
refactor(checks): migrate from Go to Rego
nikpivkin committed Jun 10, 2024
1 parent 7e2b879 commit 92c7195
Showing 328 changed files with 7,696 additions and 7,323 deletions.
2 changes: 2 additions & 0 deletions .gitignore
@@ -1,3 +1,5 @@
.idea
bundle.tar.gz
opa
.vscode/
.DS_Store
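--- a/checks/cloud/aws/accessanalyzer/accessanalyzer.go
+++ b/checks/cloud/aws/accessanalyzer/accessanalyzer.go
@@ -0,0 +1 @@
+package accessanalyzer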
57 changes: 0 additions & 57 deletions checks/cloud/aws/accessanalyzer/enable_access_analyzer.go

This file was deleted.

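--- a/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego
+++ b/checks/cloud/aws/accessanalyzer/enable_access_analyzer.rego
@@ -0,0 +1,45 @@
+# METADATA
+# title: Enable IAM Access analyzer for IAM policies about all resources in each region.
+# description: |
+# AWS IAM Access Analyzer helps you identify the resources in your organization and
+# accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
+# This lets you identify unintended access to your resources and data. Access Analyzer
+# identifies resources that are shared with external principals by using logic-based reasoning
+# to analyze the resource-based policies in your AWS environment. IAM Access Analyzer
+# continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service)
+# keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
+# custom:
+# id: AVD-AWS-0175
+# avd_id: AVD-AWS-0175
+# provider: aws
+# service: accessanalyzer
+# severity: LOW
+# short_code: enable-access-analyzer
+# recommended_action: Enable IAM Access analyzer across all regions.
+# frameworks:
+# cis-aws-1.4:
+# - "1.20"
+# input:
+# selector:
+# - type: aws
+# subtypes:
+# - service: accessanalyzer
+# provider: aws
+package builtin.aws.accessanalyzer.aws0175
+
+import rego.v1
+
+deny contains res if {
+not has_active_analyzer
+res := result.new("Access Analyzer is not enabled.", {})
+}
+
+has_active_analyzer if {
+some analyzer in input.aws.accessanalyzer.analyzers
+analyzer.active.value
+}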
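Review bot: has_active_analyzer passes the whole account as soon as a single analyzer anywhere reports active, while the title and recommended_action in the metadata promise coverage of each region; if the adapter flattens analyzers from every region into one list, one analyzer in one region silences the finding for all of them, which is presumably looser than CIS 1.20 intends. Unless per-region data is simply not available under `input.aws.accessanalyzer`, that weaker contract should be stated next to the helper, e.g. `# NOTE: any active analyzer satisfies this check; per-region coverage is not verified`. Passing `{}` as the second argument to result.new also leaves the finding with nothing to point at, which is presumably unavoidable for an account-level absence but deserves a one-line comment on that line.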
75 changes: 0 additions & 75 deletions checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.go

This file was deleted.

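--- a/checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.rego
+++ b/checks/cloud/aws/accessanalyzer/enable_access_analyzer_test.rego
@@ -0,0 +1,26 @@
+package builtin.aws.accessanalyzer.aws0175_test
+
+import rego.v1
+
+import data.builtin.aws.accessanalyzer.aws0175 as check
+import data.lib.test
+
+test_disallow_no_analyzers if {
+r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": []}}}
+test.assert_equal_message("Access Analyzer is not enabled.", r)
+}
+
+test_disallow_analyzer_disabled if {
+r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}]}}}
+test.assert_equal_message("Access Analyzer is not enabled.", r)
+}
+
+test_allow_one_of_analyzer_disabled if {
+r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": false}}, {"active": {"value": true}}]}}}
+test.assert_empty(r)
+}
+
+test_allow_analyzer_enabled if {
+r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{"active": {"value": true}}]}}}
+test.assert_empty(r)
+}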
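Review bot: None of the four cases exercises an analyzer object that lacks the `active` field, which is the input where `analyzer.active.value` is undefined rather than false; the check is expected to deny there as well, and the current suite would not notice a later rewrite of the helper into an explicit `== false` comparison that lets such an object through. A fifth case next to test_disallow_analyzer_disabled pins that behaviour.
```rego
test_disallow_analyzer_without_active_field if {
	r := check.deny with input as {"aws": {"accessanalyzer": {"analyzers": [{}]}}}
	test.assert_equal_message("Access Analyzer is not enabled.", r)
}
```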
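--- a/checks/cloud/aws/apigateway/apigateway.go
+++ b/checks/cloud/aws/apigateway/apigateway.go
@@ -0,0 +1 @@
+package apigateway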
71 changes: 0 additions & 71 deletions checks/cloud/aws/apigateway/enable_access_logging.go

This file was deleted.

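--- a/checks/cloud/aws/apigateway/enable_access_logging.rego
+++ b/checks/cloud/aws/apigateway/enable_access_logging.rego
@@ -0,0 +1,49 @@
+# METADATA
+# title: API Gateway stages for V1 and V2 should have access logging enabled
+# description: |
+# API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.
+# scope: package
+# schemas:
+# - input: schema["cloud"]
+# related_resources:
+# - https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
+# custom:
+# id: AVD-AWS-0001
+# avd_id: AVD-AWS-0001
+# provider: aws
+# service: api-gateway
+# severity: MEDIUM
+# short_code: enable-access-logging
+# recommended_action: Enable logging for API Gateway stages
+# input:
+# selector:
+# - type: aws
+# subtypes:
+# - service: api-gateway
+# provider: aws
+# terraform:
+# links:
+# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage#access_log_settings
+# good_examples: checks/cloud/aws/apigateway/enable_access_logging.tf.go
+# bad_examples: checks/cloud/aws/apigateway/enable_access_logging.tf.go
+# cloudformation:
+# good_examples: checks/cloud/aws/apigateway/enable_access_logging.cf.go
+# bad_examples: checks/cloud/aws/apigateway/enable_access_logging.cf.go
+package builtin.aws.apigateway.aws0001
+
+import rego.v1
+
+deny contains res if {
+some stage in apis[_].stages
+stage.__defsec_metadata.managed
+
+arn := stage.accesslogging.cloudwatchloggrouparn
+arn.value == "" # TODO: check if unresolvable?
+
+res := result.new("Access logging is not configured.", arn)
+}
+
+# TODO: use map?
+apis contains input.aws.apigateway.v1.apis[_]
+
+apis contains input.aws.apigateway.v2.apis[_]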
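Review bot: The comparison `arn.value == ""` on the line carrying the TODO leaves the open question in a way that matters: when a stage has no accesslogging block, or the ARN attribute is absent or unresolvable, `arn` is undefined, the rule body fails and the stage passes silently, although a missing access_log_settings block is presumably the most common misconfiguration this check exists to catch. Unless the adapter guarantees the attribute is always present with an empty string value, move the test into a helper so that both the absent and the empty case deny, and attach the finding to the stage rather than to the possibly-missing attribute; I could not confirm from here whether `result.new` accepts a stage object as its second argument, so that part needs verifying against the library. The `# TODO: use map?` above the apis rules is unrelated to correctness and can stay.
```rego
deny contains res if {
	some stage in apis[_].stages
	stage.__defsec_metadata.managed
	not has_log_group(stage)
	res := result.new("Access logging is not configured.", stage)
}

# An absent ARN attribute and an empty one are both "not configured".
has_log_group(stage) if stage.accesslogging.cloudwatchloggrouparn.value != ""

# … unchanged: apis rules …
```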