From a1322dcdc125cabe797b35bf807971680e5706e0 Mon Sep 17 00:00:00 2001 From: Simar Date: Tue, 24 Oct 2023 00:58:59 -0600 Subject: [PATCH 1/3] chore(rules): dedupe AVD-AWS-0180 --- .../aws/rds/no_public_db_access.cf.go | 31 -------- .../policies/aws/rds/no_public_db_access.go | 63 ---------------- .../aws/rds/no_public_db_access.tf.go | 23 ------ .../aws/rds/no_public_db_access_test.go | 72 ------------------- 4 files changed, 189 deletions(-) delete mode 100644 rules/cloud/policies/aws/rds/no_public_db_access.cf.go delete mode 100755 rules/cloud/policies/aws/rds/no_public_db_access.go delete mode 100644 rules/cloud/policies/aws/rds/no_public_db_access.tf.go delete mode 100644 rules/cloud/policies/aws/rds/no_public_db_access_test.go diff --git a/rules/cloud/policies/aws/rds/no_public_db_access.cf.go b/rules/cloud/policies/aws/rds/no_public_db_access.cf.go deleted file mode 100644 index 8c4be392..00000000 --- a/rules/cloud/policies/aws/rds/no_public_db_access.cf.go +++ /dev/null @@ -1,31 +0,0 @@ -package rds - -var cloudFormationNoPublicDbAccessGoodExamples = []string{ - `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example -Resources: - Queue: - Type: AWS::RDS::DBInstance - Properties: - PubliclyAccessible: false - -`, -} - -var cloudFormationNoPublicDbAccessBadExamples = []string{ - `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example -Resources: - Queue: - Type: AWS::RDS::DBInstance - Properties: - PubliclyAccessible: true - -`, -} - -var cloudFormationNoPublicDbAccessLinks = []string{} - -var cloudFormationNoPublicDbAccessRemediationMarkdown = `` diff --git a/rules/cloud/policies/aws/rds/no_public_db_access.go b/rules/cloud/policies/aws/rds/no_public_db_access.go deleted file mode 100755 index bad1b981..00000000 --- a/rules/cloud/policies/aws/rds/no_public_db_access.go +++ /dev/null 
@@ -1,63 +0,0 @@ -package rds - -import ( - "github.com/aquasecurity/defsec/pkg/providers" - "github.com/aquasecurity/defsec/pkg/scan" - "github.com/aquasecurity/defsec/pkg/severity" - "github.com/aquasecurity/defsec/pkg/state" - "github.com/aquasecurity/trivy-policies/pkg/rules" -) - -var CheckNoPublicDbAccess = rules.Register( - scan.Rule{ - AVDID: "AVD-AWS-0082", - Provider: providers.AWSProvider, - Service: "rds", - ShortCode: "no-public-db-access", - Summary: "A database resource is marked as publicly accessible.", - Impact: "The database instance is publicly accessible", - Resolution: "Set the database to not be publicly accessible", - Explanation: `Database resources should not publicly available. You should limit all access to the minimum that is required for your application to function.`, - Links: []string{ - "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding", - }, - Terraform: &scan.EngineMetadata{ - GoodExamples: terraformNoPublicDbAccessGoodExamples, - BadExamples: terraformNoPublicDbAccessBadExamples, - Links: terraformNoPublicDbAccessLinks, - RemediationMarkdown: terraformNoPublicDbAccessRemediationMarkdown, - }, - CloudFormation: &scan.EngineMetadata{ - GoodExamples: cloudFormationNoPublicDbAccessGoodExamples, - BadExamples: cloudFormationNoPublicDbAccessBadExamples, - Links: cloudFormationNoPublicDbAccessLinks, - RemediationMarkdown: cloudFormationNoPublicDbAccessRemediationMarkdown, - }, - Severity: severity.Critical, - }, - func(s *state.State) (results scan.Results) { - for _, cluster := range s.AWS.RDS.Clusters { - for _, instance := range cluster.Instances { - if instance.PublicAccess.IsTrue() { - results.Add( - "Cluster instance is exposed publicly.", - instance.PublicAccess, - ) - } else { - results.AddPassed(&instance) - } - } - } - for _, instance := range s.AWS.RDS.Instances { - if instance.PublicAccess.IsTrue() { - results.Add( - "Instance is exposed publicly.", - 
instance.PublicAccess, - ) - } else { - results.AddPassed(&instance) - } - } - return - }, -) diff --git a/rules/cloud/policies/aws/rds/no_public_db_access.tf.go b/rules/cloud/policies/aws/rds/no_public_db_access.tf.go deleted file mode 100644 index 570f3eea..00000000 --- a/rules/cloud/policies/aws/rds/no_public_db_access.tf.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -var terraformNoPublicDbAccessGoodExamples = []string{ - ` - resource "aws_db_instance" "good_example" { - publicly_accessible = false - } -`, -} - -var terraformNoPublicDbAccessBadExamples = []string{ - ` - resource "aws_db_instance" "bad_example" { - publicly_accessible = true - } -`, -} - -var terraformNoPublicDbAccessLinks = []string{ - `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance`, -} - -var terraformNoPublicDbAccessRemediationMarkdown = `` diff --git a/rules/cloud/policies/aws/rds/no_public_db_access_test.go b/rules/cloud/policies/aws/rds/no_public_db_access_test.go deleted file mode 100644 index c87b02ca..00000000 --- a/rules/cloud/policies/aws/rds/no_public_db_access_test.go +++ /dev/null 
@@ -1,72 +0,0 @@ -package rds - -import ( - "testing" - - defsecTypes "github.com/aquasecurity/defsec/pkg/types" - - "github.com/aquasecurity/defsec/pkg/state" - - "github.com/aquasecurity/defsec/pkg/providers/aws/rds" - "github.com/aquasecurity/defsec/pkg/scan" - - "github.com/stretchr/testify/assert" -) - -func TestCheckNoPublicDbAccess(t *testing.T) { - tests := []struct { - name string - input rds.RDS - expected bool - }{ - { - name: "RDS Instance with public access enabled", - input: rds.RDS{ - Instances: []rds.Instance{ - { - Metadata: defsecTypes.NewTestMetadata(), - PublicAccess: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), - }, - }, - }, - expected: true, - }, - { - name: "RDS Instance with public access disabled", - input: rds.RDS{ - Clusters: []rds.Cluster{ - { - Metadata: defsecTypes.NewTestMetadata(), - Instances: []rds.ClusterInstance{ - { - Instance: rds.Instance{ - Metadata: defsecTypes.NewTestMetadata(), - PublicAccess: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), - }, - }, - }, - }, - }, - }, - expected: false, - }, - } - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - var testState state.State - testState.AWS.RDS = test.input - results := CheckNoPublicDbAccess.Evaluate(&testState) - var found bool - for _, result := range results { - if result.Status() == scan.StatusFailed && result.Rule().LongID() == CheckNoPublicDbAccess.LongID() { - found = true - } - } - if test.expected { - assert.True(t, found, "Rule should have been found") - } else { - assert.False(t, found, "Rule should not have been found") - } - }) - } -} From 1996196fd516d256e7c38cf55ebfeb3e39cc0ae1 Mon Sep 17 00:00:00 2001 
From: Nikita Pivkin Date: Tue, 24 Oct 2023 17:44:39 +0700 Subject: [PATCH 2/3] restore examples --- .../aws/rds/disable_public_access.cf.go | 31 +++++++++++++++++++ .../aws/rds/disable_public_access.rego | 8 ++--- .../aws/rds/disable_public_access.tf.go | 23 ++++++++++++++ 3 files changed, 58 insertions(+), 4 deletions(-) create mode 100644 rules/cloud/policies/aws/rds/disable_public_access.cf.go create mode 100644 rules/cloud/policies/aws/rds/disable_public_access.tf.go diff --git a/rules/cloud/policies/aws/rds/disable_public_access.cf.go b/rules/cloud/policies/aws/rds/disable_public_access.cf.go new file mode 100644 index 00000000..8c4be392 --- /dev/null +++ b/rules/cloud/policies/aws/rds/disable_public_access.cf.go @@ -0,0 +1,31 @@ +package rds + +var cloudFormationNoPublicDbAccessGoodExamples = []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Queue: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: false + +`, +} + +var cloudFormationNoPublicDbAccessBadExamples = []string{ + `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad example +Resources: + Queue: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: true + +`, +} + +var cloudFormationNoPublicDbAccessLinks = []string{} + +var cloudFormationNoPublicDbAccessRemediationMarkdown = `` diff --git a/rules/cloud/policies/aws/rds/disable_public_access.rego b/rules/cloud/policies/aws/rds/disable_public_access.rego index b7a34fc3..655f188d 100644 --- a/rules/cloud/policies/aws/rds/disable_public_access.rego +++ b/rules/cloud/policies/aws/rds/disable_public_access.rego @@ -1,6 +1,6 @@ # METADATA # title: "RDS Publicly Accessible" -# description: "Ensures RDS instances are not launched into the public cloud." +# description: "Ensures RDS instances and RDS Cluster instances are not launched into the public cloud." # scope: package # schemas: # - input: schema["cloud"] 
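Review bot: The restored CloudFormation examples give the `AWS::RDS::DBInstance` resource the logical ID `Queue` in both the good and the bad template, which reads like a copy-paste from an SQS example and is what users will see in generated rule documentation; `  Database:` (or `DBInstance:`) would match the resource type. The file also restores `cloudFormationNoPublicDbAccessBadExamples` plus the empty `Links` and `RemediationMarkdown` variables, but the rego metadata touched in this series only wires `good_examples:` for cloud_formation, so unless the loader derives bad examples and links from the same file by convention these variables are now unreferenced — worth confirming or trimming rather than carrying dead fixtures forward.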
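Review bot: The new description `Ensures RDS instances and RDS Cluster instances are not launched into the public cloud.` misstates what the check evaluates: the rule body reads `publicaccess`, i.e. the RDS PubliclyAccessible flag, which gives an instance a public IP and a publicly resolvable endpoint while it still sits inside a VPC — it says nothing about where the instance is launched. Suggest `# description: "Ensures RDS instances and RDS cluster instances are not publicly accessible (PubliclyAccessible must be false)."`. The deleted Go rule also carried the remediation link `https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding`; if the rego metadata block supports a links/related-resources field (not visible in this hunk), carrying it over preserves the pointer users of AVD-AWS-0082 had.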
@@ -12,7 +12,7 @@ # service: rds # severity: HIGH # short_code: enable-public-access -# recommended_action: "Remove the public endpoint from the RDS instance'" +# recommended_action: "Remove the public endpoint from the RDS instance." # input: # selector: # - type: cloud @@ -20,9 +20,9 @@ # - service: rds # provider: aws # terraform: -# good_examples: "rules/cloud/policies/aws/rds/no_public_db_access.tf.go" +# good_examples: "rules/cloud/policies/aws/rds/disable_public_access.tf.go" # cloud_formation: -# good_examples: "rules/cloud/policies/aws/rds/no_public_db_access.cf.go" +# good_examples: "rules/cloud/policies/aws/rds/disable_public_access.cf.go" package builtin.aws.rds.aws0180 diff --git a/rules/cloud/policies/aws/rds/disable_public_access.tf.go b/rules/cloud/policies/aws/rds/disable_public_access.tf.go new file mode 100644 index 00000000..570f3eea --- /dev/null +++ b/rules/cloud/policies/aws/rds/disable_public_access.tf.go @@ -0,0 +1,23 @@ +package rds + +var terraformNoPublicDbAccessGoodExamples = []string{ + ` + resource "aws_db_instance" "good_example" { + publicly_accessible = false + } +`, +} + +var terraformNoPublicDbAccessBadExamples = []string{ + ` + resource "aws_db_instance" "bad_example" { + publicly_accessible = true + } +`, +} + +var terraformNoPublicDbAccessLinks = []string{ + `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance`, +} + +var terraformNoPublicDbAccessRemediationMarkdown = `` From 8ef1b4f88aa6f4be8a52b5fb0ce4e8ac3ad1b473 Mon Sep 17 00:00:00 2001 From: Nikita Pivkin Date: Tue, 24 Oct 2023 17:46:46 +0700 Subject: [PATCH 3/3] check public access on RDS cluster instances --- .../cloud/policies/aws/rds/disable_public_access.rego | 6 ++++++ .../policies/aws/rds/disable_public_access_test.rego | 10 ++++++++++ 2 files changed, 16 insertions(+) diff --git a/rules/cloud/policies/aws/rds/disable_public_access.rego b/rules/cloud/policies/aws/rds/disable_public_access.rego index 655f188d..a88d9ae4 100644 
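Review bot: Folding AVD-AWS-0082 into this rule silently changes the reported severity: the deleted Go rule was registered with `Severity: severity.Critical` (patch 1 of this series), while the context line here keeps `# severity: HIGH`, so any pipeline gate or ignore policy keyed on a critical rating for a publicly reachable RDS instance now receives a lower rating with no mention in the commit message. Either change the line to `# severity: CRITICAL` or state in the commit/changelog that the downgrade is intentional, so the dedupe is behaviour-transparent. Separately, the context line `# short_code: enable-public-access` reads as the opposite of the check's intent (the removed rule used `no-public-db-access`); renaming may break existing filter references, so it is a judgement call, but a one-line comment explaining the inverted code would avoid the next reader assuming it is a bug.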
--- a/rules/cloud/policies/aws/rds/disable_public_access.rego
+++ b/rules/cloud/policies/aws/rds/disable_public_access.rego
@@ -31,3 +31,9 @@ deny[res] {
 instance.publicaccess.value
 res := result.new("Instance has Public Access enabled", instance.publicaccess)
 }
+
+deny[res] {
+ instance := input.aws.rds.clusters[_].instances[_].instance
+ instance.publicaccess.value
+ res := result.new("Cluster instance has Public Access enabled", instance.publicaccess)
+}
diff --git a/rules/cloud/policies/aws/rds/disable_public_access_test.rego b/rules/cloud/policies/aws/rds/disable_public_access_test.rego
index 496061ab..fae9110d 100644
--- a/rules/cloud/policies/aws/rds/disable_public_access_test.rego
+++ b/rules/cloud/policies/aws/rds/disable_public_access_test.rego
@@ -9,3 +9,13 @@ test_when_enabled {
 r := deny with input as {"aws": {"rds": {"instances": [{"publicaccess": {"value": true}}]}}}
 count(r) == 1
 }
+
+test_when_cluster_disabled {
+ r := deny with input as {"aws": {"rds": {"clusters": [{"instances": [{"instance": {"publicaccess": {"value": false}}}]}]}}}
+ count(r) == 0
+}
+
+test_when_cluster_enabled {
+ r := deny with input as {"aws": {"rds": {"clusters": [{"instances": [{"instance": {"publicaccess": {"value": true}}}]}]}}}
+ count(r) == 1
+}
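Review bot: The new cluster-instance rule drops a behaviour the deleted Go implementation had: that check called `results.AddPassed(&instance)` for every instance whose public access was off (patch 1), whereas a rego `deny` rule only yields failures, so correctly configured cluster instances will no longer appear as passed findings unless the rego engine synthesises passes for non-matching inputs — not visible here, so worth confirming. When a cluster instance has no `publicaccess` attribute the body is simply undefined and nothing is reported; that is the right outcome for "not flagged", but it is also the same silent path a parser that never populated the field would take, so a comment such as `# a cluster instance without a publicaccess attribute is treated as not public` above the rule would record that this is deliberate.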
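Review bot: The new tests only exercise an explicit `true`/`false` on `publicaccess`; there is no case for a cluster whose instance lacks the attribute, and none with a mix of public and non-public instances to show that `count(r)` reflects each offending instance rather than one result per cluster. A mixed-instance test pins the per-instance semantics the rule's `[_].instances[_]` iteration is meant to have.
```rego
test_when_cluster_mixed {
	r := deny with input as {"aws": {"rds": {"clusters": [{"instances": [{"instance": {"publicaccess": {"value": true}}}, {"instance": {"publicaccess": {"value": false}}}]}]}}}
	count(r) == 1
}
```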