feat: Included 12.1 and 12.2 rules for aws nist 800-53 rev4
m-pizarro committed May 13, 2022
1 parent f8cab8a commit 54e3947
Showing 6 changed files with 184 additions and 247 deletions.
93 changes: 49 additions & 44 deletions src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.1.ts
@@ -1,60 +1,65 @@
export default {
id: 'aws-nist-800-53-rev4-11.1',
title: 'ECS task definitions should limit memory usage for containers',
title: 'AWS NIST 11.1 ECS task definitions should limit memory usage for containers',

description: `'Limiting memory usage for your ECS tasks allows you to avoid running out of memory because ECS stops placing tasks on the instance, and Docker kills any containers that try to go over the hard limit. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.'`,
description: `Limiting memory usage for your ECS tasks allows you to avoid running out of memory because ECS stops placing tasks on the instance, and Docker kills any containers that try to go over the hard limit. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.
Memory limits must be set through the *memory* property for each *ContainerDefinition* within the task definition. For more information about the *memory* property, see [ContainerDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html) in the ECS API Reference.`,

audit: '',

rationale: '',

remediation: `**AWS Console**
- Navigate to ECS.
remediation: `**Console Remediation Steps**
- Navigate to [ECS](https://console.aws.amazon.com/ecs/).
- Select the Region that contains your task definition.
- In the left pane, select Task Definitions.
- Check the task definition and click Create new revision.
- On the Create new revision of task definition page, make changes. For example, to change the existing container definitions (such as the container image, memory limits, or port mappings), select the container, make the changes, and then choose Update.
- Select Create.
- If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition. For more information, see Updating a service.
**AWS CLI**
- If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition. For more information, see [Updating a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html).
**CLI Remediation Steps**
- Create new task definition revision:
> aws ecs register-task-definition <br>
> --family \<value> <br>
> [--task-role-arn \<value>] <br>
> [--execution-role-arn \<value>] <br>
> [--network-mode \<value>] <br>
> --container-definitions \<value> <br>
> [--volumes \<value>] <br>
> [--placement-constraints \<value>] <br>
> [--requires-compatibilities \<value>] <br>
> [--cpu \<value>] <br>
> [--memory \<value>] <br>
> [--tags \<value>] <br>
> [--pid-mode \<value>] <br>
> [--ipc-mode \<value>] <br>
> [--proxy-configuration \<value>] <br>
> [--inference-accelerators \<value>] <br>
> [--cli-input-json | --cli-input-yaml] <br>
> [--generate-cli-skeleton \<value>] <br>
- Update the service to use the new task definition:
> aws ecs update-service <br>
> [--cluster \<value>] <br>
> --service \<value> <br>
> [--desired-count \<value>] <br>
> [--task-definition \<value>] <br>
> [--capacity-provider-strategy \<value>] <br>
> [--deployment-configuration \<value>] <br>
> [--network-configuration \<value>] <br>
> [--placement-constraints \<value>] <br>
> [--placement-strategy \<value>] <br>
> [--platform-version \<value>] <br>
> [--force-new-deployment | --no-force-new-deployment] <br>
> [--health-check-grace-period-seconds \<value>] <br>
> [--cli-input-json | --cli-input-yaml] <br>
> [--generate-cli-skeleton \<value>] <br>`,
aws ecs register-task-definition
--family <value>
[--task-role-arn <value>]
[--execution-role-arn <value>]
[--network-mode <value>]
--container-definitions <value>
[--volumes <value>]
[--placement-constraints <value>]
[--requires-compatibilities <value>]
[--cpu <value>]
[--memory <value>]
[--tags <value>]
[--pid-mode <value>]
[--ipc-mode <value>]
[--proxy-configuration <value>]
[--inference-accelerators <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
- Update the service to use the new task definition:
aws ecs update-service
[--cluster <value>]
--service <value>
[--desired-count <value>]
[--task-definition <value>]
[--capacity-provider-strategy <value>]
[--deployment-configuration <value>]
[--network-configuration <value>]
[--placement-constraints <value>]
[--placement-strategy <value>]
[--platform-version <value>]
[--force-new-deployment | --no-force-new-deployment]
[--health-check-grace-period-seconds <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]`,

references: [
'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html',
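Review bot: removing the `\<value>` escaping and the `<br>` line breaks from the CLI remediation steps is a rendering problem, not just a cleanup: the `remediation` string is markdown (it already uses `**bold**`, `[links](...)` and `-` bullets), so every unescaped `<value>` placeholder is parsed as an HTML tag and dropped, and the consecutive flag lines collapse into one paragraph. Wrap the `aws ecs register-task-definition ...` and `aws ecs update-service ...` blocks in a fenced code block instead, which preserves both the placeholders and the line structure without escapes. While touching this file, `audit: ''` and `rationale: ''` are still empty; the rationale is effectively stated in the description and should be moved there so the rule carries one.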
@@ -76,6 +81,6 @@ export default {
severity: 'medium',
conditions: {
path: '@.memory',
in: ["0", "256", "512"]
in: ['0', '256', '512'],
},
}
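Review bot: the pass condition `in: ['0', '256', '512']` on `@.memory` does not match the title "should limit memory usage": a task definition with memory '1024' or '2048' would be reported as failing while '0' (no limit) would pass. If the intent is "a limit is set", the check should be `notEqual: '0'` (or `notIn: ['0']`) rather than an enumeration of three sizes; if these three values are deliberate, say so in the description. Also confirm that `@.memory` is the field the description talks about: the description says the limit must be set per *ContainerDefinition*, but the path here reads a single top-level `memory` on the matched resource.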
91 changes: 48 additions & 43 deletions src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.2.ts
@@ -1,60 +1,65 @@
export default {
id: 'aws-nist-800-53-rev4-11.2',
title: 'ECS task definitions should set CPU limit for containers',
title: 'AWS NIST 11.2 ECS task definitions should set CPU limit for containers',

description: `'Unless specified, containers get access to all the CPU and memory capacity available on that host. Specifying CPU for ECS task definitions ensures that high priority containers are able to claim the CPU runtime they require.'`,
description: `Unless specified, containers get access to all the CPU and memory capacity available on that host. Specifying CPU for ECS task definitions ensures that high priority containers are able to claim the CPU runtime they require.
A CPU limit must be set through the *cpu* property in the task definition. For more information about the *cpu* property, see [TaskDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskDefinition.html) in the ECS API Reference.`,

audit: '',

rationale: '',

remediation: `**AWS Console**
- Navigate to ECS.
remediation: `**Console Remediation Steps**
- Navigate to [ECS](https://console.aws.amazon.com/ecs/).
- Select the Region that contains your task definition.
- In the left pane, select Task Definitions.
- Check the task definition and click Create new revision.
- On the Create new revision of task definition page, make changes. For example, to change the existing container definitions (such as the container image, memory limits, or port mappings), select the container, make the changes, and then choose Update.
- Select Create.
- If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition. For more information, see Updating a service.
**AWS CLI**
- If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition. For more information, see [Updating a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html).
**CLI Remediation Steps**
- Create new task definition revision:
> aws ecs register-task-definition <br>
> --family \<value> <br>
> [--task-role-arn \<value>] <br>
> [--execution-role-arn \<value>] <br>
> [--network-mode \<value>] <br>
> --container-definitions \<value> <br>
> [--volumes \<value>] <br>
> [--placement-constraints \<value>] <br>
> [--requires-compatibilities \<value>] <br>
> [--cpu \<value>] <br>
> [--memory \<value>] <br>
> [--tags \<value>] <br>
> [--pid-mode \<value>] <br>
> [--ipc-mode \<value>] <br>
> [--proxy-configuration \<value>] <br>
> [--inference-accelerators \<value>] <br>
> [--cli-input-json | --cli-input-yaml] <br>
> [--generate-cli-skeleton \<value>]
aws ecs register-task-definition
--family <value>
[--task-role-arn <value>]
[--execution-role-arn <value>]
[--network-mode <value>]
--container-definitions <value>
[--volumes <value>]
[--placement-constraints <value>]
[--requires-compatibilities <value>]
[--cpu <value>]
[--memory <value>]
[--tags <value>]
[--pid-mode <value>]
[--ipc-mode <value>]
[--proxy-configuration <value>]
[--inference-accelerators <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
- Update the service to use the new task definition:
> aws ecs update-service
> [--cluster \<value>]
> --service \<value>
> [--desired-count \<value>]
> [--task-definition \<value>]
> [--capacity-provider-strategy \<value>]
> [--deployment-configuration \<value>]
> [--network-configuration \<value>]
> [--placement-constraints \<value>]
> [--placement-strategy \<value>]
> [--platform-version \<value>]
> [--force-new-deployment | --no-force-new-deployment]
> [--health-check-grace-period-seconds \<value>]
> [--cli-input-json | --cli-input-yaml]
> [--generate-cli-skeleton \<value>]`,
aws ecs update-service
[--cluster <value>]
--service <value>
[--desired-count <value>]
[--task-definition <value>]
[--capacity-provider-strategy <value>]
[--deployment-configuration <value>]
[--network-configuration <value>]
[--placement-constraints <value>]
[--placement-strategy <value>]
[--platform-version <value>]
[--force-new-deployment | --no-force-new-deployment]
[--health-check-grace-period-seconds <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]`,

references: [
'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html',
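Review bot: same rendering issue as in 11.1: the CLI remediation steps lose their `\<value>` escapes and `<br>` breaks, so under markdown rendering the `<value>` placeholders vanish as HTML tags and the flag lines run together. Put the `aws ecs register-task-definition ...` and `aws ecs update-service ...` invocations in a fenced code block. `audit: ''` and `rationale: ''` are still empty here too.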
@@ -75,6 +80,6 @@ export default {
severity: 'medium',
conditions: {
path: '@.cpu',
in: ["0", "256", "512"]
in: ['0', '256', '512'],
},
}
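Review bot: as with 11.1, `in: ['0', '256', '512']` on `@.cpu` is an allow-list of three sizes, not a "limit is set" check: '0' passes while larger valid CPU reservations such as '1024' fail. Use `notEqual: '0'` (or `notIn: ['0']`) if the control is "a CPU limit is specified", or document why only these values are accepted.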
18 changes: 12 additions & 6 deletions src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.1.ts
@@ -1,6 +1,6 @@
export default {
id: 'aws-nist-800-53-rev4-12.1',
title: 'CloudFront distributions should have geo-restrictions specified',
title: 'AWS NIST 12.1 CloudFront distributions should have geo-restrictions specified',

description: `CloudFront distributions should enable geo-restriction when an organization needs to
prevent users in specific geographic locations from accessing content. For example,
@@ -39,17 +39,23 @@ export default {
accountId
__typename
geoRestriction {
restrictionType
restrictionType
locations
}
}
}`,
resource: 'queryawsCloudfront[*]',
severity: 'medium',
conditions: {
path: '@.geoRestriction',
array_all: {
path: '[*].restrictionType',
notIn: 'none'
and: [
{
path: '@.geoRestriction.restrictionType',
in: ['whitelist', 'blacklist']
},
{
path: '@.geoRestriction.locations',
isEmpty: false
},
],
},
}
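Review bot: the new `and` condition addresses `geoRestriction` as a single object (`@.geoRestriction.restrictionType`) whereas the old one iterated it as an array (`array_all` over `[*].restrictionType`); confirm the schema returns one object here, otherwise both paths resolve to nothing and every distribution fails the rule. The rewrite itself is an improvement: the old `notIn: 'none'` passed a string where the operator takes a list (compare `in: [...]`), and requiring `locations` to be non-empty is right because a restriction type without any listed locations says nothing about which countries are affected. Two small things: the `restrictionType` line in the query is a whitespace-only change that adds noise to the diff, and the `in: [...]` and `isEmpty: false` entries lack the trailing commas added elsewhere in this commit.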
14 changes: 8 additions & 6 deletions src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.2.ts
@@ -1,6 +1,6 @@
export default {
id: 'aws-nist-800-53-rev4-12.2',
title: 'EC2 instances should not have a public IP association (IPv4)',
title: 'AWS NIST 12.2 EC2 instances should not have a public IP association (IPv4)',

description: `EC2 instances are reachable over the internet even if you have protections such as
NACLs or security groups if a public IP address is associated with an instance. To minimize the risk
@@ -50,18 +50,20 @@ Disable the public IP addressing feature
arn
accountId
__typename
subnet {
subnets {
autoAssignPublicIpv4Address
}
}
}`,
resource: 'queryawsEc2[*]',
severity: 'medium',
conditions: {
path: '@.subnet',
array_all: {
path: '[*].autoAssignPublicIpv4Address',
notEqual: 'Yes'
not: {
path: '@.subnets',
array_any: {
path: '[*].autoAssignPublicIpv4Address',
equal: 'Yes',
},
},
},
}
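Review bot: the condition still evaluates only the subnet's `autoAssignPublicIpv4Address`, while the title says the *instance* should not have a public IP association: an instance launched into a subnet with auto-assign off can still be given a public IPv4 at launch or through an Elastic IP, and an instance in an auto-assign subnet can opt out, so this check yields both false negatives and false positives against the stated control. If the instance's own public address is exposed in the schema, check that field; the query here selects only `subnets { autoAssignPublicIpv4Address }`. Separately, `not: { array_any: { equal: 'Yes' } }` and the old `array_all: { notEqual: 'Yes' }` agree on non-empty arrays but may differ when `subnets` is empty or missing, depending on how the engine treats an absent path; make sure the intended result for an instance with no subnet data is the one you want.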