alarm + description: Ensure a log metric filter and alarm exist for changes to network gateways + checks: + - id: AVD-AWS-0158 + severity: LOW + - id: "4.13" + name: require-network-gateway-changes-alarm + description: Ensure a log metric filter and alarm exist for route table changes + checks: + - id: AVD-AWS-0159 + severity: LOW + - id: "4.14" + name: require-vpc-changes-alarm + description: Ensure a log metric filter and alarm exist for VPC changes + checks: + - id: AVD-AWS-0160 + severity: LOW + - id: "4.15" + name: require-org-changes-alarm + description: Ensure a log metric filter and alarm exist for organisation changes + checks: + - id: AVD-AWS-0174 + severity: LOW + - id: "4.2" + name: require-non-mfa-login-alarm + description: Ensure a log metric filter and alarm exist 
for AWS Management Console sign-in without MFA + checks: + - id: AVD-AWS-0148 + severity: LOW + - id: "4.3" + name: require-root-user-usage-alarm + description: Ensure a log metric filter and alarm exist for usage of root user + checks: + - id: AVD-AWS-0149 + severity: LOW + - id: "4.4" + name: require-iam-policy-change-alarm + description: Ensure a log metric filter and alarm exist for IAM policy changes + checks: + - id: AVD-AWS-0150 + severity: LOW + - id: "4.5" + name: require-cloud-trail-change-alarm + description: Ensure a log metric filter and alarm exist for CloudTrail configuration changes + checks: + - id: AVD-AWS-0151 + severity: LOW + - id: "4.6" + name: require-console-login-failures-alarm + description: Ensure a log metric filter and alarm exist for AWS Management Console authentication failures + checks: + - id: AVD-AWS-0152 + severity: LOW + - id: "4.7" + name: require-cmk-disabled-alarm + description: Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer managed keys + checks: + - id: AVD-AWS-0153 + severity: LOW + - id: "4.8" + name: require-s3-bucket-policy-change-alarm + description: Ensure a log metric filter and alarm exist for S3 bucket policy changes + checks: + - id: AVD-AWS-0154 + severity: LOW + - id: "4.9" + name: require-config-configuration-changes-alarm + description: Ensure a log metric filter and alarm exist for AWS Config configuration changes + checks: + - id: AVD-AWS-0155 + severity: LOW + - id: "5.1" + name: no-public-ingress-acl + description: Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389. + checks: + - id: AVD-AWS-0105 + severity: MEDIUM + - id: "5.3" + name: restrict-all-in-default-sg + description: Default security group should restrict all traffic + checks: + - id: AVD-AWS-0173 + severity: LOW
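Review bot: The regenerated aws-cis-1.4.yaml drops two controls that the old side carried — `1.16 no-policy-wildcards` (AVD-AWS-0057) and `1.17 require-support-role` (AVD-AWS-0169) — with nothing added in their place, so the benchmark's coverage shrinks and a compliance report keyed on those control IDs now comes back empty; a "chore" commit should not silently change what a framework asserts. Presumably those two checks no longer declare the CIS_AWS_1_4 mapping in their metadata; that mapping should be restored (or the removal stated in the commit message) rather than passed through by the generator. The new side also still emits `1.4` twice (`enforce-user-mfa` and `no-root-access-keys`), which points at a wrong control id in the enforce-user-mfa check's metadata — user MFA is a different control in CIS AWS 1.4 (1.10, if I recall the benchmark correctly) — and the generator has no way to surface this.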